Cortex 2: a Sneak Peek

Unless you’ve been living in a cave with no Internet connection during the last year or so, you certainly know a thing or two about Cortex, TheHive’s perfect sidekick, which allows you to analyze observables, at scale, using its 30+ analyzers.

As of this writing, the latest version of Cortex is 1.1.4. Cortex can be queried using its Web UI for quick assessment of an observable. But the true power of Cortex is unleashed when the engine is queried through its REST API, either from TheHive (which can leverage multiple Cortex instances), from alternative SIRPs (Security Incident Response Platforms), Threat Intelligence Platforms and programs thanks to Cortex4py. Indeed, when Cortex is called through the API, it can analyze large sets of observables. Each analysis generates a job. Jobs are queued on first-created, first-executed basis.

However, Cortex 1 has three limitations:

  1. It does not support authentication. If you install it and don’t shield it from abuse (using a firewall for example), anyone can submit analysis jobs and consume your query quotas for subscription-based, commercial services, for example. Non-CSIRT/CERT/SOC personnel or threat actors can also view all the jobs you’ve executed (what observables you have analyzed, using which analyzers and what the associated results were).
  2. It does not support rate-limiting. All it takes to ruin your quotas is an unexperienced analyst who’d create a case in TheHive from a MISP event containing thousands of attributes, select them all from the newly created case, and run them through various Cortex analyzers.
  3. It has no persistence. If you restart the Cortex service or the host it runs on, all your analysis results will disappear. Please note that if you query Cortex from TheHive, the latter will keep a copy of all the reports generated by the analyzers.

Moreover, analyzer configuration is not as easy as we’d like it to be. Enters Cortex 2.

Authentication, Organizations, Configuration and Rate Limiting

Cortex 2, due for release in February 2018, almost a year after the release of the first version, will support all the authentication methods TheHive supports: LDAP, Active Directory, local accounts, API keys and/or SSO using X.509 certificates (an experimental feature as of this writing).

Once created, users will be associated to an organization. Each organization has its own configuration: which analyzers are enabled, associated API keys and/or authentication credentials for services (VirusTotal, PassiveTotal, MISP, …) and a query quota.

For example, if you have an overall quota on VT for 10,000 queries/month, you can limit the number of queries to 5000 for org A, 3000 for org B and leave 2000 for other uses. Rate limits can be configured per month or per day.

Screen Shot 2017-12-15 at 17.16.06
Cortex 2 — Architecture

More on Organizations

Organizations will be ideal for multi-tenant Cortex instances deployed, for a example, by the central CSIRT of a large company. They can then create orgs for their regional SOCs. Commercial teams such as MSSPs will also be able to use a single instance to serve all their customers.

Graphical Interface Enhancements

Administrators will not have to edit /etc/cortex/application.conf by hand to enable and configure analyzers per org. They will be able to do so from the Web UI. The Web UI will also allow them to manage users, orgs and authentication tokens when applicable.

Report Persistence and Freshness

Cortex 2 will use ES 5 for storage, like TheHive. That way, you will no longer lose your existing jobs when you reboot the Cortex host or restart the service. You will also be able to query historical results to monitor changes and so on. We will also add an optional parameter to make Cortex 2 to serve the latest report generated by an analyzer if it is called again, on the same observable in the last X seconds or minutes. That way, we’ll avoid running the same queries again and again for the same observable and thus consuming quotas and CPU and storage resources.

Pricing

Cortex 2 is a significant development over Cortex 1 … but it’ll still cost you nothing as it will remain free and open source. We could feel you itching when you started reading this paragraph. Chill out! But if you are willing to support the project, you can donate to Creative Source, the non-profit organization we have created to sustain TheHive, Cortex and Hippocampe in the long run. Interested? Contact us at support@thehive-project.org then.

Creative Source, a New Ally and a New Home

The Chefs who’ve been working hard to create delicious recipes in TheHive Project’s code kitchen are happy to announce the establishment of Creative Source, a non-profit organization, which aims to support TheHive, Cortex and Hippocampe.

Who’s behind this NPO?

Creative Source is co-managed by all the members of TheHive Project’s core team: Nabil Adouani, Thomas Franco, Danni Co, Saâd Kadhi and Jérôme Léonard. Work is in progress to provide Creative Source with a Web face.

What Will you Provide through It?

We have already started working with a couple of large organizations to provide trainings, limited support and assistance in Cortex analyzer development. All the money Creative Source is going to gain will serve to further support the project and keep refining our recipes to make them even more palatable.

If you are interested in funding the project, training your analysts or if you are looking for professional assistance with our products, please contact us at support@thehive-project.org.

Will TheHive, Cortex and Hippocampe Stay Free?

Don’t you dare ask that question! TheHive, Cortex and Hippocampe will stay free and open source in the foreseeable future as we are deeply committed in helping the global fight against cybercrime to the best of our abilities.

New Ally

We are also very happy to announce that Nils Kuhnert (a.k.a. @0x3c7 on Twitter), a longtime contributor, has now joined TheHive Project! We are no longer a pure French project, damn! 😉

Nils, who created many analyzers, will work mainly with Jérôme to deal with existing and new ones and absorb the numerous pull requests that have been piling up for many months. Welcome on board Nils!

New Home

IMG_4034
Author : Saâd Kadhi

To accommodate Nils and future members, our code and documentation will leave the lofty shelter of CERT-BDF‘s Github and move to https://github.com/orgs/TheHive-Project/  on Wed Dec 20, 2017. Save the date folks!

Cortex Hits the 30 Analyzers Mark

Cortex has now 30 analyzers thanks to Daniil Yugoslavskiy, Davide Arcuri and Andrea Garavaglia (from LDO-CERT) as well as our longtime friend Sébastien Larinier. Their contributions, all under an AGPLv3 license, add handy ways to assess observables and obtain invaluable insight to an already solid Threat Intelligence and DFIR toolset.

In addition to these 3 new analyzers, v 1.7.0 of the Cortex-Analyzers repository also fixes a number of bugs and add a few improvements to existing analyzers as well.

To get the new release, go to your existing Cortex-Analyzers folder and run git pull.

HybridAnalysis

The HybridAnalysis analyzer has been contributed by Daniil Yugoslavskiy. It fetches Hybrid Analysis reports associated with hashes and filenames. This analyzer comes in only one flavor called HybridAnalysis_GetReport.

Requirements

You need to have or create a free Hybrid Analysis account.  Follow the instructions outlined on the Hybrid Analysis API page to generate an API key/secret pair. Provide the API key as a value for the key parameter and the secret as a value to the secret parameter, add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.

HybridAnalysis {
  secret = "mysecret"
  key = "myAPIKEY"
}

When run from TheHive, the analyzer produces short and long reports such as the following:

sc-short-hybridanalysis_1_0.png

TheHive: HybridAnalysis 1.0 Analyzer – Short and Long Report Samples
TheHive: HybridAnalysis 1.0 Analyzer – Short and Long Report Samples

EmergingThreats

The EmergingThreats analyzer has been submitted by Davide Arcuri and Andrea Garavaglia  from LDO-CERT. It leverages Proofpoint’s Emerging Threats Intelligence service to assess the reputation of various observables and obtain additional and valuable information on malware.

The service comes in three flavors:

  • EmergingThreats_DomainInfo: retrieve ET reputation, related malware, and IDS requests for a given domain.
  • EmergingThreats_IPInfo: retrieve ET reputation, related malware, and IDS requests for a given IP address.
  • EmergingThreats_MalwareInfo: retrieve ET details and info related to a malware hash.

Requirements

You need a valid Proofpoint ET Intelligence subscription.  Retrieve the API key associated with your account and provide it as a value to the key parameter, add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.

 EmergingThreats {
   key="MYETINTELKEYGOESHERE"
 }

When run from TheHive, it produces short and long reports such as the following:

sc-short-ET_1_0.png

sc-long-ET-1_1_0.png

sc-long-ET-2_1_0.png

sc-long-ET-3_1_0.png

sc-long-ET-4_1_0.png

sc-long-ET-5_1_0.png
TheHive: EmergingThreats 1.0 Analyzer – Short and Long Report Samples

Shodan

The Shodan analyzer is the first submission by Sébastien Larinier. It lets you retrieve key Shodan information on domains and IP addresses.

This analyzer comes in two flavors:

  • Shodan_Host: get Shodan information on a host.
  • Shodan_Search: get Shodan information on a domain.

Requirements

You need to create a Shodan account and retrieve the associated API Key. For
best results, it is advised to get a Membership level account, otherwise a free one can be used.

Supply the API key as the value for the key parameter, add the lines below to the config section of /etc/cortex/application.conf then restart the cortex service.

Shodan {
  key= "myawesomeapikey"
}

When run from TheHive, it produces short and long reports such as the following:

sc-short-shodan_1_0.png

sc-long-shodan_1_0.png
TheHive: Shodan 1.0 Analyzer – Short and Long Report Samples

Miscellaneous Fixes and Improvements

  • #100 : support both Cuckoo versions – by Garavaglia Andrea
  • #113 : Cuckoo Analyzer requires final slash – by Garavaglia Andrea
  • #93 : VirusTotal URL Scan Bug
  • #101 : Missing olefile in MsgParser requirements
  • #126 : PhishTank analyzer doesn’t work – by Ilya Glotov

Update TheHive Report Templates

If you are using TheHive, get the last version of  the report templates and import them into TheHive.

Running Into Trouble?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

Training VM Updated with Mellifera 13.2

Two days after the release of  Mellifera 13.2 (TheHive 2.13.2), we have updated the training VM with this version. You can download it from the following location:

https://drive.google.com/file/d/0B3G-Due88gfQMGZ2RjRlc1RfQ2M/view?usp=sharing

To ensure that your download went through nicely, check the file’s SHA256 hash which must be equal to the following value:

15dc0a1d1ef099abd852fefff3a12c1b752573c01b133fc6e643dd2fceb1d46f

The system’s login is thehive and the associated password is thehive1234.

Use It

You can start using TheHive & Cortex once the VM is started. To access TheHive, point your browser to the following URL:

http://IP_OF_VM:9000

For Cortex, the port is 9999:

http://IP_OF_VM:9999

Where to Go from Here?

Please read the associated documentation page to configure the services on your training virtual machine and plug it with MISP.

Need Help?

Something does not work as expected? No worries, we got you covered. Please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Training VM Reloaded: Mellifera 13, Cortex 1.1.4 & Other Updates

After the release wagon we unleashed upon the Internet tracks last week, we have updated the training VM to include Mellifera 13 (TheHive 2.13.0), Cortex 1.1.4, TheHive4py 1.3.0, Cortex4py 1.1.0 and the latest Cortex analyzers with all dependencies.

We strongly encourage you to refrain from using it for production.

Get It

You can download the VM from the following location:

https://drive.google.com/file/d/0B3G-Due88gfQajViaS01Ym1hdW8/view?usp=sharing

To ensure that your download went through nicely, check the file’s SHA256 hash which must be equal to the following value:

93176fffdbdd47cb8457efe10fb8c783eddd7895a18c8ca75a7c6bae316b081b

The system’s login is thehive and the associated password is thehive1234.

Use It

You can start using TheHive & Cortex once the VM is started. To access TheHive, point your browser to the following URL:

http://IP_OF_VM:9000

For Cortex, the port is 9999:

http://IP_OF_VM:9999

Where to Go from Here?

Please read the associated documentation page to configure the services on your training virtual machine and plug it with MISP.

Need Help?

Something does not work as expected? No worries, we got you covered. Please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Cortex 1.1.4 Released

Moments ago, we have announced the release of Mellifera 13, TheHive4py 1.3.0, and Cortex4py. And since we don’t want to leave you wanting for more fun time, you may want to schedule as well a Cortex update shall you need it 😉

Implemented Enhancements

  • Disable analyzer in configuration file #32
  • Group ownership in Docker image prevents running on OpenShift #42

Fixed Bugs

  • Cortex removes the input details from failure reports #38
  • Display a error notification on analyzer start fail #39

Download & Get Down to Work

To update your current Cortex installation, follow the instructions of the installation guide. Before doing so, you may want to save the job reports that were not executed via TheHive. Cortex 1 has no persistence and restarting the service will wipe out any existing reports.

Please note that you can install Cortex using an RPM or DEB package, deploy it using an Ansible script, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Introducing Cortex4py

Following popular demand, the chefs at TheHive Project‘s code kitchen are happy to announce the immediate availability of Cortex4py.

What Is It?

Cortex4py is a Python API client for Cortex, a powerful observable analysis engine where observables such as IP and email addresses, URLs, domain names, files or hashes can be analyzed one by one using a Web interface or en masse through the API.

Cortex4py allows analysts to automate these operations and submit observables in bulk mode through the Cortex REST API from alternative SIRP platforms (TheHive has native support for one or multiple Cortex instances) and custom scripts.

 

Use It

To install the client, use PIP:

$ sudo pip install cortex4py

 

How Much Does it Cost?

Cortex4py is released under an AGPL license as all the other products we publish to help the IR community fight the good fight. So apart from the effort it’ll cost you to install and use, the price of our software is nada, zero, rien. But if you are willing to contribute one way or another, do not hesitate to drop us an email at support@thehive-project.org or contact us via Twitter.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.