For many months, we have been concentrating our efforts on TheHive 4, the next major version of your favourite Security Incident Response Platform, which we’ll finally provide RBAC (or multi-tenancy if you prefer), a feature that Cortex had for quite some time now.
As you well know, both TheHive and Cortex rely on Elasticsearch (ES) for storage. The choice of ES made sense in the beginning of the project but as we added additional features and had new ideas to give you the best experience possible, we faced several ES quirks and shortcomings that proved challenging if not outright blocking for making our roadmap a reality, including RBAC implementation in TheHive, a far more complex endeavour than RBAC in Cortex. Transitioning from ES to graph databases was necessary and since we want our existing users to have a smooth migration path, TheHive 4 (the first release candidate should come out of the oven by the end of the year) will support both ES and graph databases.
But while we were focusing on that, we completely lost sight of the end of life of ES 5.6 so we wrote an apology to you, our dear users, back in May.
Shortly after, we released TheHive 3.4.0-RC1, to add support for ES 6 (with all the breaking changes it has introduced). We also did the same for Cortex with the release of Cortex 3.0.0-RC3. We also took that opportunity to clear out some AngularJS technodebt we had.
We then asked you to take them for a spin and report back any bugs you find given that both versions had to support ES 5.6 and ES 6 to allow for proper migration.
After a few rounds of release candidates, we are pleased to announce the immediate availability of TheHive 3.4.0 and Cortex 3.0.0 as stable releases.
This analyzer lets you check if an IP address has been registered in your DNS sinkhole. TheHive displays the analyzer results as follows:
This analyzer lets you determine whether an IP address has been reported as a threat on Cisco Talos Intelligence service. No special access to the service is required to run the analyzer.
TheHive displays the analyzer results as follows:
This analyzer has been enriched to display SHA-1 fingerprints. The long report format has been updated to reflect this new information.
FileInfo has been updated and is now able to parse PDF files and extract IOCs such as URLs, hosts, domains, IPs, hashes and many more.The analyzer does also support the last version of the extract-msg library.
VirusTotal and Python3
The VirusTotal analyzer, including all its flavours, now uses Python3 and an updated virustotal-api library.
Yeti API key
An optional API key can now be configured and used by the Yeti analyzer.
A hash computation has been fixed in this analyzer.
A first fix has been introduced to avoid this analyzer to crash when there is no content-description in content_header, and a second has been added to correct a header display issue.
IBM XForce Lookup
The analyzer has been improved to allow users to add a trailing / at the end of the API URL without breaking everything.
Updating your Analyzers in Cortex 2.x
Each analyzer and responder comes with its own, pip compatible requirements.txt file. Run the following commands to update your Cortex analyzers to the latest version:
cd path/to/Cortex-Analyzers git pull for I in analyzers/*/requirements.txt; do sudo -H pip2 install -U -r $I || true; done && \ for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done for I in responders/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
If you want to use dockerised analyzers and responders, ensure that the URL of the catalog.json file corresponding to the Cortex-Analyzers repository is registered inapplication.conf. Please note that this won’t work if you are tracking the stable catalog.
After doing so, do not forget to login to Cortex as an orgadmin, click on the Refresh Analyzers button, then Disable and Enable again each analyzer and responder. Analyzer (and responder) updates should occur automatically as long as docker.autoUpdate is set to true in application.conf (this is the default setting).
Update TheHive Report Templates
If you are using TheHive, you must import the new report templates in your instance as follows:
As we announced on May 14, 2019, we have been working very hard to add Elasticsearch 6 support to TheHive and Cortex as Elasticsearch 5.x went the way of the dodo when Elastic plugged life support off this venerable version. We also took this occasion to upgrade AngularJS and its sub projects to 1.7.8, the latest 1.x version as of this writing. Additionally, Grunt build dependencies have also been updated to their latest compatible versions.
It took us more time than initially foreseen but hey, we all love deadlines. We all love the whooshing noise they make as they go by.
TheHive 3.4.0-RC1 and Cortex 3.0.0-RC3 are now available on every Internet pipe near you and before you take them for a spin to help us identify any issues to make the stable releases rock-solid, let us walk you through some important information. Relax and grab a drink (and send good wine our way, we can always use some!).
In addition to ES5 and 6 support and the update of AngularJS, this version corrects a few bugs that were identified in the latest stable version (3.3.1) and adds a few features. The most important one in our opinion is the ability to import a file from a Cortex report. This requires Cortex 3.0.0-RC3. The full list of changes is available at the following location.
ES5 and ES6 support, AngularJS et cetera et cetera. Well you know the song right? Not quite as Cortex 3.0.0 significantly facilitates analyzer and responder installation and updates, thanks to Docker as we touched upon in a blog post earlier this year.
As detailed in the Cortex migration guide, which we recommend you read thoroughly, you can migrate from Cortex 2 and keep using analyzers and responders the same way (using processes), use the new Docker-based analyzers and responders or mix and match between running processes and docker containers (but then, you gotta pay extra attention to configure properly which analyzer/responder runs in which fashion).
Moreover, if you use the new dockerised analyzers and responders, you will be able to choose if you want to have them autoupdated (that’s the default behaviour) and if so, pick the bleeding edge, potentially buggy versions, the minor releases or, if you are risk-averse, stick with stable ones.
Cortex 3.0.0-RC3 also adds the ability to retrieve files resulting from analyzer jobs and last but not least, corrects an information disclosure bug that allowed non-admin users to retrieve the details of other users through the API. The vulnerability was reported by Adam Maris so kudos to him!
TheHive 3.4.0-RC1 and Cortex 3.0.0-RC3 use HTTP transport (9200/tcp by default) to connect to Elasticsearch instead of its native binary protocol (9300/tcp by default).
SSL/TLS, including when using a client certificate, can be configured to connect securely to ES. However this has not been tested yet.
Support of X-Pack and Search Guard is discontinued for anything but basic and SSL client authentication, which would still work.
Caution: Performance May Take a Hit!
The parent-child relationships we use behind the scene in Elasticsearch could make queries significantly slower with ES 6 and in our limited testing, we had the impression that performance took a hit. So please be cautious there and we’d be grateful if you could report any sluggishness you notice during your tests of the new versions with ES6.
We owe you an apology. We thought we would never need to support Elasticsearch 7 or even 6. We thought we could stick with the latest version of Elasticsearch 5 as the underlying storage and indexing engine for TheHive and Cortex until we would be able to complete the transition to a graph database. Moving to such a database is a necessity for your favourite open source, free Security Incident Response Platform and its analysis and orchestration companion, a necessity that has grown out of our frustration with Elasticsearch and its limitations, with the breaking changes that ES 6 introduced which forbid a smooth transition and puts a significant toll on an open source initiative such as ours.
We initially thought we could complete the transition by October of last year and finally offer you long-desired features such as RBAC and multi-tenancy as well as establish a solid ground to implement some exciting ideas that would help you lower the barrier to entry for junior analysts, save more time and concentrate on your work instead of having to master copy/paste between various interfaces or moving from one tool to the other.
Sadly, things did not play out the way we wanted. As TheHive and Cortex were adopted by more and more organisations, feature requests kept piling up and being generous bees, we have always strived to keep our users happy within the confines of our limited resources. Certainly, our user community helped us significantly by contributing a huge number of analyzers to Cortex in no time, making the total amount fly past the 100 landmark. However, we had to rely mostly on ourselves for heavy-duty backend work while steadily releasing new versions to satisfy the appetite for capabilities that sounded reasonable and feasible within a realistic, acceptable timeframe. Multi-tenancy and RBAC also proved more complex than initially foreseen and since we hate a half-baked recipe (blame it on our French culture and our love for delicious food), we did not want to rush things out and add flimsy ‘patch’ code.
So we focused on supporting graph databases and working on multi-tenancy and RBAC. You certainly noticed our silence these past weeks. And we completely lost sight of the end of life of ES 5.6 until we realised recently that it was no longer supported by Elastic, not even in critical bug fix mode. When ES 7 was released on April 10, the death sentence of ES 5.6 was pronounced and its coffin permanently nailed.
We know this is a lot to stomach. Welcome to the Upside Down! But remember: keep calm. Help is already on the way and hopefully this time around the cops will arrive before the movie is over. We are shifting our priorities to release new major versions of TheHive and Cortex in order to use a supported version of ES. This work should take a few weeks at least. In the meantime, if you are using TheHive and Cortex with their own, standalone ES instance and you have implemented sane network security measures to shield ES against unwanted remote access, you should be fine.
We also took the opportunity to look at what other external code we rely on and that would need to be updated as well, to avoid falling in the EOL trap again. Glad we looked! The current versions of TheHive and Cortex both use AngularJS 1.5 (here, take a stone and throw it the Hulk’s way on Nabil’s forehead). We are going to update our frontends to use AngularJS 1.7.
We will come up imminently with a concrete action plan to address our embarrassing miscalculation. Meanwhile, please accept our sincere apologies and rest assured that we won’t let you down.
Few improvements have been introduced in this version :
Proofpoint analyzer has been updated to use python3 (#417)
Long report of Cuckoo Sandbox analyzer has been improved to be able to display Cuckoo v. 2.0.6 reports (#418)
URLhaus analyzer has also been updated to use the recently introduced API (#431)
On your Cortex server, update your analyzers with the following command:
$ cd /opt/Cortex-Analyzers && git pull $ for I in analyzers/*/requirements.txt; do sudo -H /usr/bin/python2 -m pip install -r $I $ for I in analyzers/*/requirements.txt; do sudo -H /usr/bin/python3 -m pip install -r $I
Updating analyzers should be followed by also updating report templates. Download new report templates and add the archive in TheHive report templates.
Thanks to @nicpenning Cuckoo analyzer is now able to display reports from version 2.0.6 of Cuckoo. With this version, remote connections part of the report has been fixed and is now well displayed
Notice: This fix has been reviewed by our core team, unfortunately, we have not been able to test it.
Abuse.ch, the operator of URLhaus recently introduced a new API for their service in order to handle bulk queries and reduce costs for their main page that uses CDNs for delivery. Because of that, thanks to Nils Kuhnert, the URLhaus analyzer has been rewritten from scratch. Also, the templates changed because there are three different API endpoints used:
The short reports now display the threat type – which currently is always malware_download and, for the hash observable type, the malware family – if given by URLhaus:
Do you know what the following set of commands achieve?
$ cd /opt/Cortex-Analyzers
$ sudo git pull
$ for I in $(find /opt/Cortex-Analyzers -name 'requirements.txt'); do sudo -H pip2 install -U -r $I; done \
&& for I in $(find /opt/Cortex-Analyzers -name 'requirements.txt'); do sudo -H pip3 install -U \
-r $I || true; done
The answer is obvious Doctor Watson, right? These highly readable commands (pun intended) allow you to update your Cortexanalyzers and responders to the latest stable versions, downloading new ones in the process, going over all the Python 2 and Python 3 dependencies to install the missing ones and upgrade the old ones to make sure they work correctly. These operations take quite a long time and cause some headaches in the process (Hello, I have Python 3.X and this dependency is no longer required, or Hi, I have an old version of Python 2 and it seems I need this other dependency).
And if you are lucky enough to get it running smoothly, you are still not done as you need to log in to the Cortex UI as an organisation administrator (unlike TheHive, Cortex supports multi-tenancy), click on the Refresh analyzers button under Organization > Analyzers then go to Organization > Responders and click on Refresh responders.
So while the answer to the opening question might be simple, updating analyzers and responders is far from being straightforward, to say the least, even if we forget the ugly fact that both are stored in a repository “conveniently” named Cortex-Analyzers*:
thehive@thehive-training:/opt/Cortex-Analyzers$ ls -d a* r*
Unnecessary Complexity Must Die
Your lovely, hard-working bees hate unnecessary complexity. Our project’s front page blatantly states our mission to bring Security Incident Response to the masses. And we have to stand by our words even if TheHive and Cortex are free, open source solutions and we do not gain anything from them save for the huge satisfaction of helping our fellow incident handlers level the fight against cybercriminals & all kinds of other animals of the APT (Advanced Persistent Troll Threat) bestiary.
There is only one possible solution: simplify the installation and update process of the current, official 115 analyzers and responders we have as of this writing, the future ones and any private or unofficial ones written in other programming languages such as those developed in Go by Rosetelecom-CERT.
Docker all the Things!
Starting from Cortex 3.0, the next major release of your favourite analysis and active response engine, all analyzers and responders will be dockerized. It will no longer be necessary to install them along with their various dependencies. They will be dowloaded from our cortexengine Docker organisation. Sysadmins might also configure automatic updates.
As a side advantage of using Docker, analyzers, and responders will also be isolated from each other which gives more flexibility and possibilities.
For those users who have private, custom analyzers and responders that they don’t want or can’t share with the community, several options will be available:
Continue managing their analyzers and responders in the same way as currently supported by Cortex 2 (i.e. launch them as processes, with no isolation whatsoever).
Dockerize them and store them locally on their Cortex instance.
Dockerize them and publish them on a Docker registry, either the official one or a private registry.
A Docker image of Cortex 3 will still be provided. It will contain a Docker engine to launch dockerized analyzers and responders using DIND (Docker in Docker).
It won’t be necessary to modify the code of the current, official analyzers and responders. A drone job will monitor the analyzer and responder repository and automatically build docker images when it detects changes.
The Cortex Web interface will be slightly modified to accommodate the whole process and allow adding in-house/private Certificate Authorities to allow Cortex to smoothly perform updates in those corporate environments where TLS/SSL inspection is enabled.
Nice Movie Trailer. When is it Coming to a Theatre near me?
We are working hard to get Cortex 3 out of the oven in Q1 (of this year, yes). We will reach out to you, dear reader, in due time, to help us test it and refine it before putting it on the digital shelf for free, as usual. We will provide a smooth migration path in order to move safely your current analyzers and responders and their configuration to Cortex 3.
The success of TheHive and Cortex continue to grow, far more than we initially foresaw. As far as we know, there are about a hundred organisations of different sizes and locations using or testing them. And as the number of users grows, so does the number of features, professional service and support requests.
We have tried addressing these requests through Creative Source, a nonprofit organisation (NPO). All but one company trusted us enough to make a donation and get tailored services for its needs in return. Most of the others either did not reply to our proposals or explained that their procurement process does not accommodate working with NPOs.
Some members of our core team are actively working on alternative options to ensure not only the viability of TheHive and Cortex as FOSS products on the long run but the ability to provide professional training, support, and services without freaking out highly bureaucratic, think-in-the-box-but-never-outside procurement departments.
Stay tuned 🐝
— (*) When the idea behind Cortex was born into our hive mind, we did not initially think about active response capabilities. So we naturally called the repository which was supposed to contain analyzers Cortex-Analyzers . When, at a later stage, we added responders, we put them in the same repository for obvious laziness pretences ¯\_(ツ)_/¯.
Correction: February 15, 2019 Typographical errors have been corrected. Some rewording has been made for the sake of clarity.
We urge our fellow fighters of cybercrime and funny and not-so-funny animals-in-disguise, to update their Cortex analyzers to the latest 1.15.2 version which plugs a serious vulnerability in the Unshortenlink analyzer and fixes several bugs.
On Jan 24, Alexandre Basquin discovered a SSRF vulnerability in the Unshortenlink 1.0 analyzer. By exploiting it, an attacker which has access to a Cortex instance with an analyze role can scan the ports of localhost and possibly of all the hosts reachable by Cortex. This could be automated through Cortex4py by making repetitive calls to the API and thus scanning multiple ports & hosts. In essence, the attacker can perform reconnaissance thanks to Unshortenlink and gain knowledge on which ports are open and which aren’t.
Version 1.1 of Unshortenlink, included in Cortex-Analyzers 1.15.2, plugs this vulnerability by disabling submissions containing IPs & ports. Only URLs are now accepted.
Additionally, Cortex-Analyzers 1.15.2 corrects the following bugs:
#416: the Mailer responder now supports UTF-8 encoding.
#410: remove wrapping of the results produced by crt.sh as a list which ends up breaking the output of the report template. Contributed by Thomas Kastner.
#409: enum is not required for Python 3.4+ to make the MISP Search analyzer work.
#408: FileInfo’s Manalyze plugin did not work after Manalyze renamed plugin_btcaddress to plugin_cryptoaddress.
#406: fix a broken link in the Cymon_Check_IP report, submitted by Manabu Niseki.
click on Import templates button and select the downloaded package
Wait a Minute! Where’s the Blog Post about 1.15.1?
Good catch! There was no blog post about Cortex-Analyzers 1.15.1. Call us lazy but there was nothing Earth-shattering, pole-shifting in that release. Nonetheless, here are a list of fixes included in that release and from which you’ll inherit automatically if you update 1.15.0 to 1.15.2 directly:
#402: Malwares analyzer code relied on functionality that’s only available in Python 3.7+. It has been fixed to work with 3.4 and up thanks to the work of Arcuri Davide.
#404: fixes a bad folder renaming in the HIBP (Have I Been Pwned) analyzer.
#398: MISP Search analyzer wouldn’t run without the enum dependency. Contributed by Mars Huang. Later improved in 1.15.2 (see above).
TheHive Project’s code Chefs are happy to announce the immediate availability of Cortex 2.1.3, a hotfix for your favorite observable and response engine, fresh out of the oven!
We highly recommend that you upgrade your existing installation to this new version as soon as feasible as it plugs a significant security vulnerability, kindly reported by Po-Hsing Wu. The vulnerability is a privilege escalation one which allows an orgadmin to create a superadmin user. The culprit has been punished by having to chant Perl mantras while doing a handstand on burning coals.
Source : XKCD
Additionally, Cortex 2.1.3 fixes the following bugs:
#152: enforce PAP when launching an analyzer from the Cortex Web UI
#147: add dig to the Cortex docker image as the SinkDB analyzer needs it
#146: the Cortex job list must display the PAP value
#145: fix the broken Web UI’s search function for job history
Pardon my French but do you speak English?
Something does not work as expected? You have troubles installing or upgrading? Spotted new bugs? No worries, please open issues on GitHub or comment on existing ones, join our user forum, contact us on Gitter, or send us an email at email@example.com. We are here to help.
Datascan and Inetnum flavors in Onyphe analyzer by Pierre Baudry and Adrien Barchapt
Again, huge thanks for the awesome work that has been performed by all our contributors!
Cisco Umbrella Investigate provides threat intelligence about domains and IP addresses accross the Internet. The analyzer can be used to query the Cisco Umbrella (formerly OpenDNS) API and get information about an IP or a domain name. An API key is required to use this analyzer.
Results are displayed in TheHive in the following manner:
Proofpoint Forensics Lookup
According to Proofpoint’s website, the Forensics API allows insight in detailed forensic evidences about individual threats or compaigns. The analyzer can be used to check observables against given indicators of compromise stored in the ProofPoint service.
Unfortunately, there are currently no sample report screenshots available, because TheHive’s Core Team does not have access to Proofpoint services. Also, due to the same reason, this analyzer could not be tested by us. If you have access to the service and can test the analyzer and/or provide report screenshots, please let us know.
This analyzer lets you get the latest risk data from RecordedFuture for a hash, domain or an IP address. It can be used to query the API and get information. An API key is required to use this analyzer.
Results are displayed in TheHive in the following manner:
Urlscan.io is a service that scans and analyzes websites. Submitted pages will be browsed like a regular user would do and every activity gets recorded. The analyzer submitted by ninoseki queries urlscan without initiating a scan which would be publicly visible on the website. Accepted datatypes for this analyzer are URL, domain, hash and IP.
The templates which display the results of the analyzer look like the following screenshots:
Google DNS over HTTP
This analyzer provides DNS information for an IP, a domain or a FQDN by making calls to Google DNS-over-HTTP (DoH). No API key is required.
Results are displayed in TheHive in the following manner:
RTF files support in FileInfo
The FileInfo meta analyzer has been improved and now leverages the rtfobj tool provided in the Oletools suite by Decalage.
Results are displayed in TheHive in the following manner:
Datascan and Inetnum flavors in Onyphe analyzer
The Onyphe analyzer has been enhanced with two new flavors. Datascan provides information about known open ports on a specific IP, and Inetnum enumerates all known network information about the analyzed IP address.
An API key is required to use the analyzer and can be obtained by creating an account on the Onyphe website.
Results are displayed in TheHive in the following manner:
Bug fixes and enhancements
#248: Improve error msg when VT Get Report does not have an entry for
#323: Fix an issue with HybridAnalysis analyzer filenames handler
#362: Fix file not found issue and empty result set in CERT.at passive DNS analyzer
Get It While Supply Lasts!
Each analyzer comes with its own, pip compatible requirements.txt file. To update your Cortex analyzers to 1.14.0, run the following commands:
for I in analyzers/*/requirements.txt; do sudo -H pip2 install -U -r $I || true; done && \
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done
We could not leave for the week-end without issuing a minor release or two so here we go.
Starting from TheHive 3.0.1, an administrator has the ability to configure Cortex job polling by defining the time between two polls thanks to the cortex.refreshDelay parameter as well as the number of consecutive failures before giving up (via cortex.MaxRetryOnError). However, these settings prevent the service from starting correctly. TheHive 3.1.2 corrects this issue.
When running a job in Cortex with the exact same details, the function findSimilarJob is called. It should return results from any previous jobs, but in the latest versions (2.1.0, 2.1.1) it does not because of a change that went past our QA.
In a similar fashion, the GUI search function was broken. Cortex 2.1.2 fixes both issues.
Excuse my French but I Need Help
Keep calm. We speak French. So if you encounter any difficulty to update TheHive or Cortex, please join our user forum, contact us on Gitter, or send us an email at firstname.lastname@example.org. We are always ready to help as does our user community.