Cortex 101: Dissecting Observables a Hundred Ways

TheHive Project’s Code Chefs are glad to announce that, thanks to the precious contributions of the user community, Cortex has broken the one hundred analyzer mark.

Cortex-Analyzers version 1.14.0 is out and includes new analyzers, some improvements and some bug fixes.

New Analyzers

New and enhanced analyzers, described below, are:

  • Cisco Investigate by Cisco Umbrella Research @opendns
  • Proofpoint Forensics Lookup by Emmanuel Torquato
  • Proofpoint Threat Insight Forensics Analyzer by Emmanuel Torquato
  • RecordedFuture by jojoob
  • urlscan.io search by ninoseki
  • Google DNS over HTTP by 0xswitch
  • RTF files support in FileInfo by Nils Kuhnert
  • Datascan and Inetnum flavors in Onyphe analyzer by Pierre Baudry and Adrien Barchapt

Again, huge thanks for the awesome work that has been performed by all our contributors!

Investigate

Cisco Umbrella Investigate provides threat intelligence about domains and IP addresses accross the Internet. The analyzer can be used to query the Cisco Umbrella (formerly OpenDNS) API and get information about an IP or a domain name. An API key is required to use this analyzer.

Results are displayed in TheHive in the following manner:

sc-investigate-short

sc-investigate-long
Cisco Investigate: short and long reports

Proofpoint Forensics Lookup

According to Proofpoint’s website, the Forensics API allows insight in detailed forensic evidences about individual threats or compaigns. The analyzer can be used to check observables against given indicators of compromise stored in the ProofPoint service.

Unfortunately, there are currently no sample report screenshots available, because TheHive’s Core Team does not have access to Proofpoint services. Also, due to the same reason, this analyzer could not be tested by us. If you have access to the service and can test the analyzer and/or provide report screenshots, please let us know.

RecordedFuture

This analyzer lets you get the latest risk data from RecordedFuture for a hash, domain or an IP address. It can be used to query the API and get information. An API key is required to use this analyzer.

Results are displayed in TheHive in the following manner:

sc-recordedfuture-short

sc-recordedfuture-long
RecordedFuture: short and long reports

Urlscan.io search

Urlscan.io is a service that scans and analyzes websites. Submitted pages will be browsed like a regular user would do and every activity gets recorded. The analyzer submitted by ninoseki queries urlscan without initiating a scan which would be publicly visible on the website. Accepted datatypes for this analyzer are URL, domain, hash and IP.

The templates which display the results of the analyzer look like the following screenshots:

Screenshot from 2018-10-25 09-55-34

Screenshot from 2018-10-25 09-48-58
Urlscan.io: short and long reports

Google DNS over HTTP

This analyzer provides DNS information for an IP, a domain or a FQDN by making calls to Google DNS-over-HTTP (DoH). No API key is required.

Results are displayed in TheHive in the following manner:sc-googleDNS-short

sc-googleDNS-long
Google DNS: short and long reports

RTF files support in FileInfo

The FileInfo meta analyzer has been improved and now leverages the rtfobj tool provided in the Oletools suite by Decalage.

Results are displayed in TheHive in the following manner:

sc-fileinfo_RTF-short

sc-rtfobj-long
FileInfo with rtfobj: short and long reports

Datascan and Inetnum flavors in Onyphe analyzer

The Onyphe analyzer has been enhanced with two new flavors. Datascan provides information about known open ports on a specific IP, and Inetnum enumerates all known network information about the analyzed IP address.

An API key is required to use the analyzer and can be obtained by creating an account on the Onyphe website.

Results are displayed in TheHive in the following manner:

sc-onyphe-inetnum-short

sc-onyphe_inetnum-long
Onyphe  Inetnum: short and long reports

sc-onyphe_datascan-short

sc-onyphe_datascan-long
Onyphe Datascan: long and short reports

Bug fixes and enhancements

  • #248: Improve error msg when VT Get Report does not have an entry for
  • #323: Fix an issue with HybridAnalysis analyzer filenames handler
  • #329: Enhance PassiveTotal Passive DNS report
  • #348: Fix a typo in URLhaus’s long.html
  • #356 : Force the use of Python3 in MISP analyzer
  • #362: Fix file not found issue and empty result set in CERT.at passive DNS analyzer

Get It While Supply Lasts!

Each analyzer comes with its own, pip compatible requirements.txt file. To update your Cortex analyzers to 1.14.0, run the following commands:

cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip2 install -U -r $I || true; done && \
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -U -r $I || true; done

Once done, do not forget to login to Cortex as an orgadmin and click on the Refresh Analyzers button. Refer to the online Cortex documentation for further details.

Update TheHive Report Templates

If you are using TheHive, get the latest version of  the report templates and import them into TheHive.

Running Into Trouble?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

TheHive 3.1.2 & Cortex 2.1.2 Released

We could not leave for the week-end without issuing a minor release or two so here we go.

TheHive 3.1.2

Starting from TheHive 3.0.1, an administrator has the ability to configure Cortex job polling by defining the time between two polls thanks to the cortex.refreshDelay parameter as well as the number of consecutive failures before giving up (via cortex.MaxRetryOnError). However, these settings prevent the service from starting correctly. TheHive 3.1.2 corrects this issue.

Cortex 2.1.2

When running a job in Cortex with the exact same details, the function findSimilarJob is called. It should return results from any previous jobs, but in the latest versions (2.1.0, 2.1.1) it does not because of a change that went past our QA.

In a similar fashion, the GUI search function was broken. Cortex 2.1.2 fixes both issues.

Excuse my French but I Need Help

Keep calm. We speak French. So if you encounter any difficulty to update TheHive or Cortex, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are always ready to help as does our user community.

How to Cruise Ocean Threat Without Sinking Using TheHive 3.1 & Cortex 2.1

Paris, France. The Sun is shining on the city of lights and temperatures are quite high, even for the summer season. Life is good. As a matter of fact, life is excellent.

TheHive Master Cooks are about to go on vacation for a few weeks. But before they pack up their Patagonia bags and leave the sandy beaches for those who enjoy them, preferring mountains, trails, walking and breathing fresh air with family and friends, they would like to make a significant contribution to help TheHive and Cortex users fight cyberattacks even better than they already do. And maybe convince those who don’t that free, open source software is not a joke or a geek fad.

We’d like to welcome to the stage our latest babies, which we are really proud of: TheHive 3.1 and Cortex 2.1, the new versions of the power duo which make digital forensics, incident response and, to an extent, cyber threat intelligence, better, faster, happier, regular exercising (well you know the Radiohead song so we’ll let you continue singing along) since early 2017.

While our project might seem very young, it is not. We’ve been working steadily on TheHive, using it (i.e. eating our own dog food) since early 2014 before releasing it at the end of 2016 once we were satisfied with it, as a token of gratitude to a community that helped us due our jobs in various ways. We then extracted what has become Cortex from its core to ship it as a separate product in February 2017. And we kept improving them at a steady piece for the collective benefit of incident responders, forensicators and threat analysts. And adoption has been rather spectacular. Thanks to all of our users for their love and support!

We believe we are at a moment where people could not brush us off anymore as amateurs. Try TheHive and Cortex, preferably with MISP and get a taste of what professional, free and open source software can be.

TheHive 3.1 and Cortex 2.1 are feature-packed and we won’t be able to cover them all in detail in a single blog post. Rather, we’d like to concentrate on a few important ones.

Stable, Pre-release Channels and New Repositories

We’d like to point out that, in order to improve our release process and given the number of features that we added, TheHive 3.1 and Cortex 2.1 are release candidates at this stage. So we encourage you to test them and report back any bugs or issues you encounter so we can address them and make the final releases as rock-solid as possible.

We have now two release channels: a stable one that should be used for production systems and a pre-release channel that should be used to try the release candidates such as TheHive 3.1-RC1 and Cortex 2.1-RC1, the subjects of this blog post, and help us iron out bugs before adding them to the stable channel. Those who love living on the bleeding edge may be tempted by running the release candidates on their production environment given all the candy and icing we added. They are at liberty of doing so but we don’t want to hear anyone one whining about an RC that broke everything and asking for their money back grin.

We also moved our package and binary repositories to https://bintray.com/thehive-project and Docker images are now under thehiveproject.

Please check TheHive Installation and Cortex Installation guides for further details.

MISP with a Purpose

In previous releases of TheHive, whenever you configured a MISP instance, it was used to import events from and export cases to. Starting from TheHive 3.1.0, we added a purpose to the configuration file. By default, any added MISP instance will be used for import and export (ImportAndExport). However you can configure it to be used for importing events only (ImportOnly) or exporting cases only (ExportOnly).

Extended Events

When an analyst attempts to update a MISP event on which the account used by TheHive to connect to the MISP instance is not part of the original author’s organization, previous versions of TheHive will display a you do not have permission to do that error produced by MISP. Starting from TheHive 3.1, analysts have the ability to create a MISP extended event.

Task Grouping

Case tasks can now be associated with task groups. For example, you could create groups called Identification and Malware Analysis, Containment and Communication and add tasks to them. Of course, this new feature can be used when designing case templates as well.

Import Observables from Analyzer Output

If analyzers produce a set of artifacts in their output (which is the case of several existing ones), TheHive will give you the ability to select those artifacts very easily and add them to your case as observables.

ZIP File Upload

Austin Haigh contributed an important feature which will allow analysts to directly import password-protected ZIP files into a case. The code uses the supplied password when adding the archive to extract its contents and add them one by one to the existing set of observables. This is highly practical when you want to add suspicious files without risking an accidental click which would compromise your endpoint or having to unzip archives containing such files first then add them one by one to TheHive.

Revamped Search Page

The search page has been completely revamped as shown in the screenshot below:

41841154-d8d8fa5c-7867-11e8-8837-2a12a06a52a7.png
The New Search Page

You can now select your search scope (cases, tasks, observables, alerts, analyser reports a.k.a. jobs or even the audit logs), apply filters and search TheHive without having to resort to complex, mind numbing Lucene syntax.

Responders and PAP

Last but not least, TheHive and Cortex offer you response capabilities (i.e. perform an action depending on the context) thanks to a new breed of programs called … wait for it … wait for it … responders. TADA!

Responders are very similar to analyzers. In fact we’ve taken the concept and extended it to apply to different elements in TheHive: alerts, cases, tasks, task logs, and observables of course.

mailer_activeResponse.png
Responders in Action

You can reuse almost the same principles that apply to analyzers to write your own responders and if you are feeling generous, contribute them to the community. To give you a head start, we published a sample Mailer responder which, when customized for your environment, should allow you to send emails to inform your fellow analysts that a case has been created and that their help is required. Another example could be the ability to respond to a suspicious email report from a user, which is displayed as an alert, that they can safely ignore the corresponding email.

Like an analyzer, a responder can have two or more service interaction files (or flavors) to allow it to perform different actions. For example, a Mailer responder can send messages using several body templates.

Thanks to our long-time friend Andras Iklody from MISP Project who brought that to our attention, responders (and analyzers starting from Cortex 2.1) support PAP, the Permissible Actions Protocol.

Running into Troubles?

Something does not work as expected? You have troubles installing or upgrading? Spotted new bugs? No worries, please open issues on GitHub or comment on existing ones, join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

 

 

 

Keep Them Coming: Hashdd, URLhaus & a Revamped FileInfo analyzer

We are happy to announce the immediate availability of a new major version of Cortex-Analyzers. Version 1.11.0 includes two brand new analyzers, several updates and a few bug fixes:

  • Hashdd, contributed by  iosonogio
  • URLhaus, contributed by  ninoseki
  • The Domaintools analyzer has been updated with two new flavors: Risk and Reputation
  • The VirusTotal analyzer can (finally!) get reports for URL observables
  • MsgParser and File_Info have been merged in a new, shiny, completely rewritten FileInfo analyzer

As we are approaching the 90 analyzers mark, we wholeheartedly thank our user community for continuously contributing new analyzers, testing them and helping us improve the existing ones.

Important Notice

We made significant changes in this release in the analyzers and short reports. Prior to Cortex-Analyzers 1.11.0, the summary() function in the analyzer code generates a result such as:

"taxonomies": [{
     "level": "suspicious",
     "namespace": "DT",
     "predicate": "Risk",
     "value": "\"10\""
 }]

Double quotes were included in the resulting value. We decided to update the summary() function and make it generate the same result without double quotes :

"taxonomies": [{
     "level": "suspicious",
     "namespace": "DT",
     "predicate": "Risk",
     "value": "10"
 }]

To display the double quotes in TheHive, we updated all short reports to include them:

<span class="label" ng-repeat="t in content.taxonomies" ng-class="{'info': 'label-info', 'safe': 'label-success', 'suspicious': 'label-warning', 'malicious':'label-danger'}[t.level]">
     {{t.namespace}}:{{t.predicate}}="{{t.value}}"
</span>

Hashdd

hashdd.com is a search engine for file hashes which automatically queries 3rd party services like VirusTotal and enriches the information provided based on the 3rd party data. The analyzer includes two flavors: Status and Detail. The first one is used to query hashdd without an API key for the threat level only. The latter produces additional meta information about the sample, but requires an API key.

Results are displayed in TheHive in the following manner:

Hashdd short report

Hashdd status long report

Hashdd detail long report
hashdd — short and long report samples

URLhaus

URLhaus, a service that shares the latest malware download URLs and reports those sites to their respective hosting companies, can now be queried for domains, URLs and hashes. If the observable is found, available information will be displayed as follows:

URLhaus short report

URLhaus long report
URLhaus – short and long report samples

Domaintools Risk and Reputation

New Risk and Reputation services from Domaintools have been added as new flavors to the existing Domaintools analyzer set.

Risk Evidence

The DomainTools Risk Score predicts the risk level and likely threats from a domain that has not been observed in malicious activities, by analyzing various properties of the domain as soon as it is registered.

sc-DTrisk-short

sc-DTrisk-long
Domaintools Risk Evidence – short and long report

Reputation

The Domaintools Reputation Score gives indications about how closely a domain is related to known bad domains, actors, and IPs.

sc-DTReputation-short

sc-DTReputation-long
Domaintools Reputation – short and long report samples

An All New FileInfo

FileInfo performs local static analysis of file observables. It has been completely rewritten from the ground up to be more flexible thus it can easily be enriched with new supported file types and analysis modules. We took this opportunity to merge MsgParser, in charge of extracting and displaying Outlook emails into FileInfo.

As of this release, FileInfo now supports PDF, PE, MS Office documents and Outlook .msg files. We also added support for DDE detection and link extraction in MS Office documents, thanks to Decalage who added this in Oletools since v0.52.

sc-FileInfo-short

sc-FileInfo-long2
FileInfo – short and long report samples

Bug fixes

  • #286 : we updated the way MISP analyzer validates its SSL configuration

  • #292 : we fixed the API URL of malwares.com in the Malwares analyzer

Get It While Supply Lasts!

Each analyzer comes with its own, pip compatible requirements.txt file. To update your Cortex analyzers to 1.11.0, run the following commands:

cd path/to/Cortex-Analyzers
git pull
for I in analyzers/*/requirements.txt; do sudo -H pip2 install -r $I; done && \
for I in analyzers/*/requirements.txt; do sudo -H pip3 install -r $I || true; done

Once done, do not forget to login to Cortex as an orgadmin and click on the Refresh Analyzers button.

Update TheHive Report Templates

If you are using TheHive, get the latest version of  the report templates and import them into TheHive.

Running Into Trouble?

Shall you encounter any difficulty, please join our  user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We will be more than happy to help!

Cerana 0.2: X-Pack Auth, Multi-source Dashboards

TheHive Chefs are happy to announce the immediate availability of their latest recipe: Cerana 0.2 (a.k.a. TheHive 3.0.2).

While TheHive 3.0.0 brought you dynamic dashboards among other niceties, the latest (and, of course, the greatest) version of your Mom’s favourite Security Incident Response Platform fixes a bug spotted by our longtime supporter Megan Roddie (merci !). Indeed, Nabil was running low on coffee so he didn’t make the necessary changes to support the new sighted toggle introduced by Cerana for file observables.

Cerana 0.2 also adds X-Pack authentication for Elasticsearch, a feature contributed by srilumpa. Thanks! To enable this functionality, and assuming the X-Pack plugin for Elasticsearch is installed, add the following section to /etc/thehive/application.conf:

search.username = "jessica"​​​​​

​search.password = "drink-beat-repeat"

Last but not least, we decided to make dynamic dashboards even more powerful. You can now create new graphs that support multiple series from multiple entities (or sources).

multiline2
Multi-line Dashboards Example — Number of IOCs imported from MISP vs. those imported from other sources

As Christmas is approaching, go ahead and play with dynamic dashboards to impress your management as soon as 2018 rears its head or truly drive your CTI and DFIR activities and plan well ahead how you should improve automation or collaboration (or beg for additional headcount).

multiline1.png
Multi-line Dashboards Example — How to create one

Ain’t that nifty? Who said bees aren’t nice? Joyeux Noël !

 

Feeling Generous? Donate!

As you know, we are a FOSS project and donations are always welcome to make our products even better for the community.

All donations go to Creative Source, the non-profit organization we have created, and we will use them to improve TheHive, Cortex & Hippocampe but also to develop (even better) integrations with other FOSS solutions such as MISP.

So if you are feeling generous, contact us at support@thehive-project.org. Of course the funds may also be used to keep Nabil happy by providing a steady flow of caffeine. 😉

Creative Source can also provide so-called professional, entreprise-grade support, help integrating the products, train your analysts before they drain or assist you in specific areas such as developing in-house analyzers for Cortex.

Download & Get Down to Work

If you have an existing installation of TheHive, please follow the migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

Support

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.

Cerana: a Sneak Peek

Initially planned for Nov 17, 2017, Cerana, the next major release of TheHive, is delayed by a few days for three reasons: fixing a few minor but nonetheless irking bugs, quality assurance, and adding small but nice features that would have otherwise required a new database migration a short while after performing one during the upgrade to this new version.

The new release date for Cerana (TheHive 3.0.0) is Dec 5, 2017, the same day we’ll have our second joint workshop with the fine people of the MISP Project during the Botconf conference in Montpellier, France (food, wine, sightseeing… well you get the picture).

If we should mention a single major Cerana feature to convince you to install it or take it for a spin, that would be dynamic dashboards, with no hesitation.

While it was enough for a start, the Statistics module doesn’t take advantage of the underlying Elasticsearch storage and the many ways we can play with all the data that analysts keep feeding to TheHive. Not only that but what about custom fields, alerts, and so on? Enter Dynamic Dashboards.

 

alerts.jpg
Dynamic Dashboards – Alert types and sources

To put it simply, Cerana will allow you to analyze TheHive data (almost) any way you want and chart it using different options: how many alerts of a certain type have been received during a given period? Over all the cases that are recorded within TheHive, how many observables with a specific tag and flagged as IOCs are there? …

 

Dashboards can be private to an analyst, shared with fellow TheHive users, imported from another instance and exported. By adding the import/export feature, we hope to foster sharing within TheHive community where teams would impart useful dashboards to their peers. Graphs can also be saved as images to add to reports.

observable_sources
Dynamic Dashboards – Sources of observables

To alleviate upgrades, Cerana will come with a few dashboards out of the box to mimic the Statistics module hence you won’t lose existing functionality when you make the move. At this stage, we’d like to remind you that we only support the current release and the previous one. When Cerana will be published, we’ll obviously support it (genius, n’est-ce pas ?) as well as Mellifera 2.13.2. Nothing else.

cases.png
Dynamic Dashboards – Case status, resolution and impact

Cerana will also give you the ability to import and export case templates, a feature that has been requested by our growing user base. This could be a first step towards a global repository where case templates can be shared, refined and created according to common standards, regulations or compliance requirements. Think LPM in France, NIS in Europe, GDPR, etc. Case templates will also be improved to contain default metrics values if needed and automatically assign tasks to given analysts.

Another addition worth mentioning is the sighted flag for IOCs. When an analyst flags an observable as IOC and as sighted, it means that observable is not simply something coming from a sandbox analysis (think C2) or from a 3rd party but was confirmed as being used by a threat actor in your network. In a later release, exporting cases to MISP instances will make use of this new flag to feed MISP attribute sightings. The sighted value will also be used in the future to improve alert previewing.

Last but not least, Cerana will supervise the ‘health’ of the Cortex and MISP instances it is integrated with. The Cortex and MISP logos at the bottom right corner of TheHive UI appear when integration with those products is enabled. They will also have a coloured circle to indicate health:

  • Green: TheHive can reach all of the configured Cortex/MISP instances.
  • Orange: TheHive cannot reach all of them.
  • Red: no instance can be reached.

There are other areas (the About page, the observable analysis buttons…) where the health of Cortex and/or MISP can be monitored.

Now, if you don’t mind, we have some coding to do. We’d better get back to it if we want to give you a luscious release. À bientôt !