loader

SOARing with TheHive

Introduction

SOAR stands for Security Orchestration, Automation and Response, referring to a solution that is used in the threat landscape to better monitor and respond to incidents detected by Security Monitoring tools and technologies. With the evolution of better technologies to detect malicious activities, most organisations are shifting towards the SOAR to utilise automation to efficiently analyse, escalate and respond to security threats.

Detection:

Security Operations Centres also called SOCs have systems in place to monitor and secure their critical assets. These systems have complex rules in addition to state of the art machine learning algorithms continuously running to detect any activities which could be classified as malicious. Once the detection happens the next step is to send the information to a SOC for a security analyst to investigate. This information is usually sent in as an Alert. The SOC team then tries to resolve the alert within a fixed period of time according to SLA(Service Level Agreements).

Analysis:

The security analyst will analyse the Alerts for validating potential attacks, determining what actually happened as well as assessing the impact of incidents. Based on this the Security Operations team may perform a response action to mitigate the threat actor.

“If an analyst attempts to prove an alert is valid, they take two thirds more time than if they try to prove that it is invalid.”

Chris Senders – Investigation Theory

Respond:

Usually, the Security Analyst would have to perform some tasks in resolving the alert. Some of these tasks are highly complex and require cybersecurity expertise to perform. However security analysts also come across mundane and repetitive tasks. When the analysts are exposed to a large number of alerts with the same or repetitive tasks they tend to suffer from alert fatigue which can lead to reduced performance and longer response time. This is where SOAR comes to the rescue!

SOAR:

SOAR emphasises automation to help the Security team increase their bandwidth to focus on resolving security issues. Similar to an analyst receiving an Alert, the SOAR solution would also receive an Alert and perform some analysis on it. Based on the analysis result there would be a response action to mitigate the threat actor.

TheHive – Security Incident Response for the Masses

TheHive is a scalable 4-in-1 open-source and free Security Incident Response Platform. The 4 are TheHive, Cortex, TheHive4py (a python API for TheHive), and MISP. TheHive is designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. In simple terms, TheHive acts as a front end application to the SOC to aid in the three fundamental phases (Detection, Analysis and Response) as well as the case/alert management from creation to closure.

Cortex – Powerful Observable Analysis & Response 

Cortex is another software that was created by the same team as TheHive and works closely with TheHive. TheHive and Cortex could be used together to make life in a SOC much easier. In such a solution, any Indicator of Compromise (IoC) or pieces of forensic data that could help in mitigating threat actors are classified as an observable. Cortex is a powerful Observable Analysis & active Response Engine. It has analyzers which help in the analysis of these observables. The Analysers also help in enriching the alerts on TheHive with valuable information. Using this valuable information analysts could then run Responders available on Cortex for easy and automated resoluiton of the security alert.

Cortex provides a web interface for the analysis of observables such as IP, email addresses, URLs, domain names, files or malware hashes. However, rather than switching between web interfaces, these two applications can be integrated to communicate using REST API. Cortex has analysers and responders in place to aid automation for Security Operations. These analysers and responders are automation scripts that could be written in any programming language supported by Linux such as Python, Ruby, Perl, etc.. At the time of writing this blog post, there are about 160 Analysers and 24 Responders that come with the default installation of Cortex. However, one could opt to write their own Analyser and Responder and place it in the specified directory to be used by Cortex.

TheHive & Cortex is fully developed and maintained by StrangeBee.

MISP – Open-Source Threat Intel Sharing

MISP or Malware Information Sharing Platform is an open-source software solution for collecting, storing, distributing and sharing cybersecurity indicators and threats about cybersecurity incidents and malware analysis. This has been developed and maintained by CIRCL. Apart from the many uses of MISP one of the main uses which this solution could leverage is the subscription to many of the open-source threat intel feeds. The true power of TheHive can be seen when it is integrated with Cortex and MISP. All these 3 tools work hand in hand to form a comprehensive solution for Incident Analysis/Response and Case Management in a Security Operation Centre. 

Every security event which has to be investigated comes into TheHive as an alert. MISP has some world-class threat intel feeds which an analyst or a Security team can subscribe to. So whenever there is some information about a new threat added to MISP it would automatically be populated onto TheHive for triaging, analysis and response. Also apart from ingesting events from MISP, the solution could also be configured to send events to MISP. So a SOC can contribute information about a discovered threat back into MISP to help the wider community stay one step ahead of the hackers.

A picture is better than a thousand words!

Playbooks – Workflow Automation 

In the world of Security Operations, analysts would be working on resolving very complex security alerts. The majority of these tasks are very complex and require security expertise. However, some tasks could be mundane and time consuming for a security expert to look into every piece of information generated. With tasks like this, there is a higher chance of human error and this is where automation can help. Automation aims to reduce human intervention and the possibility of human errors. 

In the previous sections, we’ve seen how the power of open-source tools can be leveraged to create a unique solution for the SOC. The next step is to add an extra layer that would help in automatically performing some mundane and repetitive tasks to increase efficiency in cybersecurity teams.

TheHive and Cortex have APIs for external tools to leverage their capabilities. TheHive has a webhook capability which enables it to notify other tools with an occurrence of any change or event. These powerful features enable automation.

Playbooks:

A playbook is a series of steps that should be performed in a specific fashion on the occurrence of any event.

Automation:

Security Analysts can design and develop playbooks to automate security alert analysis and response. With the API and Webhook capability available in TheHive and Cortex, their functionality would be leveraged through any workflow automation tool for creating these playbooks. 

At the time of writing this blog post, there are a few tools used by the open-source community. Some of them include n8n, nodered, shuffle and tines

A sample playbook from n8n would look like this.

 

Image by Nabil Adouani via n8n-Community

Conclusion

We have seen how to build a fully automated and free SOAR solution using open-source tools. The beauty of using open-source tools is that they can be easily modified by developers to address your requirements. Furthermore, there is an open-source community using, improving and supporting these tools. 

And because this solution is open-source and flexible; it means it can be integrated with other solutions. One of the most valuable integrations would be with Elastic SIEM. Elastic SIEM provides an enhanced and simplified solution to Extract, Transform and Load (ETL) log and machine data from all devices to Elasticsearch (the heart of the Elastic stack). Elastic can then use parsing and enrichment techniques for adding metadata and use state-of-the-art Machine Learning (ML) for enhanced threat analytics and malicious behaviour detection. A detection can be sent to TheHive as an alert with the possibility of a fully-automated solution taking care of the alert through to closure. Read more about the topic in our Using Elasticsearch to Trigger Alerts in TheHive blog post.

If you are interested in knowing more about how SkilledField can help your Security Operations stay miles ahead of hackers and threat actors, reach out to us. Using our services your organisation could save millions of dollars on data breach fines.

Written by: Sohail Sankanur