On 10 December 2018, part of Sothis’ SOC team was at the headquarters of the British bank, HSBC, in Luxembourg, where the CIRCL headquarters is located (CERT luxemburgués). An Incident Response workshop took place there with The Hive, Cortex and MISP tools, with 50 attendees, delivered by Saâd Kadhi, one of the creators of The Hive Project and participant as a speaker at one of the most important congresses in the world, Botconf.

The Hive project is intended to facilitate analysts when it comes to dealing with security alerts as it is a tool created exclusively for the cybersecurity industry and supported mainly by the community, because it is a totally Open Source project, which has allowed it to grow enormously thanks to different collaborations and, at the same time, the support received from companies in both the private and public sectors.

Connected to The Hive is the fundamental piece that every cybersecurity analyst needs, Cortex. It is a tool that has 101 different IOC (Commitment Indicators) analysers, so the probability of it not picking up on something is almost nil.

The MISP project is a meeting point between Cortex and The Hive. It is a tool developed entirely by CIRCL, whose main commitment is to sharing, storing and correlating IOC targeted attacks, with the user community providing intelligence in investigations, through which countermeasures can be generated in order to avoid future attacks through movements similar to those suffered by the user who has contributed to the system.

At the beginning of the day the three tools were presented and it was explained how each of them fits into the operation of a CERT or SOC based on the 6 standard Incident Response processes, which are:

  • Detection and Analysis
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned or Post-Incident
  • Preparation of the incident, as one of the most important steps.

Two CIRCL representatives presented the MISP tool and the value of full integration that it has with The Hive and Cortex, as well as the importance of sharing intelligence between the different European CERTS, as with these investigations, the defence of attacks that have already occurred in other centres is optimized and prioritized.

During lunch we were able to exchange views on the tools with colleagues from the industry located in the different SOC and CERT across Europe, the common denominator being the importance of possible integrations with input sources as a correlator and the facilities provided by Cortex with its analysers and the reports generated automatically for analysts. Furthermore, we had the opportunity to congratulate Saâd and his team on the great project developed, and we hope it continues in the future.

In the afternoon, they presented us with the RoadMap of the tools and the updates that will be included in the next Release before moving on to the workshop where the speaker gave us 4 different exercises.

The first one was to completely integrate the three tools by adding the CIRCL test MISP and the analysers created entirely by this organization. Once this integration had been carried out, we were asked to share research, as well as filtering by IOC within the alerts generated by the MISP itself.

The last three exercises were real scenarios: a Botnet warning, a phishing scam with a zip attached containing malicious code, as well as a generic False Positive of legitimate connections to a server located in the organization. In this way, we were presented, in a practical way, with how The Hive tool should be used correctly in the preparation of the investigations and the execution of the analysers with the TLP and PAP confidentiality indicators in order to get the most out of them.

To sum up, it was a very enriching day as we learned many new things that we took with us in order to continuously improve the cybersecurity operations centre (SOC) as well as becoming aware of the importance of sharing research, in order to contribute this cooperation to the community as it can help us to better anticipate the possible tendencies of attackers.