TheHive Project — SOC Level 1 - Digital Forensics and Incident Response — TryHackMe Walkthrough & Insights
Learn how to use TheHive, a Security Incident Response Platform, to report investigation findings
Site URL: https://tryhackme.com/r/room/thehiveproject
Task 1 Room Outline
Welcome to TheHive Project Outline!
This room will cover the foundations of using the TheHive Project, a Security Incident Response Platform.
Specifically, we will be looking at:
- What TheHive is.
- An overview of the platform’s functionalities and integrations.
- Installing TheHive for yourself.
- Navigating the UI.
- Creation of a case assessment.
Before we begin, ensure you download the attached file, as it will be needed for Task 5.
Answer the questions below
I have read the outline. Let’s proceed.
Task 2 Introduction
TheHive Project is a scalable, open-source and freely available Security Incident Response Platform, designed to assist security analysts and practitioners working in SOCs, CSIRTs and CERTs to track, investigate and act upon identified security incidents in a swift and collaborative manner.
Security Analysts can collaborate on investigations simultaneously, ensuring real-time information pertaining to new or existing cases, tasks, observables and IOCs are available to all team members.
More information about the project can be found on https://thehive-project.org/ & their GitHub Repo.
Image: Cases dashboard on TheHive by order of reported severity
TheHive Project operates under the guide of three core functions:
- Collaborate: Multiple analysts from one organisation can work together on the same case simultaneously. Through its live stream capabilities, everyone can keep an eye on the cases in real time.
- Elaborate: Investigations correspond to cases. The details of each case can be broken down into associated tasks, which can be created from scratch or through a template engine. Additionally, analysts can record their progress, attach artifacts of evidence and assign tasks effortlessly.
- Act: A quick triaging process can be supported by allowing analysts to add observables to their cases, leveraging tags, flagging IOCs and identifying previously seen observables to feed their threat intelligence.
Answer the questions below
Cool stuff! How does it work?
Task 3 TheHive Features & Integrations
TheHive allows analysts from one organisation to work together on the same case simultaneously. This is due to the platform’s rich feature set and integrations that support analyst workflows. The features include:
- Case/Task Management: Every investigation is meant to correspond to a case that has been created. Each case can be broken down into one or more tasks for added granularity and even be turned into templates for easier management. Additionally, analysts can record their progress, attach pieces of evidence or noteworthy files, add tags and other archives to cases.
- Alert Triage: Cases can be imported from SIEM alerts, email reports and other security event sources. This feature allows an analyst to go through the imported alerts and decide whether or not they are to be escalated into investigations or incident response.
- Observable Enrichment with Cortex: One of the main feature integrations TheHive supports is Cortex, an observable analysis and active response engine. Cortex allows analysts to collect more information from threat indicators by performing correlation analysis and developing patterns from the cases. More information on Cortex.
- Active Response: TheHive allows analysts to use Responders and run active actions to communicate, share information about incidents and prevent or contain a threat.
- Custom Dashboards: Statistics on cases, tasks, observables, metrics and more can be compiled and distributed on dashboards that can be used to generate useful KPIs within an organisation.
- Built-in MISP Integration: Another useful integration is with MISP, a threat intelligence platform for sharing, storing and correlating Indicators of Compromise of targeted attacks and other threats. This integration allows analysts to create cases from MISP events, import IOCs or export their own identified indicators to their MISP communities.
Other notable integrations that TheHive supports are DigitalShadows2TH & ZeroFox2TH, free and open-source extensions of alert feeders from DigitalShadows and ZeroFox respectively. These integrations ensure that alerts can be added into TheHive and transformed into new cases using pre-defined incident response templates or by adding to existing cases.
Answer the questions below
3.1 Which open-source platform supports the analysis of observables within TheHive?
The open-source platform that helps analyze “observables” (like IP addresses, files, domains, or threat indicators) within TheHive is called Cortex.
What does this mean?
- TheHive is a system used to manage investigations of cybersecurity incidents. In this system, small pieces of data that might provide clues about an incident — like an IP address or a suspicious file — are called “observables.”
- Cortex is another tool that works together with TheHive. Its job is to analyze these observables. For example:
- If there’s a suspicious IP address, Cortex can check if it’s linked to known threats or has been seen in other attacks.
- If there’s a suspicious file, Cortex can run tests to gather more information about it.
- Cortex makes it easier for analysts to understand threats, find patterns, and make smarter decisions during an investigation.
Why is this useful?
With Cortex, security analysts can save time and work more efficiently because it provides more details about each observable, helping them solve cases faster.
Think of TheHive as a detective’s notebook and Cortex as a magnifying glass that helps the detective see details more clearly.
Answer: Cortex
Task 4 User Profiles & Permissions
TheHive offers an administrator the ability to create an organisation group to identify the analysts and assign different roles based on a list of pre-configured user profiles.
Image: Admin Console — Create Organisation
The pre-configured user profiles are:
- admin: full administrative permissions on the platform; can’t manage any Cases or other data related to investigations;
- org-admin: manage users and all organisation-level configuration, can create and edit Cases, Tasks, Observables and run Analysers and Responders;
- analyst: can create and edit Cases, Tasks, Observables and run Analysers & Responders;
- read-only: Can only read, Cases, Tasks and Observables details;
Image: Admin Console — Add User
Each user profile has a pre-defined list of permissions that would allow the user to perform different tasks based on their role. When a profile has been selected, its permissions will be listed.
The full list of permissions includes:
Note that (1) Organisations, configuration, profiles and tags are global objects. The related permissions are effective only on the “admin” organisation. (2) Actions, analysis and template are available only if the Cortex connector is enabled.
In addition to adding new user profiles, the admin can also perform other operations such as creating case custom fields, custom observable types, custom analyser templates and importing TTPs from the MITRE ATT&CK framework, as displayed in the image below.
Image: Imported list of ATT&CK Patterns
Deploy the machine attached to follow along on the next task. Please give it a minimum of 5 minutes to boot up. It would be best if you connected to the portal via http://MACHINE_IP/index.html on the AttackBox or using your VPN connection.
Log on to the analyst profile using the credentials:
Username: analyst@tryhackme.me
Password: analyst1234
Answer the questions below
4.1 Which pre-configured account cannot manage any cases? (Question Hint One of the four discussed profiles cannot manage cases).
The account that cannot manage cases is the admin account.
- This account has the highest level of control over the platform, like creating organizations, managing users, and changing configurations.
- However, it cannot handle investigations directly (like opening or editing cases).
Answer: admin
4.2 Which permission allows a user to create, update or delete observables?
The permission is called manageObservable.
- Observables are small pieces of data, like an IP address or a suspicious file, that are part of an investigation.
- This permission gives a user the ability to add, change, or delete these observables in the system.
Answer: manageObservable
4.3 Which permission allows a user to execute actions?
The permission is called manageAction.
- “Executing actions” means running tasks to stop or manage a cybersecurity threat.
- For example, sending an alert to a team or running a program to gather more information about a suspicious event.
Answer: manageAction
Task 5 Analyst Interface Navigation
SCENARIO
You have captured network traffic on your network after suspicion of data exfiltration being done on the network. This traffic corresponds to FTP connections that were established. Your task is to analyse the traffic and create a case on TheHive to facilitate the progress of an investigation. If you are unfamiliar with using Wireshark, please check out this room first and come back to complete this task.
Source of PCAP file: IntroSecCon CTF 2020
Once an analyst has logged in to the dashboard, they will be greeted with the screen below. At the top, various menu options are listed that allow the user to create new cases and see their tasks and alerts. A list of active cases will be populated on the centre console when analysts create them.
Image: TheHive Main Landing Page
On clicking the New Case tab, a pop-up window opens, providing the analyst with fields to input their case details and tasks. The following options must be indicated on the case to set different categories and filter options:
- Severity: This showcases the level of impact the incident being investigated has on the environment from low to critical levels.
- TLP: The Traffic Light Protocol is a set of designations to ensure that sensitive information is shared with the appropriate audience. The range of colours represents a scale between full disclosure of information (White) and No disclosure/ Restricted (Red). You can find more information about the definitions on the CISA website.
- PAP: The Permissible Actions Protocol is used to indicate what an analyst can do with the information, whether an attacker can detect the current analysis state or defensive actions in place. It uses a colour scheme similar to TLP and is part of the MISP taxonomies.
With this in mind, we open a new case and fill in the details of our investigation, as seen below. Additionally, we add a few tasks to the case that would guide the investigation of the event.
In the visual below, we add the corresponding tactic and technique associated with the case. The TTPs are imported from MITRE ATT&CK. This provides additional information that can be helpful to map out the threat. As this is an exfiltration investigation, that is the specific tactic chosen and followed by the specific T1048.003 technique for Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol.
Case observables will be added from the Observables tab, and you would have to indicate the following details:

| Field | Description | Examples |
| --- | --- | --- |
| Type * | The observable dataType | IP address, Hash, Domain |
| Value * | Your observable value | 8.8.8.8, 127.0.0.1 |
| One observable per line | Create one observable per line inserted in the value field. | |
| One single multiline observable | Create one observable, no matter the number of lines | Long URLs |
| TLP * | Define here the way the information should be shared. | |
| Is IOC | Check if this observable is considered an Indicator of Compromise | Emotet IP |
| Has been sighted | Has this observable been sighted on your information system? | |
| Ignore for similarity | Do not correlate this observable with other similar observables. | |
| Tags ** | Insightful information Tags. | Malware IP; MITRE Tactics |
| Description ** | Description of the observable | |
In our scenario, we are adding the IP address 192… as our observable as this IP is the source of the FTP requests. Depending on the situation of your analysis, this observable can be marked as an IOC or if it has been sighted before in a different investigation.
I created a case following the provided example. I largely adhered to the steps demonstrated in the example when setting up the new case.
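The case and observable fields walked through above map directly onto the JSON a script would send to TheHive's REST API. The following is an added example, not TheHive's own code or code from the room: it builds the case body (severity, TLP, PAP, tasks) and the observable bodies for this FTP exfiltration scenario, including the "one observable per line" versus "single multiline observable" switch from the form. The JSON field names (severity, tlp, pap, dataType, ioc, sighted, ignoreSimilarity, tags, message) and the numeric levels are assumed to follow TheHive 4's API; the source addresses are constructed placeholders.

```python
# Added example (not TheHive's own code): build the JSON bodies a script would
# send to TheHive when opening the FTP exfiltration case on this page.
# Field names and numeric levels are assumed to follow TheHive 4's REST API.

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# TLP and PAP share the colour scale on the case form; TheHive stores them as 0..3.
COLOUR = {"white": 0, "green": 1, "amber": 2, "red": 3}


def build_case(title, description, severity="medium", tlp="amber", pap="amber",
               tags=(), tasks=()):
    """Return the body for creating a case; reject levels the form would not accept."""
    if severity not in SEVERITY:
        raise ValueError(f"severity must be one of {sorted(SEVERITY)}")
    for name, level in (("tlp", tlp), ("pap", pap)):
        if level not in COLOUR:
            raise ValueError(f"{name} must be one of {sorted(COLOUR)}")
    return {"title": title, "description": description,
            "severity": SEVERITY[severity], "tlp": COLOUR[tlp], "pap": COLOUR[pap],
            "tags": list(tags), "tasks": [{"title": t} for t in tasks]}


def build_observables(data_type, value, tlp="amber", ioc=False, sighted=False,
                      ignore_similarity=False, tags=(), message="", one_per_line=True):
    """Return one payload per non-empty line, or a single multiline observable.

    Mirrors the 'One observable per line' / 'One single multiline observable'
    switch on the Observables form (long URLs are the multiline case).
    """
    if tlp not in COLOUR:
        raise ValueError(f"tlp must be one of {sorted(COLOUR)}")
    values = [v.strip() for v in value.splitlines() if v.strip()] if one_per_line else [value]
    if not values:
        raise ValueError("observable value is empty")
    return [{"dataType": data_type, "data": v, "tlp": COLOUR[tlp], "ioc": ioc,
             "sighted": sighted, "ignoreSimilarity": ignore_similarity,
             "tags": list(tags), "message": message} for v in values]


def scenario_payloads():
    """Case plus observables for the FTP exfiltration scenario on this page.

    The two source addresses are constructed placeholders (TEST-NET-1), not the
    address taken from the room's PCAP.
    """
    case = build_case("Suspected FTP data exfiltration",
                      "FTP sessions captured in a PCAP; review transferred files.",
                      severity="high", tlp="amber", pap="amber",
                      tags=["exfiltration", "ftp", "T1048.003"],
                      tasks=["Review PCAP for FTP transfers",
                             "Identify files leaving the network"])
    observables = build_observables("ip", "192.0.2.10\n192.0.2.11\n", ioc=True,
                                    tags=["ftp-source"], message="Source of FTP requests")
    return case, observables
```

Posting these bodies to a live instance (in TheHive 4, case creation and adding artifacts to a case are separate endpoints) is left out so the example runs offline.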
Answer the questions below
5.1 Where are the TTPs imported from? (Question Hint This framework is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations)
First, understand TTPs (Tactics, Techniques, and Procedures):
TTPs describe the methods and strategies attackers use in their operations.
The MITRE ATT&CK Framework is a global database of these TTPs, based on real-world adversary observations.
The question directly mentions that TTPs are imported into TheHive.
TTPs in TheHive are sourced from the MITRE ATT&CK Framework, a globally accessible knowledge base of adversary tactics and techniques.
Answer: MITRE ATT&CK
5.2 According to the Framework, what type of Detection “Data source” would our investigation be classified under? (Question Hint Research on the TTP assigned).
The investigation revolves around analyzing network traffic using the PCAP file.
Research the TTP: open the MITRE ATT&CK site. The main page shows the ATT&CK Matrix for Enterprise, which categorises adversary tactics and techniques.
In the top menu, under Defenses, select Data Sources.
Data Sources represent the types of information collected (logs, network traffic) to detect adversarial activity.
The Data Sources page lists various categories, such as:
- Network Traffic
- File
- Command
- Application Log, and more.
Since the investigation revolves around FTP data exfiltration captured in a PCAP file, use the browser search (Ctrl+F) for "PCAP" to narrow down the relevant data source.
We located DS0029 — Network Traffic in the Data Sources list.
Data transmitted across a network (FTP, HTTP, DNS) that can be summarized (Netflow) or captured as raw data (PCAP format).
This directly applies to the investigation, as FTP traffic was captured in a PCAP file for analysis.
Based on the description, Network Traffic is the most appropriate classification for the investigation, as the detection is based on analyzing raw packet data from the PCAP file.
Answer: Network Traffic
5.3 Upload the pcap file as an observable. What is the flag obtained from https://MACHINE_IP//files/flag.html
Upload the PCAP file as an observable in TheHive with appropriate tags (ftp, exfiltration, PCAP) and a description.
Ensure all observables (IPs, filenames, PCAP) and related tasks are added to complete your investigation.
Documenting it in TheHive ensures a clear and auditable trail for the incident.
Once added, the flag will be recorded as part of the evidence for this case.
Access the URL (change https to http):
http://MACHINE_IP//files/flag.html
Answer: THM{FILES_ARE_OBSERVABLERS}
Task 6 Room Conclusion
We have now reached the end of TheHive Project room.
This room has hopefully given you a good grasp of how incident response and management is performed using TheHive and given you a working knowledge of the tool.
You are advised to experiment with these foundations until you are completely comfortable with them and to open up to more experiments with the mentioned integrations and others.
Answer the questions below
Check out the documentation and keep experimenting!
Summary of TheHive Project Room and Key Insights
TheHive Project room on TryHackMe introduces users to the fundamentals of using TheHive, an open-source Security Incident Response Platform (SIRP). This room helps both cybersecurity professionals and beginners understand how to track, investigate, and manage security incidents efficiently.
What is TheHive?
TheHive is a platform designed to help cybersecurity analysts:
1. Manage Investigations: Organize and track incidents by creating cases and adding evidence.
2. Collaborate in Teams: Multiple team members can work on the same case in real time, ensuring efficient response.
3. Respond to Threats: Analysts can analyze suspicious data, categorize incidents, and respond to threats quickly.
Why Is This Important?
1. Efficient Incident Management: TheHive offers a structured and organized way to handle incidents, ensuring all steps are accounted for.
2. Collaboration: Teams can work together in real time, reducing delays in responding to threats.
3. Powerful Integrations: Tools like Cortex and MISP enhance investigations by providing detailed analysis and actionable intelligence.
4. Standardized Processes: Using frameworks like MITRE ATT&CK ensures investigations align with global best practices.
Key Insights and Takeaways
- TheHive Simplifies Investigations: It organizes cases, tasks, and observables, making it easier for analysts to manage complex incidents.
- Observables Are Critical: Small details like IP addresses, suspicious files, and network traffic are crucial for identifying and stopping threats.
- Integrations Save Time: Cortex and MISP enhance investigations by providing detailed analysis and sharing threat intelligence.
- Practice Is Essential: Hands-on experience with tools like TheHive helps analysts become more confident and efficient.
Getting Started with TheHive
1. Experiment: Practice creating cases, adding observables, and analyzing data in TheHive.
2. Learn About Integrations: Explore how Cortex and MISP work to enrich investigations.
3. Study Frameworks: Understand the MITRE ATT&CK Framework to classify and understand threats better.
TheHive is an essential tool for anyone looking to improve their cybersecurity skills, especially in incident response. By mastering its features, you can enhance your ability to detect, investigate, and respond to cyber threats effectively.