TheHive, Cortex and MISP: enhanced interoperability at the service of resilience


Among the projects on the menu at the Hackathon of the Open Source Security Tools conference, held on March 26th, was the MISP platform, which once again mobilized its community to improve the tool. Since TheHive had just received a major update, it was time to check that its interoperability with MISP still held. For those not familiar with previous Hackathon initiatives: TheHive and Cortex are incident response projects that let users incorporate MISP data alongside data from other sources.

Saad Kadhi is the “founding father” of TheHive and participated in the Hackathon with great enthusiasm.

“It’s really interesting to meet other developers and especially the users who give us ideas to continue to develop our tools.”

TheHive is able to receive and process information from multiple sources. It relies on a companion tool, Cortex, which analyses observables: technical indicators such as IP and e-mail addresses, domain names, files and hash values. Cortex is the natural complement to TheHive, and several Cortex instances can be used at the same time. Cortex can also automate and speed up the application of countermeasures that protect infrastructure and data.

As the Cortex analysis engine had also just received a major update, it was important to check that the interface between TheHive and MISP was still working properly, explains Saad Kadhi.

“Additionally, we want to develop standards which will facilitate communication between all threat analysis services. A European initiative has been launched to create a taxonomy of incidents. We are currently writing a draft version of this taxonomy.” In short, the Hackathon focused the efforts of many actors on improving everyone's resilience against attacks that are becoming ever harder to detect and counter.

Sharing data during an incident response also raises the question of how to protect the personal data involved. This question will be studied during a dedicated workshop on May 7, 2018: “Organizer of Incident Response, Information Sharing and GDPR: a practical perspective for CSIRTs”.