The success of open source and collaborative projects depends on the community that supports them. The development model is driven solely by a common goal, and has consistently been an invaluable resource for the IT and IT security industries.
Guided by the common goal of making the internet a little more secure and helping users hunt unknown malicious infrastructure, DomainTools has announced that it will integrate its Iris tool with the TheHive and Cortex platforms. The open-source community will have access to DNS threat investigation and intelligence, rich datasets and contextual enrichment for Indicators of Compromise (IOCs).
What are TheHive and Cortex?
TheHive is a scalable open-source solution built for SOCs, Cyber Security Incident Response Teams (CSIRTs), Computer Emergency Response Teams (CERTs) and any information security practitioner, and it allows them to investigate security incidents efficiently. Collaboration across the incident management phases and functions is at the heart of the platform. Cases can be created for every investigation either manually or automatically using templates, which can vary based on the type of investigation.
Cortex is our standalone analysis engine and a perfect companion for TheHive. TheHive speaks natively to Cortex via REST API to perform quick assessments of observables.
Together, the two platforms can be a significant time-saver and take away some of the tedious tasks associated with incident handling. Using the Analyze functionality, analysts can add and investigate a single observable or thousands of observables associated with a case. Finally, good old practices such as associating TLP and source tags are also baked into the platform.
Over the past three years, the TheHive project has matured, and more and more enterprises have adopted it as part of their enterprise SOC/CSIRT/CERT. TheHive and Cortex enable users to optimize security incident management, automate threat intelligence analysis, and perform digital forensics.
By enriching observables within TheHive and Cortex, users can now utilise DomainTools Iris intelligence to add value to their incident management workflow. In this way, DNS threat context will be available in a single toolset, without the need to access it via upstream systems. Through the point-and-click TheHive interface, users will now be able to access the rich DomainTools domain and DNS intelligence, Domain Risk Score, and supporting evidence.
TheHive and Cortex users will benefit from this integration in a number of ways, but the key element is improved context for investigations. They will now have access to additional insights, including Whois data, which can provide key information about domain ownership, as well as the DomainTools Risk Score, which enables faster triaging based on the type of risk the domain represents.
While enriching the observables, DomainTools persists the enrichment data in observable reports within an incident. This enables users to review the enriched dataset conveniently including DomainTools Guided Pivots, to help further their investigations.
Artifacts with Guided Pivots below a threshold limit, configured by the organization, are visually highlighted for convenience. Users can add these artifacts as potential points of pivot/reversing.
This enables an analyst to investigate the incident without context switching across multiple tools. Further, the enrichment data inside an incident forms a convenient record for reporting and reconciliation. And whenever an analyst feels the need to dive into the DomainTools investigation platform, they can launch it from within the observable report, all without losing their context in the investigation.
What about the connected infrastructure?
When profiling a DNS artifact isn’t sufficient, the integration with DomainTools’ Iris pivot analyser will allow TheHive and Cortex users to see what is connected to the domain observable, gaining insight into more detailed associations in order to build a more accurate picture of the infrastructure surrounding a domain. Associated IPs, SSL hashes and registrant email addresses can now be pivoted on to retrieve associated IOCs. Moreover, the Guided Pivot analytics will assist IT security practitioners in choosing which attributes to pivot on, and the Guided Pivot counts will even suggest an investigation path on their own.
Viable Guided Pivots will be flagged during observable enrichment, effectively allowing users to discover IOCs that would have otherwise gone undetected. To further consolidate intelligence and map forensics, users will have access to DomainTools analytics like Age and Domain Risk Score, which will narrow down the list of target IOCs to be imported into the platform. MISP users will also be able to link two instances and create an auto-case out of a MISP event.
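To make the threshold and scoring logic described above concrete, here is an added Python illustration that is not DomainTools', TheHive's or Cortex's own code: it flags Guided Pivot attributes whose counts fall below an organization-configured threshold, emits Cortex-style summary taxonomies for the observable report, and narrows a list of pivot results by Risk Score and Age before import. The enrichment record layout, field names, threshold value and score bands are all assumptions, and the sample data is constructed.

```python
"""Added illustration, not DomainTools', TheHive's or Cortex's own code:
flag viable Guided Pivots for a domain observable and narrow pivot results to
the IOCs worth importing. Field names, threshold and bands are assumptions."""
from dataclasses import dataclass, field

# Constructed sample enrichment for one observable (not real data). A pivot
# count is taken to mean "how many OTHER domains share this value".
SAMPLE_ENRICHMENT = {
    "domain": "example-observable.test",
    "risk_score": 87,
    "age_days": 12,
    "pivots": {
        "ip": ("203.0.113.7", 4),
        "ssl_hash": ("5d41402abc4b2a76b9719d911017c592", 2),
        "registrant_email": ("reg@example-observable.test", 0),
        "name_server": ("ns1.example-hoster.test", 120000),
    },
}

@dataclass
class PivotAssessment:
    viable_pivots: list = field(default_factory=list)
    taxonomies: list = field(default_factory=list)

def risk_level(score: int) -> str:
    # Cortex summaries use the levels info/safe/suspicious/malicious;
    # the score bands are assumed for this example.
    if score >= 70:
        return "malicious"
    return "suspicious" if score >= 40 else "safe"

def assess(record: dict, pivot_threshold: int = 500) -> PivotAssessment:
    """Pick pivot attributes shared by few enough domains to be informative
    and build Cortex-style taxonomy entries for the observable report."""
    out = PivotAssessment()
    for attr, (_value, count) in record["pivots"].items():
        # Zero leaves nothing to pivot to; a huge count (a hosting provider's
        # name server, say) would only pull in unrelated domains.
        if 0 < count < pivot_threshold:
            out.viable_pivots.append(attr)
    score = record["risk_score"]
    out.taxonomies.append({"namespace": "DomainTools", "predicate": "RiskScore",
                           "value": str(score), "level": risk_level(score)})
    out.taxonomies.append({"namespace": "DomainTools", "predicate": "GuidedPivots",
                           "value": str(len(out.viable_pivots)), "level": "info"})
    return out

def select_for_import(candidates: list, min_risk: int = 70, max_age_days: int = 90) -> list:
    """Keep pivot results that are both high-risk and young, the narrowing by
    Risk Score and Age described before IOCs are imported into the case."""
    return [c["domain"] for c in candidates
            if c["risk_score"] >= min_risk and c["age_days"] <= max_age_days]
```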
Overall, the automation of incident handling procedures through pivots on key domain attributes, as enabled by this integration of DomainTools Iris with TheHive and Cortex, will reduce the time IT security teams have to spend investigating and triaging across multiple tools.
When working in today’s ever-growing and increasingly complex threat landscape, it is increasingly important that organisations manage to collaborate effectively in ways such as this: increasing visibility and providing security teams and researchers with enriched data is one of the key things that will help us take the fight to cybercriminals.