topic Re: [HOWTO] MineMeld: Threat Intelligence Automation - architecture and hardening in General Topics

TI automation - architecture and hardening [part 1]

soc_enav — Thu, 31 Aug 2017 12:56:29 GMT

Hi everyone,

I'm Giovanni Mellini and I work in ENAV (Italian Air Traffic Control provider) Security dept.

One of the topics I've been working on over the last few months is threat intelligence‍ automation, or how to automatically integrate threat intelligence feeds into our near-real-time Information Security Operation Center SOC‍ Splunk‍ engine to reduce the time spent by SOC‍ security analysts on IOC‍ analysis.

I found in MineMeld the solution; MineMeld helped me to solve the challenges I had in the past while playing with IOC‍ coming from various threat intelligence‍ sources: collection automation, unduplication, aging and SOC‍ integration.

I wrote a blog post - the first of a series I want to write- about the architecture design and hardening of MineMeld to:

collect feeds from external sources
make available the feeds to trusted sources (internal and external)
put data collected into our SOC‍ near-real-time engine built on top of Splunk‍

Hope this can be an useful resource for anyone like me is trying to be effective on TI automation.

Many tks again to Luigi Mori for its continued support.

Ciao

Giovanni

Re: [HOWTO] Threat Intelligence Automation - MineMeld architecture and hardening

lmori — Fri, 04 Aug 2017 10:31:42 GMT

Awesome !

Re: [HOWTO] Threat Intelligence Automation - MineMeld architecture and hardening

Flo — Tue, 08 Aug 2017 05:35:20 GMT

Thank you, I am looking forward to reading your next posts.

<<In the next posts I will cover:

setup of the miners: STIX/TAXXI, MISP, csv etc;
feeds export in csv format and SPLUNK integration;
feeds export in TAXII format.>>

Re: [HOWTO] Threat Intelligence Automation - MineMeld architecture and hardening

iThreatHunt — Thu, 10 Aug 2017 09:53:10 GMT

Cool!!!

Re: [HOWTO] Threat Intelligence Automation - MineMeld architecture and hardening

soc_enav — Fri, 11 Aug 2017 15:13:31 GMT

New post here

Topic covered: how I built the foundation of near-real-time integration of MineMeld with our Information Security Operation Center (i-SOC) custom SPLUNK application

Re: [HOWTO] MineMeld: Threat Intelligence Automation - architecture and hardening

iThreatHunt — Tue, 15 Aug 2017 05:01:10 GMT

HTTPS Configurations

Configure the server to disable support for 3DES suite & Disable insecure TLS/SSL protocol support (TLSv1)

$sudo vi /etc/nginx/sites-enabled/minemeld-web

ssl_protocols TLSv1.1 TLSv1.2;

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

$sudo sudo -u minemeld mm-supervisorctl restart minemeld-web

Re: [HOWTO] MineMeld: Threat Intelligence Automation - architecture and hardening

soc_enav — Tue, 15 Aug 2017 05:46:51 GMT

Tks for the config, I will test and update the post

Re: [HOWTO] MineMeld: Threat Intelligence Automation - architecture and hardening

soc_enav — Tue, 15 Aug 2017 06:06:10 GMT

@iThreatHunt wrote:

HTTPS Configurations

Configure the server to disable support for 3DES suite & Disable insecure TLS/SSL protocol support (TLSv1)

$sudo vi /etc/nginx/sites-enabled/minemeld-web

ssl_protocols TLSv1.1 TLSv1.2;

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

$sudo sudo -u minemeld mm-supervisorctl restart minemeld-web

After applying your config I can get a little better rate on https://www.ssllabs.com test for "Protocol Support" because TLS 1.0 is disabled (note that the test don't say that TLS 1.0 is insecure).

Disabling 3DES disable the only one cipher suite considered WEAK, TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa). Great catch, to be honest I tried without success to find the right config. SO tks

Last note.

To apply the new config on nginx the following command don't works

$sudo sudo -u minemeld mm-supervisorctl restart minemeld-web

You need to restart the service nginx

# service nginx restart

Tks, I update my blog post

Giovanni

Re: [HOWTO] MineMeld: Threat Intelligence Automation - architecture and hardening

iThreatHunt — Tue, 15 Aug 2017 06:33:09 GMT

Oh, I am sorry. I think mimemeld-web services.

Thanks for correct command.

@soc_enav wrote:

@iThreatHunt wrote:

HTTPS Configurations

Configure the server to disable support for 3DES suite & Disable insecure TLS/SSL protocol support (TLSv1)

$sudo vi /etc/nginx/sites-enabled/minemeld-web

ssl_protocols TLSv1.1 TLSv1.2;

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

$sudo sudo -u minemeld mm-supervisorctl restart minemeld-web

After applying your config I can get a little better rate on https://www.ssllabs.com test for "Protocol Support" because TLS 1.0 is disabled (note that the test don't say that TLS 1.0 is insecure).

Disabling 3DES disable the only one cipher suite considered WEAK, TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa). Great catch, to be honest I tried without success to find the right config. SO tks

Last note.

To apply the new config on nginx the following command don't works

$sudo sudo -u minemeld mm-supervisorctl restart minemeld-web

You need to restart the service nginx

# service nginx restart

Tks, I update my blog post

Giovanni