TI automation - architecture and hardening [part 1]

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

TI automation - architecture and hardening [part 1]

L1 Bithead

Hi everyone,

I'm Giovanni Mellini and I work in ENAV (Italian Air Traffic Control provider) Security dept.

 

One of the topics I've been working on over the last few months is threat intelligence‍ automation, or how to automatically integrate threat intelligence feeds into our near-real-time Information Security Operation Center SOC‍ Splunk‍ engine to reduce the time spent by SOC‍ security analysts on IOC‍ analysis.

 

I found in MineMeld the solution; MineMeld helped me to solve the challenges I had in the past while playing with IOC‍ coming from various threat intelligence‍ sources: collection automation, unduplication, aging and SOC‍ integration.

 

I wrote a blog post - the first of a series I want to write- about the architecture design and hardening of MineMeld to:

  • collect feeds from external sources
  • make available the feeds to trusted sources (internal and external)
  • put data collected into our SOC‍ near-real-time engine built on top of Splunk‍

Hope this can be an useful resource for anyone like me is trying to be effective on TI automation.

 

Many tks again to Luigi Mori for its continued support.

 

Ciao

Giovanni

8 REPLIES 8

L7 Applicator

Awesome !

L1 Bithead

Thank you, I am looking forward to reading your next posts.

<<In the next posts I will cover:

  • setup of the miners: STIX/TAXXI, MISP, csv etc;
  • feeds export in csv format and SPLUNK integration;
  • feeds export in TAXII format.>>
Security at the expense of usability comes at the expense of security.

L3 Networker

Cool!!!

L1 Bithead

New post here

Topic covered: how I built the foundation of near-real-time integration of MineMeld with our Information Security Operation Center (i-SOC) custom SPLUNK application

L3 Networker

HTTPS Configurations 

 

Configure the server to disable support for 3DES suite & Disable insecure TLS/SSL protocol support (TLSv1)

 

$sudo vi /etc/nginx/sites-enabled/minemeld-web

 

ssl_protocols TLSv1.1 TLSv1.2;

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

 

$sudo sudo -u minemeld mm-supervisorctl restart minemeld-web

Tks for the config, I will test and update the post


@iThreatHunt wrote:

HTTPS Configurations 

 

Configure the server to disable support for 3DES suite & Disable insecure TLS/SSL protocol support (TLSv1)

 

$sudo vi /etc/nginx/sites-enabled/minemeld-web

 

ssl_protocols TLSv1.1 TLSv1.2;

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

 

$sudo sudo -u minemeld mm-supervisorctl restart minemeld-web


After applying your config I can get a little better rate on https://www.ssllabs.com test for "Protocol Support" because TLS 1.0 is disabled (note that the test don't say that TLS 1.0 is insecure).

 

Selezione_284.png

 

Disabling 3DES disable the only one cipher suite considered WEAK, TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa). Great catch, to be honest I tried without success to find the right config. SO tks

 

Selezione_283.png

 

Last note.

To apply the new config on nginx the following command don't works

 

$sudo sudo -u minemeld mm-supervisorctl restart minemeld-web

 

You need to restart the service nginx

 

# service nginx restart

 

Tks, I update my blog post

Giovanni

Oh, I am sorry. I think mimemeld-web services.

 

Thanks for correct command.


@soc_enav wrote:

@iThreatHunt wrote:

HTTPS Configurations 

 

Configure the server to disable support for 3DES suite & Disable insecure TLS/SSL protocol support (TLSv1)

 

$sudo vi /etc/nginx/sites-enabled/minemeld-web

 

ssl_protocols TLSv1.1 TLSv1.2;

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

 

$sudo sudo -u minemeld mm-supervisorctl restart minemeld-web


After applying your config I can get a little better rate on https://www.ssllabs.com test for "Protocol Support" because TLS 1.0 is disabled (note that the test don't say that TLS 1.0 is insecure).

 

Selezione_284.png

 

Disabling 3DES disable the only one cipher suite considered WEAK, TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa). Great catch, to be honest I tried without success to find the right config. SO tks

 

Selezione_283.png

 

Last note.

To apply the new config on nginx the following command don't works

 

$sudo sudo -u minemeld mm-supervisorctl restart minemeld-web

 

You need to restart the service nginx

 

# service nginx restart

 

Tks, I update my blog post

Giovanni


 

  • 16898 Views
  • 8 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!