This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

TI automation - architecture and hardening [part 1]

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

TI automation - architecture and hardening [part 1]

soc_enav
L1 Bithead

‎08-03-2017 04:25 AM - edited ‎08-31-2017 05:56 AM

Hi everyone,

I'm Giovanni Mellini and I work in ENAV (Italian Air Traffic Control provider) Security dept.

 

One of the topics I've been working on over the last few months is threat intelligence‍ automation, or how to automatically integrate threat intelligence feeds into our near-real-time Information Security Operation Center SOC‍ Splunk‍ engine to reduce the time spent by SOC‍ security analysts on IOC‍ analysis.

 

I found in MineMeld the solution; MineMeld helped me to solve the challenges I had in the past while playing with IOC‍ coming from various threat intelligence‍ sources: collection automation, unduplication, aging and SOC‍ integration.

 

I wrote a blog post - the first of a series I want to write- about the architecture design and hardening of MineMeld to:

  • collect feeds from external sources
  • make available the feeds to trusted sources (internal and external)
  • put data collected into our SOC‍ near-real-time engine built on top of Splunk‍

Hope this can be an useful resource for anyone like me is trying to be effective on TI automation.

 

Many tks again to Luigi Mori for its continued support.

 

Ciao

Giovanni

8 REPLIES 8

lmori
L7 Applicator

‎08-04-2017 03:31 AM

Awesome !

Flo
L1 Bithead

‎08-07-2017 10:35 PM

Thank you, I am looking forward to reading your next posts.

<<In the next posts I will cover:

  • setup of the miners: STIX/TAXXI, MISP, csv etc;
  • feeds export in csv format and SPLUNK integration;
  • feeds export in TAXII format.>>
Security at the expense of usability comes at the expense of security.

iThreatHunt
L3 Networker

‎08-10-2017 02:53 AM

Cool!!!

0 Likes Likes

soc_enav
L1 Bithead

‎08-11-2017 08:13 AM

New post here

Topic covered: how I built the foundation of near-real-time integration of MineMeld with our Information Security Operation Center (i-SOC) custom SPLUNK application

0 Likes Likes

iThreatHunt
L3 Networker

‎08-14-2017 10:01 PM

HTTPS Configurations 

 

Configure the server to disable support for 3DES suite & Disable insecure TLS/SSL protocol support (TLSv1)

 

$sudo vi /etc/nginx/sites-enabled/minemeld-web

 

ssl_protocols TLSv1.1 TLSv1.2;

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

 

$sudo sudo -u minemeld mm-supervisorctl restart minemeld-web

soc_enav
L1 Bithead
In response to iThreatHunt

‎08-14-2017 10:46 PM

Tks for the config, I will test and update the post

0 Likes Likes

soc_enav
L1 Bithead
In response to iThreatHunt

‎08-14-2017 11:06 PM

@iThreatHunt wrote:

HTTPS Configurations 

 

Configure the server to disable support for 3DES suite & Disable insecure TLS/SSL protocol support (TLSv1)

 

$sudo vi /etc/nginx/sites-enabled/minemeld-web

 

ssl_protocols TLSv1.1 TLSv1.2;

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

 

$sudo sudo -u minemeld mm-supervisorctl restart minemeld-web

After applying your config I can get a little better rate on https://www.ssllabs.com test for "Protocol Support" because TLS 1.0 is disabled (note that the test don't say that TLS 1.0 is insecure).

 

Selezione_284.png

 

Disabling 3DES disable the only one cipher suite considered WEAK, TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa). Great catch, to be honest I tried without success to find the right config. SO tks

 

Selezione_283.png

 

Last note.

To apply the new config on nginx the following command don't works

 

$sudo sudo -u minemeld mm-supervisorctl restart minemeld-web

 

You need to restart the service nginx

 

# service nginx restart

 

Tks, I update my blog post

Giovanni

0 Likes Likes

iThreatHunt
L3 Networker
In response to soc_enav

‎08-14-2017 11:33 PM

Oh, I am sorry. I think mimemeld-web services.

 

Thanks for correct command.

@soc_enav wrote:
@iThreatHunt wrote:

HTTPS Configurations 

 

Configure the server to disable support for 3DES suite & Disable insecure TLS/SSL protocol support (TLSv1)

 

$sudo vi /etc/nginx/sites-enabled/minemeld-web

 

ssl_protocols TLSv1.1 TLSv1.2;

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

 

$sudo sudo -u minemeld mm-supervisorctl restart minemeld-web

After applying your config I can get a little better rate on https://www.ssllabs.com test for "Protocol Support" because TLS 1.0 is disabled (note that the test don't say that TLS 1.0 is insecure).

 

Selezione_284.png

 

Disabling 3DES disable the only one cipher suite considered WEAK, TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa). Great catch, to be honest I tried without success to find the right config. SO tks

 

Selezione_283.png

 

Last note.

To apply the new config on nginx the following command don't works

 

$sudo sudo -u minemeld mm-supervisorctl restart minemeld-web

 

You need to restart the service nginx

 

# service nginx restart

 

Tks, I update my blog post

Giovanni

 

0 Likes Likes
  • 16770 Views
  • 8 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks