Security Vision
With the rapid evolution of information systems and increasing cybersecurity threats, finding reliable solutions to minimise the damage caused by information security (IS) breaches is becoming an important challenge for various organisations.
When an organisation's infrastructure becomes so complex that it becomes impossible to keep an eye on the big picture, a SOC (Security Operations Center) comes to the rescue - a highly specialised information security monitoring situation centre, a collection of hardware, software, people and processes. This type of system is designed to centrally collect and analyse information about IS events and incidents from various IT infrastructure sources.
There are many specific solutions, but it is difficult to imagine even an internal SOC in a medium-sized company, let alone a commercial centre, without a number of basic information monitoring and protection tools. These tools are usually systems of different classes, where each element fulfils its own functional role. One of the central and most effective classes is the IRP (Incident Response Platform): a separate system for building incident management processes, designed to automate the monitoring, recording and response to incidents and to solve the typical tasks of IS management.
The use of IRPs helps ensure timely responses from the information security incident response team while providing analytical information and context of the event being monitored. In this article, we will look at one such platform, The Hive, which provides a comprehensive solution for effective security incident management and response.
The Hive is a scalable, modern open source platform designed specifically for collaborative IS incident response. Tightly integrated with MISP (Malware Information Sharing Platform) and Cortex, it is designed to make life easier for SOCs, CSIRTs and CERTs working with these tools, and for all information security professionals dealing with incidents that require rapid investigation and action. The system combines a variety of features and capabilities to help monitor and remediate threats. SecOps professionals can conduct investigations collaboratively on the platform thanks to a built-in live stream that provides real-time information on new or existing alerts, tasks, artefacts and IOCs.
One of the key features of The Hive is its intuitive user interface, which provides a convenient and centralised workspace for managing security incidents. But you also have to realise that the product has a number of downsides. If you are not satisfied with the interface, say because some elements are missing or, on the contrary, there are far too many of them, there is nothing you can do about it: the project is open source, and changes to it are made very rarely.
Figure 1: Graphical interface with widgets for criticality and alert statuses
Figure 2: Prioritisation of alerts of the same type
On the dedicated page for working with alerts there is a visual toggling function, which is present in almost all similar solutions. Here you can leave comments, identify similar alerts, set statuses and customise fields as you like. You can decide whether to refer alerts for investigation or to escalate them, that is, respond to them as incidents.
The Timeline tab shows the prioritisation and case management of alerts; it is possible to create different relationships and to see similar attribution items (techniques, indicators of compromise, logs, etc.). This allows similar cases and alerts to be identified, a PAP (Permissible Actions Protocol), TLP (Traffic Light Protocol) and severity level to be defined and assigned for each monitored object, and the incident response process to be improved using a simple template mechanism.
Figure 3: Timeline investigations with additional attribution by cases
The attribution of all MITRE ATT&CK Framework TTPs is imported directly into The Hive management system and is available after installation (though in a very reduced form: there is no complete entity database such as, for example, the malware (software) entries). Therefore, MITRE techniques and tactics can be added to a specific case or alert (or simply exported to a MISP event), but only in a reduced data model.
Figure 4: Adding MITRE ATT&CK to an alert
With integration with MISP (but not with other TIP platforms), you can import and use common indicators of compromise or easily share your own with communities.
Figure 5: Integration with MISP
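The alert handling described above (severity, TLP and PAP per monitored object, finding alerts of the same type, and attaching indicators of compromise that can later be shared with MISP) can also be driven from outside the web interface. The following is an added example, not code from the original article or from the TheHive project itself. It assumes a TheHive 4 instance exposing the `POST /api/alert` endpoint with a Bearer API key; the base URL and API key in `main()` are placeholders, and the two sample alerts are constructed here for illustration.

```python
"""Build, deduplicate, prioritise and submit TheHive alerts.

Added example (not TheHive's own code). Assumes TheHive 4's
``POST /api/alert`` endpoint and Bearer API-key authentication.
"""
import json
import urllib.request
from typing import Dict, Iterable, List

# TLP and PAP levels as TheHive encodes them (0 = white .. 3 = red).
TLP = {"white": 0, "green": 1, "amber": 2, "red": 3}
PAP = {"white": 0, "green": 1, "amber": 2, "red": 3}
# TheHive severity: 1 = low, 2 = medium, 3 = high, 4 = critical.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def build_alert(title: str, description: str, alert_type: str, source: str,
                source_ref: str, severity: str = "medium", tlp: str = "amber",
                pap: str = "amber", tags: Iterable[str] = (),
                observables: Iterable[Dict] = ()) -> Dict:
    """Return a JSON-serialisable alert body for TheHive's alert endpoint.

    ``source_ref`` must be unique per ``(type, source)``; TheHive uses it to
    recognise the same alert being re-sent, so callers should derive it from
    a stable identifier in the originating tool (a SIEM rule id + event id).
    """
    if severity not in SEVERITY:
        raise ValueError(f"unknown severity {severity!r}")
    if tlp not in TLP or pap not in PAP:
        raise ValueError("TLP and PAP must be one of white/green/amber/red")
    artifacts = []
    for obs in observables:
        # Each observable needs a dataType (ip, domain, hash, url, ...) and data.
        artifacts.append({
            "dataType": obs["dataType"],
            "data": obs["data"],
            "message": obs.get("message", ""),
            "tags": list(obs.get("tags", [])),
        })
    return {
        "title": title,
        "description": description,
        "type": alert_type,
        "source": source,
        "sourceRef": source_ref,
        "severity": SEVERITY[severity],
        "tlp": TLP[tlp],
        "pap": PAP[pap],
        "tags": list(tags),
        "artifacts": artifacts,
    }


def dedupe_alerts(alerts: Iterable[Dict]) -> List[Dict]:
    """Drop alerts that share (type, source, sourceRef); keep first seen."""
    seen, unique = set(), []
    for alert in alerts:
        key = (alert["type"], alert["source"], alert["sourceRef"])
        if key not in seen:
            seen.add(key)
            unique.append(alert)
    return unique


def prioritise(alerts: Iterable[Dict]) -> List[Dict]:
    """Order alerts for triage: highest severity first, then most restricted TLP."""
    return sorted(alerts, key=lambda a: (a["severity"], a["tlp"]), reverse=True)


def submit_alert(base_url: str, api_key: str, alert: Dict, timeout: int = 10) -> Dict:
    """POST one alert to TheHive and return the created alert as parsed JSON."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/alert",
        data=json.dumps(alert).encode("utf-8"),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def main() -> None:
    # Placeholder values: replace with your own TheHive URL and API key.
    base_url, api_key = "https://thehive.example.invalid", "REPLACE_WITH_API_KEY"
    # Constructed sample alerts; the second is a re-send of the first.
    batch = [
        build_alert("Beaconing to known C2", "Periodic DNS queries", "c2-beacon",
                    "siem", "rule-42:evt-1001", severity="high", tlp="amber",
                    observables=[{"dataType": "domain", "data": "bad.example",
                                  "tags": ["c2"]}]),
        build_alert("Beaconing to known C2", "Periodic DNS queries", "c2-beacon",
                    "siem", "rule-42:evt-1001", severity="high"),
        build_alert("Failed admin logins", "20 failures in 5 min", "bruteforce",
                    "siem", "rule-7:evt-2002", severity="medium", tlp="green"),
    ]
    for alert in prioritise(dedupe_alerts(batch)):
        print(submit_alert(base_url, api_key, alert)["id"])


if __name__ == "__main__":
    main()
```

The functions that shape the data (`build_alert`, `dedupe_alerts`, `prioritise`) are kept separate from the one that talks to the server, so the triage logic can be tested without a running instance and reused when alerts are exported to a MISP event instead.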
A mechanism for working with other departments is also present: through a menu you can define different organisations, teams or departments that will constantly interact with each other, to speed up the processing of alerts and their related artefacts. When configuring it, you can specify role types and permissions so that each role is shown only certain items in the menu.
Figure 6: Mechanism of interaction with organisations
Further configuration covers advanced user management: detailed configuration of user profiles, assigning them to organisations, and LDAP or AD synchronisation.
Figure 7: User configuration
Metrics and dashboards
The collected data is consolidated and presented through a dashboard with dynamically configurable widgets, where you can get statistics on different areas, tasks, monitored fields, metrics, etc. to build useful KPIs and MBOs. The widgets are largely pre-built, and customisation is limited.
Figure 8: Widgets by metrics
There is a minimal ability to create investigation reports and to generate them automatically in Markdown format for various knowledge-base entries, as well as standard HTML/PDF incident reports (the Doc format is missing, as it is difficult to normalise).
Figure 9: Report creation
The Hive provides a reduced but sufficient set of abilities to automate repetitive tasks. This allows analysts to focus on the more critical and strategic aspects of incident response. Automation speeds up incident response times, minimising the impact of incidents and preventing potential consequences. Through the use of machine learning algorithms embedded within the system, advanced analytical capabilities are involved in the automation engine. This allows large amounts of data to be analysed and correlated to improve threat detection and incident prioritisation, and helps allocate resources efficiently based on the severity and potential impact of security incidents.
To summarise - The Hive is an open source platform, with a number of defined shortcomings (customisation, limited support, rare release, few integrations), designed to manage security incident response. This platform allows security teams to manage, analyse and respond to security incidents, making it an interesting tool in modern cybersecurity.
One of the main features of The Hive is the ability to manage cases and tasks. This allows security teams to organise work and allocate tasks with the necessary efficiency. Moreover, the platform provides the ability to collaborate in real-time, allowing information to be shared and security incidents to be responded to.
The Hive also has limited integrations with third-party tools, allowing security teams to utilise existing tools and extend their capabilities, but not to leverage additional extensibility. This makes it easier to process and analyse data to help respond to IS incidents.
The open source nature of the platform and the active support of the community have a number of advantages (ensuring development and adaptation to the ever-changing threat environment), but also a number of disadvantages, in the form of being fully open to vulnerability research, which also gives a big head start to attackers. This means that the platform will keep up with the latest cybersecurity requirements and trends only as long as the community supports it.
Last but not least, implementing The Hive allows small organisations to improve their security operations, certainly if you haven't had a similar solution before now. The platform simplifies incident response processes, automates some tasks and improves the efficiency of the security team. As a result, small organisations will be able to protect their resources and data from cyber threats.