Maximizing Threat Detection and Response with Cortex

SOCFortress
7 min read · Feb 20, 2023

Cortex Analyzer and Responder: The Game-Changing Duo for Cyber Threat Detection and Response

Github Project: https://github.com/TheHive-Project/Cortex

Intro

With the rising sophistication and volume of cyber attacks, security teams need more than just basic detection tools. Threat intelligence and response solutions have become essential in today’s cyber defense strategies. TheHive Project’s Cortex offers a powerful and flexible platform for automating threat intelligence and response, giving security teams the ability to detect and respond to threats quickly and efficiently.

What is Cortex?

Cortex is an open-source, highly extensible, and user-friendly platform that allows security teams to automate their threat intelligence and response workflows. The platform allows users to analyze and respond to alerts from a variety of sources, including SIEMs, IDS, and other security tools.

One of the core features of Cortex is its ability to integrate with a wide range of security tools and services. This integration enables security teams to automate many aspects of their security operations, including enrichment, analysis, and response. Cortex provides a central repository for this intelligence, allowing users to easily manage and access the information they need.

Understanding Analyzers and Responders

Analyzers and responders are the building blocks of Cortex, enabling the platform to connect to various security tools and services and automate different aspects of the threat intelligence and response process.

Analyzers

Analyzers are responsible for retrieving data from different sources and enriching that data to provide more context and useful information to security teams. There are many different types of analyzers, each designed to connect to different types of data sources, such as online services, threat feeds, and databases.

When an analyzer is invoked, it retrieves data from the specified source and transforms it into a standardized format, making it easier to analyze and compare with other data. This data can include information about IP addresses, domains, hashes, file names, and more.

Once the data has been transformed, the analyzer can perform additional enrichment processes, such as checking the data against a list of known malicious indicators, querying online services for more information, or running custom scripts to perform more advanced analysis. This enriched data is then returned to the Cortex platform for further analysis.

Responders

Responders are responsible for taking action based on the enriched data provided by the analyzers. There are many different types of responders, each designed to perform specific actions, such as blocking an IP address, isolating an infected device, or sending an alert to a security analyst.

When a responder is invoked, it uses the enriched data to perform a specific action. For example, a responder might be configured to automatically block an IP address associated with known malicious activity. The responder can also be configured to send an alert to a security analyst to take manual action or to log the event for future analysis.

Both analyzers and responders can be customized using Cortex’s powerful scripting engine, allowing users to tailor the platform to their specific needs. For example, a user might develop a custom analyzer to connect to an internal database or develop a custom responder to perform a specific action unique to their organization.

Overall, analyzers and responders enable Cortex to automate many aspects of the threat intelligence and response process, providing security teams with more context and actionable information to better protect their organization from cyber threats.
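As an added example (not code from this post or from the Cortex project), here is a minimal analyzer and responder written directly against the JSON contract Cortex uses to drive a worker script, which is what the cortexutils library normally wraps: the job object arrives on stdin, the report goes back on stdout. The blocklist, the LocalList namespace and the tag names are constructed for the demo; the TLP gate mirrors the check_tlp/max_tlp settings Cortex exposes per analyzer.

```python
import json
import sys

# Constructed local blocklist for the demo (not a real feed): observable -> source label.
KNOWN_BAD = {"198.51.100.23": "internal-blocklist", "bad.example.test": "internal-blocklist"}


def analyze(job):
    """Analyzer side: Cortex hands the script a job object (data, dataType, tlp, config)
    and expects a report with success, full, summary (taxonomies) and artifacts."""
    data, data_type, config = job.get("data"), job.get("dataType"), job.get("config", {})
    if data_type not in ("ip", "domain") or not data:
        return {"success": False, "errorMessage": "unsupported dataType %r" % data_type}
    # Refuse observables whose TLP exceeds what this analyzer may handle, so sensitive
    # indicators never leave the SOC through an analyzer that queries an online service.
    if config.get("check_tlp") and job.get("tlp", 0) > config.get("max_tlp", 2):
        return {"success": False, "errorMessage": "TLP too high for this analyzer"}
    source = KNOWN_BAD.get(data)
    # Taxonomies are the short colour-coded tags TheHive shows next to the observable.
    taxonomy = {"level": "malicious" if source else "safe", "namespace": "LocalList",
                "predicate": "Hit", "value": source or "none"}
    return {"success": True,
            "full": {"observable": data, "dataType": data_type, "listed": bool(source),
                     "source": source},
            "summary": {"taxonomies": [taxonomy]},
            "artifacts": []}  # observables extracted during analysis, importable into the case


def respond(job):
    """Responder side: same envelope, but `data` is a TheHive object and the report
    carries `operations` that TheHive applies on the case (here: tagging)."""
    if job.get("dataType") != "thehive:case_artifact":
        return {"success": False, "errorMessage": "responder expects a case observable"}
    source = KNOWN_BAD.get(job.get("data", {}).get("data"))
    if not source:
        return {"success": True, "full": {"message": "not listed"}, "operations": []}
    return {"success": True, "full": {"message": "listed in " + source},
            "operations": [{"type": "AddTagToArtifact", "tag": "blocklist:" + source},
                           {"type": "AddTagToCase", "tag": "blocklist-hit"}]}


if __name__ == "__main__":
    # Cortex runs the script with the job JSON on stdin and reads the report from stdout.
    job = json.load(sys.stdin)
    handler = respond if str(job.get("dataType", "")).startswith("thehive:") else analyze
    json.dump(handler(job), sys.stdout)
```

To exercise it the way Cortex would, pipe a job in: echo '{"data":"198.51.100.23","dataType":"ip","tlp":2}' | python3 local_list.py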

Installation

Cortex requires Elasticsearch as a critical component of its architecture to store and index the vast amount of data generated by the platform’s analyzers and responders. At the time of this writing, Cortex only supports Elasticsearch 7.x.

Since our deployed Wazuh-Indexer is a fork of Elasticsearch 7.10.2, it fits these requirements. I personally like to use the current SIEM stack’s Wazuh-Indexer cluster rather than dedicating a new Elasticsearch cluster just for Cortex.

However, if you would like to deploy a dedicated Elasticsearch node for your Cortex instance, I'd recommend Docker.

Elasticsearch Via Docker

  1. Install Docker
  2. Create a directory for the data volume
mkdir -p /opt/elasticsearch
chmod 777 -R /opt/elasticsearch/

  3. Set the virtual memory limit Elasticsearch requires (apply it now, then persist it in /etc/sysctl.conf)

sysctl -w vm.max_map_count=262144
nano /etc/sysctl.conf
vm.max_map_count=262144

4. Deploy Elasticsearch Container

docker run -d --name elasticsearch --hostname elasticsearch --rm --publish 127.0.0.1:9200:9200 --volume /opt/elasticsearch:/usr/share/elasticsearch/data -e "http.host=0.0.0.0" -e "xpack.security.enabled=false" -e "cluster.name=hive" -e "thread_pool.search.queue_size=100000" -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:7.10.2

I recommend enabling HTTPS with auth for a production environment.

Install Cortex

  1. Install Java
apt install software-properties-common
add-apt-repository ppa:openjdk-r/ppa
apt-get update
apt-get install openjdk-11-jre-headless

2. Install Cortex

curl https://raw.githubusercontent.com/TheHive-Project/TheHive/master/PGP-PUBLIC-KEY | sudo apt-key add -
echo 'deb https://deb.thehive-project.org release main' | sudo tee -a /etc/apt/sources.list.d/thehive-project.list
apt-get update
apt install cortex

Configure Cortex

Deploy certificates for encryption and security.

  1. Import the root CA certificate that Elasticsearch is currently using. This command asks for a password to protect the keystore. Save this password, since it is required in the Cortex configuration file (next step).
keytool -import -file /path/to/rootca.crt -alias CA -keystore root_ca.jks

  2. Edit the configuration file: nano /etc/cortex/application.conf

MAKE SURE TO CHANGE username to user. This seems to be a bug.

# Sample Cortex application.conf file

## SECRET KEY
#
# The secret key is used to secure cryptographic functions.
#
# IMPORTANT: If you deploy your application to several instances, make
# sure to use the same key.
#play.http.secret.key="***CHANGEME***"

## ElasticSearch
search {
  # Name of the index
  index = cortex
  # ElasticSearch instance address.
  # For a cluster, join address:port pairs with ',': "http://ip1:9200,ip2:9200,ip3:9200"
  uri = "https://ELASTICSEARCH_HOST:9200"

  ## Advanced configuration
  # Scroll keepalive.
  #keepalive = 1m
  # Scroll page size.
  #pagesize = 50
  # Number of shards
  #nbshards = 5
  # Number of replicas
  #nbreplicas = 1
  # Arbitrary settings
  #settings {
  #  # Maximum number of nested fields
  #  mapping.nested_fields.limit = 100
  #}

  ## Authentication configuration for Elasticsearch (the key is "user", not "username")
  user = "admin"
  password = "ELASTIC_PASS"

  ## SSL configuration
  keyStore {
    path = "/etc/cortex/root_ca.jks"
    type = "JKS" # or PKCS12
    password = "KEYSTORE_PASS"
  }
  trustStore {
    path = "/etc/cortex/root_ca.jks"
    type = "JKS" # or PKCS12
    password = "KEYSTORE_PASS"
  }
}

Install Analyzers and Responders

Both Python interpreters are required:
  • Python2
  • Python3

  1. Dependencies

apt-get install -y --no-install-recommends python2.7-dev python3-dev ssdeep libfuzzy-dev libfuzzy2 libimage-exiftool-perl libmagic1 build-essential git libssl-dev

cd /opt

wget https://bootstrap.pypa.io/get-pip.py

python2 get-pip.py

python3 get-pip.py

sudo pip2 install -U pip setuptools && sudo pip3 install -U pip setuptools

git clone https://github.com/TheHive-Project/Cortex-Analyzers

  2. Install (some analyzers no longer build on Python2, so failures in either loop are tolerated)

for I in $(find Cortex-Analyzers -name 'requirements.txt'); do sudo -H pip2 install -r "$I" || true; done && \
for I in $(find Cortex-Analyzers -name 'requirements.txt'); do sudo -H pip3 install -r "$I" || true; done

  3. Configure

nano /etc/cortex/application.conf

## ANALYZERS
#
analyzer {
  # analyzer location
  # urls can point to:
  # - a directory where analyzers are installed
  # - a json file containing the list of analyzer descriptions
  urls = [
    #"https://download.thehive-project.org/analyzers.json"
    "/opt/Cortex-Analyzers/analyzers"
  ]

  # Sane defaults. Do not change unless you know what you are doing.
  fork-join-executor {
    # Min number of threads available for analysis.
    parallelism-min = 2
    # Parallelism (threads) ... ceil(available processors * factor).
    parallelism-factor = 2.0
    # Max number of threads available for analysis.
    parallelism-max = 4
  }
}

# RESPONDERS
#
responder {
  # responder location (same format as analyzer.urls)
  urls = [
    #"https://download.thehive-project.org/responders.json"
    "/opt/Cortex-Analyzers/responders"
  ]

  # Sane defaults. Do not change unless you know what you are doing.
  fork-join-executor {
    # Min number of threads available for responders.
    parallelism-min = 2
    # Parallelism (threads) ... ceil(available processors * factor).
    parallelism-factor = 2.0
    # Max number of threads available for responders.
    parallelism-max = 4
  }
}

Start Cortex

sudo mkdir -p /etc/cortex
(cat << _EOF_
# Secret key
# ~~~~~
# The secret key is used to secure cryptographic functions.
# If you deploy your application to several instances be sure to use the same key!
play.http.secret.key="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 64 | head -n 1)"
_EOF_
) | sudo tee -a /etc/cortex/application.conf

systemctl start cortex

tail -f /var/log/cortex/application.log

If the maintenance page does not load by default, open http://IP:9001/index.html#!/maintenance in a browser.

Watch the above video to learn how to create your first Organization and how to enable your Analyzers and Responders.

Conclusion

Cortex offers a powerful and flexible platform for automating threat intelligence and response. With its ability to integrate with a wide range of security tools and services, users can automate many aspects of their security operations, reducing workload and increasing efficiency. The platform’s extensible design and powerful scripting engine also provide a high degree of flexibility, allowing security teams to customize Cortex to their specific needs. Cortex is a valuable tool for any organization looking to enhance its security posture and respond quickly and efficiently to threats.

Need Help?

The functionality discussed in this post, and much more, is available via SOCFortress's Professional Services. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Professional Services: https://www.socfortress.co/contact_form.html

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).