WEBVTT

0:00:04.820000 --> 0:00:06.940000
 Incident Management with TheHive.

0:00:06.940000 --> 0:00:10.980000
 In this video, we're going to be taking
 a look at incident management,

0:00:10.980000 --> 0:00:14.600000
 you know, in terms of what it
 means and what it entails.

0:00:14.600000 --> 0:00:19.800000
 And then we'll be getting an introduction
 to TheHive, which is quite a

0:00:19.800000 --> 0:00:24.640000
 comprehensive incident management platform,
 you know, at least in this

0:00:24.640000 --> 0:00:27.620000
 context it is. It can be used
 for a lot more than that.

0:00:27.620000 --> 0:00:33.000000
 But generally speaking, if you again
 work in a CSIRT or within a SOC,

0:00:33.000000 --> 0:00:38.840000
 you'll typically come across one or two
 other incident management platforms.

0:00:38.840000 --> 0:00:43.580000
 But at the moment, at least insofar as
 my experience is concerned,

0:00:43.580000 --> 0:00:49.920000
 TheHive, you know, ranks quite high up
 the list in terms of, you know, the

0:00:49.920000 --> 0:00:53.200000
 incident management platforms that
 you'll typically see deployed.

0:00:53.200000 --> 0:00:57.600000
 So I thought it would be a very, very
 good idea to introduce you to it

0:00:57.600000 --> 0:01:00.700000
 so that, you know, when you do, if you
 are looking to become an incident

0:01:00.700000 --> 0:01:05.460000
 responder, when you do start, you know,
 working as one, you're not going

0:01:05.460000 --> 0:01:09.580000
 to be, you know, you're going to have
 an understanding of these tools

0:01:09.580000 --> 0:01:11.000000
 and how to use them.

0:01:11.000000 --> 0:01:15.640000
 So before we even get into TheHive,
 we need to understand what incident

0:01:15.640000 --> 0:01:19.340000
 management is. So what
 is incident management?

0:01:19.340000 --> 0:01:23.240000
 Incident management is the structured
 process of identifying, managing

0:01:23.240000 --> 0:01:28.680000
 and resolving security incidents in a
 way that minimizes impact, restores

0:01:28.680000 --> 0:01:32.600000
 normal operations, and
 preserves evidence.

0:01:32.600000 --> 0:01:36.720000
 It is a core function within the broader
 discipline of incident response.

0:01:36.720000 --> 0:01:43.080000
 So it's more so, as the name suggests,
 management of the process of incident

0:01:43.080000 --> 0:01:52.040000
 response and it sort of entails or
 encompasses, you know, the broader,

0:01:52.040000 --> 0:01:56.860000
 or I should say, the management aspect
 of the entire incident response

0:01:56.860000 --> 0:02:02.620000
 process. So transitions from one phase to
 the other, communication, collaboration,

0:02:02.620000 --> 0:02:07.340000
 the transfer of data in a structured
 way, so on and so forth.

0:02:07.340000 --> 0:02:18.040000
 So just think of it as something that allows
 for the management of the incident

0:02:18.040000 --> 0:02:19.500000
 response process.

0:02:19.500000 --> 0:02:23.520000
 So what is the primary goal
 of incident management?

0:02:23.520000 --> 0:02:28.540000
 Well, it obviously ties back into
 the incident response process.

0:02:28.540000 --> 0:02:30.500000
 So, you know, detect and respond.

0:02:30.500000 --> 0:02:35.580000
 So, in terms of the key objectives,
 detect and respond to incidents

0:02:35.580000 --> 0:02:37.080000
 quickly and efficiently.

0:02:37.080000 --> 0:02:39.300000
 That's really the primary goal there.

0:02:39.300000 --> 0:02:40.820000
 Contain the threat before it spreads.

0:02:40.820000 --> 0:02:45.500000
 So it's essentially aiding the incident
 response process by, you know,

0:02:45.500000 --> 0:02:51.480000
 addressing detection and response, containment,
 restoration, eradication,

0:02:51.480000 --> 0:02:56.720000
 etc. But specifically now, if we talk
 about some of the other aspects,

0:02:56.720000 --> 0:03:01.680000
 you know, to do with management of any
 process, you can see that the other

0:03:01.680000 --> 0:03:06.040000
 goal is to ensure all actions
 are documented and traceable.

0:03:06.040000 --> 0:03:12.480000
 So think of it as having a system to
 log activity within each phase of

0:03:12.480000 --> 0:03:14.580000
 the incident response process.

0:03:14.580000 --> 0:03:18.200000
 And then of course, learn from incidents
 to improve defenses and response

0:03:18.200000 --> 0:03:23.480000
 capabilities. So that begs the question,
 what is an incident management

0:03:23.480000 --> 0:03:28.460000
 platform? Well, an incident management
 platform is a dedicated software

0:03:28.460000 --> 0:03:33.800000
 solution that enables security teams
 or incident responders to centrally

0:03:33.800000 --> 0:03:39.620000
 manage, track and coordinate their
 response to cybersecurity incidents

0:03:39.620000 --> 0:03:43.420000
 in a structured and consistent manner.

0:03:43.420000 --> 0:03:48.580000
 So it serves as the operational hub during
 a cybersecurity incident, that

0:03:48.580000 --> 0:03:54.580000
 being where alerts are ingested, cases
 are created, tasks are assigned,

0:03:54.580000 --> 0:03:58.280000
 progress is tracked and
 collaboration occurs.

0:03:58.280000 --> 0:04:03.160000
 So think of it as a hub where all incident
 responders meet, including

0:04:03.160000 --> 0:04:06.800000
 SOC analysts and anyone else who's part
 of the incident response process

0:04:06.800000 --> 0:04:11.780000
 or the, you know, CSIRT, the incident
 response team or, you know, whatever

0:04:11.780000 --> 0:04:13.240000
 variation of the team.

0:04:13.240000 --> 0:04:17.580000
 So this is a central hub where, you
 know, you all sort of come together

0:04:17.580000 --> 0:04:25.520000
 to, as the paragraph here sort of explains,
 to, you know, essentially

0:04:25.520000 --> 0:04:30.060000
 view alerts. And then from those alerts,
 you create cases, you then perform

0:04:30.060000 --> 0:04:33.020000
 the investigation and or response.

0:04:33.020000 --> 0:04:36.520000
 And you can track progress
 of particular cases.

0:04:36.520000 --> 0:04:38.460000
 And you can collaborate.

0:04:38.460000 --> 0:04:41.960000
 So again, this may not make much sense
 right now until you actually see

0:04:41.960000 --> 0:04:45.420000
 it in person. If you are familiar with
 this, then you know, the benefit

0:04:45.420000 --> 0:04:48.340000
 of an incident management platform.

0:04:48.340000 --> 0:04:51.480000
 So what are the core functions of
 an incident management platform?

0:04:51.480000 --> 0:04:57.420000
 Or at least what should it be able to
 do or what should it offer, ideally?

0:04:57.420000 --> 0:05:00.300000
 Well, you have obviously alert ingestion.


0:05:00.300000 --> 0:05:05.400000
 So this is where, you know, this essentially
 involves collection of alerts

0:05:05.400000 --> 0:05:11.060000
 from various sources like SIEMs, EDRs
 or email reports, and then case

0:05:11.060000 --> 0:05:14.620000
 management. This is sort of the really
 cool aspect of an incident management

0:05:14.620000 --> 0:05:19.020000
 platform. So this allows responders
 to convert alerts into structured

0:05:19.020000 --> 0:05:20.360000
 investigation cases.

0:05:20.360000 --> 0:05:26.660000
 You have built in investigation
 capabilities.

0:05:26.660000 --> 0:05:30.960000
 And as a result, you have the ability
 to take a log or an alert and say,

0:05:30.960000 --> 0:05:35.000000
 I want to create a case based on
 this to investigate it further.

0:05:35.000000 --> 0:05:40.720000
 And it gives you sort of this isolated
 space to investigate just that

0:05:40.720000 --> 0:05:43.500000
 alert. You then have task
 assignment and tracking.

0:05:43.500000 --> 0:05:47.860000
 So this is where you break incidents
 into specific tasks and, you know,

0:05:47.860000 --> 0:05:49.260000
 assign them to analysts.

0:05:49.260000 --> 0:05:53.020000
 So, you know, if you have an alert, you
 create a case from the alert, you

0:05:53.020000 --> 0:05:56.820000
 know, and there's all sorts of categorization
 that happens there in terms

0:05:56.820000 --> 0:05:59.980000
 of severity, priority, etc.

0:05:59.980000 --> 0:06:04.960000
 And you then say, for example, you
 know, you create a task that has to

0:06:04.960000 --> 0:06:09.560000
 do with analysis and you assign it
 to a particular incident responder.

0:06:09.560000 --> 0:06:16.880000
 And then you can assign, you know, eradication
 or containment, eradication,

0:06:16.880000 --> 0:06:18.560000
 recovery, all of that good stuff.

0:06:18.560000 --> 0:06:23.260000
 So essentially, as I said, when we
 talk about project management, for

0:06:23.260000 --> 0:06:29.060000
 example, but in this case, tailored
 to the incident response process as

0:06:29.060000 --> 0:06:33.620000
 a whole. So, you know, you break incidents
 into specific tasks and then,

0:06:33.620000 --> 0:06:37.740000
 you know, with that functionality, you
 have the ability to assign specific

0:06:37.740000 --> 0:06:42.580000
 tasks related to a specific
 case to a specific analyst.

0:06:42.580000 --> 0:06:44.320000
 You then have evidence handling.

0:06:44.320000 --> 0:06:48.220000
 This is also a very, very useful and powerful
 aspect of an incident management

0:06:48.220000 --> 0:06:52.840000
 platform. And this is, you know, the
 ability to centralize observables.

0:06:52.840000 --> 0:06:59.300000
 Observables for all intents and purposes
 are IOCs, so indicators of compromise.

0:06:59.300000 --> 0:07:03.780000
 And in addition to that documentation
 for analysis, and some of these

0:07:03.780000 --> 0:07:07.660000
 tools, just like TheHive, actually
 have automated analysis built into

0:07:07.660000 --> 0:07:13.180000
 them. So you can actually perform quick
 analysis or initial analysis of

0:07:13.180000 --> 0:07:19.400000
 IOCs like hashes, URLs, so on and so
 forth, and actually get to know what

0:07:19.400000 --> 0:07:21.820000
 you're dealing with relatively quickly.

0:07:21.820000 --> 0:07:25.620000
 You then have collaboration, which
 is again, very, very important.

0:07:25.620000 --> 0:07:29.380000
 So, you know, an incident management
 platform should enable multiple team

0:07:29.380000 --> 0:07:34.020000
 members to work on a case simultaneously
 with full visibility.

0:07:34.020000 --> 0:07:38.000000
 And now you have a very important aspect
 here, which is audit logging.

0:07:38.000000 --> 0:07:41.540000
 So you need to have a log of
 activities or actions taken.

0:07:41.540000 --> 0:07:47.020000
 So, the platform should be able to track
 actions, decisions, and timelines,

0:07:47.020000 --> 0:07:50.200000
 because within your report, your incident
 response report, you're going

0:07:50.200000 --> 0:07:54.680000
 to have a timeline of the incident
 as well as your response and tools

0:07:54.680000 --> 0:07:58.460000
 like TheHive automate this process
 for you, because analysts just need

0:07:58.460000 --> 0:08:03.000000
 to fill in within their log
 that at this time, I did this.

0:08:03.000000 --> 0:08:08.260000
 And this is when we completed analysis
 or investigation, and then it went

0:08:08.260000 --> 0:08:11.980000
 to this analyst who handled, you know,
 containment, or, you know, let's

0:08:11.980000 --> 0:08:17.160000
 say there's further analysis of a,
 you know, a piece of malware, etc.

0:08:17.160000 --> 0:08:19.380000
 And then you have reporting and metrics.

0:08:19.380000 --> 0:08:23.340000
 So, you know, that goes without saying,
 you know, a good incident management

0:08:23.340000 --> 0:08:26.800000
 platform should be able to generate
 reports for executives, compliance

0:08:26.800000 --> 0:08:37.280000
 and, of course, said,
 welcome to TheHive.

0:08:37.280000 --> 0:08:39.000000
 So what is TheHive?

0:08:39.000000 --> 0:08:40.820000
 This is your first time hearing about it.


0:08:40.820000 --> 0:08:47.280000
 TheHive, as its name suggests, or
 I should say as the word Hive suggests,

0:08:47.280000 --> 0:08:52.100000
 is an open source incident response and
 case management platform designed

0:08:52.100000 --> 0:08:57.000000
 to help SOCs, CSIRTs, and incident
 responders manage and coordinate

0:08:57.000000 --> 0:09:02.440000
 the response to security incidents in
 a structured and collaborative way.

0:09:02.440000 --> 0:09:07.580000
 So it gets the name, you
 know, has the word Hive.

0:09:07.580000 --> 0:09:09.020000
 That's not my mistake.

0:09:09.020000 --> 0:09:13.300000
 Hive, if you've ever seen a beehive,
 you'll see that you have a lot of

0:09:13.300000 --> 0:09:18.480000
 bees working together, you know, all
 on the same thing or the same end

0:09:18.480000 --> 0:09:24.560000
 goal in mind. So, you know, just
 a bit of a silly tangent there.

0:09:24.560000 --> 0:09:27.020000
 But, you know, in case you're
 wondering why it's called the

0:09:27.020000 --> 0:09:32.640000
 Hive, that's why, or at least that's
 my understanding of it.

0:09:32.640000 --> 0:09:37.540000
 In any case, TheHive acts as a centralized
 workspace for handling alerts,

0:09:37.540000 --> 0:09:41.860000
 tracking investigation tasks, managing
 evidence or observables, as they

0:09:41.860000 --> 0:09:46.400000
 are called within TheHive platform,
 and, of course, documenting incident

0:09:46.400000 --> 0:09:48.380000
 response activities.

0:09:48.380000 --> 0:09:52.340000
 It is designed to streamline and standardize
 incident response workflows,

0:09:52.340000 --> 0:09:57.520000
 especially in environments with multiple
 analysts or high alert volumes.

0:09:57.520000 --> 0:10:02.400000
 And, you know, the key features of
 TheHive pretty much mirror the actual

0:10:02.400000 --> 0:10:06.340000
 features of an incident management
 platform that I listed out in

0:10:06.340000 --> 0:10:07.960000
 a previous slide.

0:10:07.960000 --> 0:10:12.800000
 So it has alert ingestion, it has excellent
 case management that converts

0:10:12.800000 --> 0:10:18.160000
 alerts into structured cases and contains
 tasks, observables, and timelines.

0:10:18.160000 --> 0:10:19.700000
 You also have task tracking.

0:10:19.700000 --> 0:10:22.720000
 So, you know, organize the response
 process by creating and assigning

0:10:22.720000 --> 0:10:24.780000
 investigation tasks.

0:10:24.780000 --> 0:10:28.400000
 And then the really cool bit of
 TheHive that I personally like is the

0:10:28.400000 --> 0:10:30.380000
 handling of observables.

0:10:30.380000 --> 0:10:33.580000
 So you have the ability to
 track IOCs individually.

0:10:33.580000 --> 0:10:37.120000
 So think of IPs, hashes, and domains.

0:10:37.120000 --> 0:10:40.320000
 And then you can use Cortex.

0:10:40.320000 --> 0:10:43.420000
 But before we get to Cortex,
 we have collaboration.

0:10:43.420000 --> 0:10:45.700000
 So, you know, you have
 multi-user support.

0:10:45.700000 --> 0:10:48.420000
 You can collaborate on the same case.

0:10:48.420000 --> 0:10:51.400000
 And you have, you know, full visibility
 into actions and notes.

0:10:51.400000 --> 0:10:56.460000
 So going back to the observables handling
 and then analysis of the observables

0:10:56.460000 --> 0:11:00.080000
 that you've identified and logged,
 that's where you have Cortex.

0:11:00.080000 --> 0:11:02.680000
 I'll actually explain what Cortex is.

0:11:02.680000 --> 0:11:06.740000
 But this is sort of an optional integration
 created by the same company

0:11:06.740000 --> 0:11:09.280000
 that, again, created TheHive.

0:11:09.280000 --> 0:11:13.240000
 It's an optional integration for automated
 enrichment, analysis, and response

0:11:13.240000 --> 0:11:19.160000
 actions. So what this means is, with Cortex
 integrated into TheHive, it gives

0:11:19.160000 --> 0:11:25.820000
 you the ability to integrate services for
 enrichment like, or, and correlation,

0:11:25.820000 --> 0:11:29.920000
 like, for example,
 URLScan as an example.

0:11:29.920000 --> 0:11:37.000000
 So, with that functionality available,
 if I find an IOC, a URL IOC, I

0:11:37.000000 --> 0:11:44.140000
 can, you know, create, I can sort of
 create an observable at the URL there

0:11:44.140000 --> 0:11:48.780000
 or just specify then, and I can utilize
 Cortex to perform an automatic

0:11:48.780000 --> 0:11:57.040000
 scan of the observable using, again,
 a service like URLScan.

0:11:57.040000 --> 0:12:01.080000
 And it'll automatically perform
 the enrichment for me.

0:12:01.080000 --> 0:12:07.580000
 So it actually allows you to automatically
 enrich or analyze at least

0:12:07.580000 --> 0:12:11.180000
 at a very basic level, the
 observables or IOCs.

0:12:11.180000 --> 0:12:12.900000
 I'll alternate between the two.

0:12:12.900000 --> 0:12:17.640000
 They're essentially referring to the same
 thing, not always, but generally.

0:12:17.640000 --> 0:12:19.800000
 You then have audit logging
 and reporting.

0:12:19.800000 --> 0:12:23.940000
 Again, TheHive is excellent here because
 it has built-in support for

0:12:23.940000 --> 0:12:28.140000
 documentation and case reporting
 for compliance and reviews.

0:12:28.140000 --> 0:12:37.720000
 So let's talk a little about this; this is what
 makes TheHive great, right?

0:12:37.720000 --> 0:12:42.200000
 So firstly, you know, just based on
 the features or functionality of a

0:12:42.200000 --> 0:12:46.860000
 good incident management platform, when
 we talk about ingestion, you have

0:12:46.860000 --> 0:12:50.040000
 the ability to integrate
 TheHive with SIEM tools.

0:12:50.040000 --> 0:12:56.460000
 So think of Splunk, Elastic or ELK, QRadar,
 and this allows you to automatically

0:12:56.460000 --> 0:13:00.320000
 forward alerts into TheHive
 as new cases or alerts.

0:13:00.320000 --> 0:13:05.060000
 So configure triggers from your SIEM
 to say that in the event of this,

0:13:05.060000 --> 0:13:09.840000
 forward them to TheHive. TheHive
 then catalogs them in a list.

0:13:09.840000 --> 0:13:16.160000
 And then analysts or responders can
 start performing the triage process

0:13:16.160000 --> 0:13:19.160000
 usually done by a SOC tier one analyst.

0:13:19.160000 --> 0:13:22.380000
 And then they sort of escalate it
 to the responder.

0:13:22.380000 --> 0:13:29.280000
 So in the form of a case and subsequent
 tasks, you then have ticketing

0:13:29.280000 --> 0:13:34.160000
 systems. So you can, you know, use
 ticketing systems like ServiceNow

0:13:34.160000 --> 0:13:39.080000
 or Jira. So you can link incident response
 cases with ITSM or engineering

0:13:39.080000 --> 0:13:44.260000
 workflows. In the case of threat intelligence,
 examples here are MISP

0:13:44.260000 --> 0:13:49.420000
 and OpenCTI. You can actually ingest
 the latest threat intel and IOCs

0:13:49.420000 --> 0:13:50.620000
 to enrich observables.

0:13:50.620000 --> 0:13:54.880000
 So again, this may sound cool right
 now, just wait until you try it out

0:13:54.880000 --> 0:13:58.740000
 for yourself. Again, if you haven't
 used TheHive before, you then have

0:13:58.740000 --> 0:14:03.780000
 SOAR or, you know, in this particular
 case, examples would be Cortex, which

0:14:03.780000 --> 0:14:10.840000
 is actually an example of security
 orchestration and response.

0:14:10.840000 --> 0:14:14.380000
 And you also have TheHive4py
 right over here.

0:14:14.380000 --> 0:14:18.920000
 So what this allows you to do is to automate
 enrichment, scanning and containment

0:14:18.920000 --> 0:14:24.640000
 actions. And then you have EDR/AV.

0:14:24.640000 --> 0:14:26.980000
 So examples, CrowdStrike, SentinelOne.

0:14:26.980000 --> 0:14:31.920000
 So you can again perform the same ingestion
 of alerts or response actions

0:14:31.920000 --> 0:14:36.080000
 via the Cortex analyzers and then email
 and phishing analysis examples

0:14:36.080000 --> 0:14:39.440000
 here, IMAP, email parsers, scripts, etc.

0:14:39.440000 --> 0:14:42.780000
 So you can actually automatically
 create alerts from phishing reports

0:14:42.780000 --> 0:14:45.420000
 sent to a particular inbox,
 which is really cool.

0:14:45.420000 --> 0:14:47.280000
 I've done this myself.

0:14:47.280000 --> 0:14:49.680000
 And then chat operations or chat ops.

0:14:49.680000 --> 0:14:53.440000
 So in this case, you can actually
 integrate Slack via webhooks.

0:14:53.440000 --> 0:14:55.780000
 Fantastic. That's typically what you see.


0:14:55.780000 --> 0:15:00.460000
 But now you'll also see the use of Mattermost,
 especially if it's on-prem

0:15:00.460000 --> 0:15:06.700000
 or self-hosted. So this allows you to
 easily notify IR teams of new alerts

0:15:06.700000 --> 0:15:08.520000
 or case status changes.

0:15:08.520000 --> 0:15:12.420000
 So you'll typically have a Slack channel
 or the responders will have access

0:15:12.420000 --> 0:15:14.500000
 to a Slack channel.

0:15:14.500000 --> 0:15:21.020000
 And these cases or alerts into
 TheHive will automatically, when they

0:15:21.020000 --> 0:15:25.200000
 get ingested into TheHive, TheHive
 will automatically trigger the alerts

0:15:25.200000 --> 0:15:27.140000
 on Slack or Mattermost.

0:15:27.140000 --> 0:15:31.140000
 And the responders actually get
 notified wherever they are.

0:15:31.140000 --> 0:15:33.660000
 So really, really cool stuff there.

0:15:33.660000 --> 0:15:40.000000
 We then have Cortex, which is again,
 just think of it as an integration,

0:15:40.000000 --> 0:15:45.840000
 sort of a different component of
 TheHive that is not required to run

0:15:45.840000 --> 0:15:48.800000
 TheHive, but is absolutely fantastic.

0:15:48.800000 --> 0:15:52.080000
 And it's always recommended to sort
 of have them paired together.

0:15:52.080000 --> 0:15:53.340000
 And you'll see why.

0:15:53.340000 --> 0:15:58.460000
 So what is Cortex? As said, it's made by
 the same company that develops or

0:15:58.460000 --> 0:15:59.840000
 developed TheHive.

0:15:59.840000 --> 0:16:04.320000
 Cortex is TheHive's official analysis
 and automation engine.

0:16:04.320000 --> 0:16:08.800000
 It's a companion application or service,
 I should say, that is used to

0:16:08.800000 --> 0:16:13.020000
 automate the enrichment of observables,
 also known as IOCs, and perform

0:16:13.020000 --> 0:16:16.440000
 response actions directly
 from within TheHive.

0:16:16.440000 --> 0:16:20.580000
 So Cortex acts like the,
 quote unquote, brains.

0:16:20.580000 --> 0:16:24.520000
 And it really is, you'll see why,
 behind TheHive's automation.

0:16:24.520000 --> 0:16:28.940000
 What this means is that it gives responders
 instant context without leaving

0:16:28.940000 --> 0:16:31.740000
 the platform, which I already
 alluded to earlier.

0:16:31.740000 --> 0:16:37.380000
 So the fact that I can take a malware,
 you know, a hash or a URL, or any

0:16:37.380000 --> 0:16:43.500000
 type of IOC, and automatically use Cortex
 to analyze, to perform analysis

0:16:43.500000 --> 0:16:47.000000
 and enrichment, you know, I already
 know what I'm dealing with, like,

0:16:47.000000 --> 0:16:48.480000
 relatively quickly.

0:16:48.480000 --> 0:16:53.200000
 And then you can perform additional
 prioritization and triage there.

0:16:53.200000 --> 0:16:57.720000
 But, you know, absolutely
 fantastic service.

0:16:57.720000 --> 0:17:01.800000
 So what are some of the
 capabilities of Cortex?

0:17:01.800000 --> 0:17:04.820000
 Well, you have the ability
 to run analyzers.

0:17:04.820000 --> 0:17:09.500000
 Analyzers are these functionalities
 that allow you to analyze specific

0:17:09.500000 --> 0:17:12.640000
 IOCs, like IPs, URLs, or hashes.

0:17:12.640000 --> 0:17:16.280000
 That's why the word is pluralized here.

0:17:16.280000 --> 0:17:21.580000
 So there are multiple analyzers, one
 for scanning or enriching IPs, the

0:17:21.580000 --> 0:17:26.520000
 other for URLs, the others for hashes,
 and all different types of IOCs

0:17:26.520000 --> 0:17:28.600000
 that you typically encounter.

0:17:28.600000 --> 0:17:32.560000
 So it, you know, allows you to run analyzers
 on observables like, you know,

0:17:32.560000 --> 0:17:36.640000
 scan IPs, URLs, hashes, etc.

0:17:36.640000 --> 0:17:40.060000
 It allows you to perform automated
 actions like checking an IP against

0:17:40.060000 --> 0:17:45.080000
 VirusTotal or querying MISP if you
 have integrated MISP into TheHive,

0:17:45.080000 --> 0:17:48.420000
 which makes it an absolute powerhouse.


0:17:48.420000 --> 0:18:01.660000
 So you can actually query
 MISP for set it up right.

0:18:01.660000 --> 0:18:05.800000
 I mean, you're, you're, you're shedding
 or cutting down, you're, you're

0:18:05.800000 --> 0:18:08.740000
 making the operation so
 much more efficient.

0:18:08.740000 --> 0:18:12.500000
 And, you know, as we'll progress not
 just with this course, but other

0:18:12.500000 --> 0:18:16.820000
 courses within this learning path,
 you'll actually see what this ends

0:18:16.820000 --> 0:18:22.320000
 up looking like. In any case, continuing
 on, it also uses

0:18:22.320000 --> 0:18:24.940000
 responders to take real-world actions.

0:18:24.940000 --> 0:18:31.440000
 So think of it as something similar
 to Wazuh. Wazuh, depending on

0:18:31.440000 --> 0:18:36.000000
 what you want to call it, the Wazuh SIEM
 or Wazuh SIEM, there's something

0:18:36.000000 --> 0:18:39.140000
 called active response or feature called
 active response that allows you

0:18:39.140000 --> 0:18:45.160000
 to define rules, you know, to allow
 you to define rules for response.

0:18:45.160000 --> 0:18:50.620000
 So if a particular condition is met,
 then there's an automated action

0:18:50.620000 --> 0:18:52.520000
 that's taken. So, active response.

0:18:52.520000 --> 0:18:58.240000
 So let's say you configure a rule that
 if there's 10 failed attempts to

0:18:58.240000 --> 0:19:03.560000
 authenticate, you know, via SSH on a particular
 system, then do the following.

0:19:03.560000 --> 0:19:08.280000
 But in any case, you know, users use
 responders to take real-world actions

0:19:08.280000 --> 0:19:13.800000
 like block an IP on a particular
 firewall or notify a system.

0:19:13.800000 --> 0:19:19.000000
 So some of the common Cortex analyzers
 are VirusTotal, the standard stuff

0:19:19.000000 --> 0:19:23.640000
 you'd expect when we talk about our
 IOCs or analyzing IOCs, right?

0:19:23.640000 --> 0:19:31.320000
 So VirusTotal, URLhaus, AbuseIPDB,
 sorry, Shodan, MISP, WHOIS,

0:19:31.320000 --> 0:19:35.100000
 RDAP and Censys, these are just, you
 know, some of the more popular ones.

0:19:35.100000 --> 0:19:39.340000
 Obviously, VirusTotal is a game changer,
 especially if you have a license

0:19:39.340000 --> 0:19:42.200000
 and you integrate it, great stuff.

0:19:42.200000 --> 0:19:47.100000
 So before we actually end this video
 and we'll get into using TheHive

0:19:47.100000 --> 0:19:51.180000
 in the next video, there's some very
 important terminology that you need

0:19:51.180000 --> 0:19:54.580000
 to be aware of. I've sort of mentioned
 them, you know, throughout this

0:19:54.580000 --> 0:19:59.420000
 video. But firstly, we have an alert.
 Now, this is the same alert that, you

0:19:59.420000 --> 0:20:05.940000
 know, this is, alert means the same
 thing within TheHive as it does in

0:20:05.940000 --> 0:20:11.440000
 a SIEM. So in this case, an alert is
 a security-relevant notification

0:20:11.440000 --> 0:20:16.760000
 from a SIEM or an analyst or a tool
 that you've integrated that may be

0:20:16.760000 --> 0:20:20.080000
 escalated into an incident case.

0:20:20.080000 --> 0:20:22.620000
 So that begs the question,
 what is a case?

0:20:22.620000 --> 0:20:27.480000
 A case is a formal incident investigation
 that contains tasks, observables

0:20:27.480000 --> 0:20:33.380000
 or IOCs, tags for categorization, severity
 levels and, you know, analyst

0:20:33.380000 --> 0:20:35.760000
 comments or documentation.

0:20:35.760000 --> 0:20:37.560000
 You then have tasks.

0:20:37.560000 --> 0:20:40.900000
 So I've actually organized
 this list hierarchically.

0:20:40.900000 --> 0:20:45.960000
 So you have an alert, the alert goes
 and can become a case if it merits

0:20:45.960000 --> 0:20:49.940000
 it. When you have a case, you can
 create a task under that case.

0:20:49.940000 --> 0:20:53.540000
 So a task is a step or action required
 during the handling of a case.

0:20:53.540000 --> 0:20:58.300000
 For example, collect logs or analyze
 malware or analyze this IOC.

0:20:58.300000 --> 0:20:59.700000
 What is an observable?

0:20:59.700000 --> 0:21:04.660000
 An observable is any indicator that
 can be analyzed or enriched.

0:21:04.660000 --> 0:21:09.880000
 So think of this, you know, file hash,
 IP, domain, email address, just an

0:21:09.880000 --> 0:21:15.340000
 IOC. But it's a bit wider than that or
 broader than that because not every

0:21:15.340000 --> 0:21:18.740000
 observable would be an indicator
 of compromise.

0:21:18.740000 --> 0:21:23.140000
 So, you know, depending on where you're
 at, you may just want to know

0:21:23.140000 --> 0:21:28.240000
 to add or track specific observables
 that you think might be related to

0:21:28.240000 --> 0:21:33.140000
 the compromise or might be an indicator
 of compromise, but not yet.

0:21:33.140000 --> 0:21:34.040000
 Or you're not too sure.

0:21:34.040000 --> 0:21:37.140000
 So it actually allows for you to specify
 that, you know, you've confirmed

0:21:37.140000 --> 0:21:40.720000
 this observable as an IOC.

0:21:40.720000 --> 0:21:44.740000
 In any case, you then have the tag,
 which is just a custom label applied

0:21:44.740000 --> 0:21:48.360000
 to cases or observables for
 grouping and filtering.

0:21:48.360000 --> 0:21:51.420000
 So you can actually, this is very important
 because if you have a good tag

0:21:51.420000 --> 0:21:56.620000
 set up, you can easily find stuff, especially
 ones that, you know, tasks,

0:21:56.620000 --> 0:22:06.120000
 sorry, cases that from the get go, you
 sort of define the tags that will

0:22:06.120000 --> 0:22:11.880000
 be used. But then we have some other
 terminology that is quite unique

0:22:11.880000 --> 0:22:18.900000
 to TheHive, the first of which
 has to do with creating cases, but

0:22:18.900000 --> 0:22:22.420000
 more specifically tasks and observables.

0:22:22.420000 --> 0:22:26.660000
 So when you're creating a task or observable
 within TheHive, you'll typically

0:22:26.660000 --> 0:22:30.160000
 see a field called TLP.

0:22:30.160000 --> 0:22:35.400000
 All right. This is an abbreviation
 of Traffic Light Protocol.

0:22:35.400000 --> 0:22:36.920000
 So what is this?

0:22:36.920000 --> 0:22:40.680000
 Well, TLP is a standard classification
 scheme that's used to identify,

0:22:40.680000 --> 0:22:44.760000
 that's used to indicate how sensitive
 information is and how it can be

0:22:44.760000 --> 0:22:49.940000
 shared. So, because of the collaborative,
 shared nature of an incident

0:22:49.940000 --> 0:22:52.700000
 management platform, the fact that,
 you know, you're going to be sharing

0:22:52.700000 --> 0:22:57.300000
 info with different analysts and among
 yourselves and all of this, TLP

0:22:57.300000 --> 0:23:01.980000
 is very important because as the description
 here suggests, it allows

0:23:01.980000 --> 0:23:07.340000
 you to indicate how sensitive information
 within a case, task or observable

0:23:07.340000 --> 0:23:10.440000
 is and how it can be shared.

0:23:10.440000 --> 0:23:14.960000
 So, if you set the TLP level for a
 task, let's say to red, then that

0:23:14.960000 --> 0:23:20.300000
 means it's highly sensitive and it's
 for named recipients only, no further

0:23:20.300000 --> 0:23:22.520000
 sharing, very important.

0:23:22.520000 --> 0:23:26.060000
 You then have TLP Amber, which means limited
 sharing within the organization

0:23:26.060000 --> 0:23:30.840000
 or community. TLP Green can be shared
 within the cybersecurity community

0:23:30.840000 --> 0:23:33.060000
 and then TLP White, public.

0:23:33.060000 --> 0:23:34.840000
 So no restrictions on distribution.

0:23:34.840000 --> 0:23:46.340000
 This is very important because it tells
 you, you know, whether or not

0:23:46.340000 --> 0:23:49.680000
 you can share stuff, that you'll see
 when creating a task, a case, task

0:23:49.680000 --> 0:23:55.340000
 or observable. And that is PAP or PAP, which
 is an abbreviation for Permissible

0:23:55.340000 --> 0:23:57.560000
 Actions Protocol.

0:23:57.560000 --> 0:24:02.440000
 So PAP is a classification system used
 to define how information may be

0:24:02.440000 --> 0:24:06.960000
 used rather than how it may be shared,
 which is what TLP governs.

0:24:06.960000 --> 0:24:10.980000
 So you have the following PAP levels,
 so White, Green, Amber, Red.

0:24:10.980000 --> 0:24:15.320000
 So White means the information can be used
 freely, including for attribution,

0:24:15.320000 --> 0:24:17.500000
 enforcement or public disclosure.

0:24:17.500000 --> 0:24:21.700000
 Green means the information may be used
 within the organization or community,

0:24:21.700000 --> 0:24:26.320000
 including for protective actions,
 but not publicly. Amber:

0:24:26.320000 --> 0:24:31.480000
 The information is more sensitive and
 may be used internally, but not

0:24:31.480000 --> 0:24:35.040000
 disclosed externally or used for
 attribution without permission.

0:24:35.040000 --> 0:24:38.540000
 And then PAP Red, the information
 is highly sensitive and should not

0:24:38.540000 --> 0:24:42.420000
 be used for enforcement, attribution
 or public exposure, typically used

0:24:42.420000 --> 0:24:44.120000
 for situational awareness only.

0:24:44.120000 --> 0:24:48.360000
 Now, what you'll typically see, because
 this may be confusing to you as

0:24:48.360000 --> 0:24:52.240000
 to why would you want to
 make it freely available.

0:24:52.240000 --> 0:24:58.540000
 Generally speaking, the other labels
 sort of come into play after you've

0:24:58.540000 --> 0:25:00.480000
 sort of performed analysis.

0:25:00.480000 --> 0:25:06.620000
 So whenever you'll be interacting with
 a case within TheHive, and let's

0:25:06.620000 --> 0:25:12.680000
 say an analyst has assigned a particular
 task within a case to you to

0:25:12.680000 --> 0:25:20.000000
 perform, let's say, initial analysis
 of an incident, the PAP and let's

0:25:20.000000 --> 0:25:24.780000
 start off with the TLP level, that
 will typically be labeled as red or

0:25:24.780000 --> 0:25:32.340000
 amber. But generally, red, especially
 during the actual investigation

0:25:32.340000 --> 0:25:37.200000
 process, or when the task
 is still in progress.

0:25:37.200000 --> 0:25:40.160000
 And in the case of PAP, that
 will again be set to red.

0:25:40.160000 --> 0:25:44.880000
 So that again, that's not always the
 case, but it generally means that,

0:25:44.880000 --> 0:25:50.180000
 hey, don't share this with anyone
 yet, for your eyes only.

0:25:50.180000 --> 0:25:56.360000
 Of course, some organizations have defined
 their own scheme for both PAP

0:25:56.360000 --> 0:26:01.540000
 and TLP. So I'll just be
 following what I know.

0:26:01.540000 --> 0:26:04.440000
 And of course, you can
 research this more.

0:26:04.440000 --> 0:26:07.580000
 But with that being said, that's
 going to be it for this video.

0:26:07.580000 --> 0:26:10.020000
 And I'll be seeing you in the next video.


