Admin Guide

intel-db - 2.0.1

Contents

  1. Introduction
  2. User Interface
    1. HTTPS Certificate
    2. HTTPS Port
    3. Authenticated Session Timeout
    4. Disclaimer
    5. Password Complexity
  3. Static Configuration
    1. Kill Chain Values
    2. TLP Values
    3. Indicator Types
    4. Target Types
    5. Signature Types
  4. Operating System Services
  5. Accessing the IntelDB Database

Introduction

This document details subjects related to the administration of the NoSpaceships Ltd IntelDB product (IntelDB).

The IntelDB User Guide documents in detail all aspects of the IntelDB Web User Interface (WebUI), including all sections of the WebUI related to administration.

This document is aimed at product administrators.

User Interface

HTTPS Certificate

The WebUI is available using HTTPS. A default self-signed certificate will be installed following an initial installation. This can be modified post installation, and any change will be retained during any future upgrades.

The HTTPS certificate and key must be PEM formatted. The certificate and key can exist in separate files.

A different certificate can be specified simply by editing the <install>/config/http-server.json file, updating the following options:

"tls": {
	"key": "config/http-server.pem",
	"cert": "config/http-server.pem"
},

Alternatively a different certificate can be copied over the top of the existing <install>/config/http-server.pem file. This will be retained during any future upgrades.

After updating the <install>/config/http-server.json or the <install>/config/http-server.pem file the intel-db-server-http-server service must be restarted.

HTTPS Port

By default following an initial installation the WebUI will be available on TCP port 8000. This can be modified post installation, and any change will be retained during any future upgrades.

A different port can be specified simply by editing the <install>/config/http-server.json file, updating the port option:

"listen": {
	"address": "0.0.0.0",
	"port": 8000
},

After updating the <install>/config/http-server.json file the intel-db-server-http-server service must be restarted.

Authenticated Session Timeout

By default after an initial installation all inactive sessions within the WebUI will expire after 3600 seconds, i.e. 1 hour. This can be modified post installation, and any change will be retained during any future upgrades.

A different value can be specified simply by editing the <install>/config/http-server.json file, updating the following option:

"sessionTimeout": 3600,

After updating the <install>/config/http-server.json file the intel-db-server-http-server service must be restarted.

Disclaimer

The IntelDB Login page will display a disclaimer section. This can be modified post installation, and any change will be retained during any future upgrades.

This can be customized by editing the <install>/config/disclaimer.html file. This file can contain HTML and in-line styles.

After updating the <install>/config/disclaimer.html file the intel-db-server-http-server service must be restarted.

Password Complexity

Users are permitted to change their own password in the IntelDB WebUI. When new users are defined in the IntelDB WebUI administrators must specify a password. In both cases the password must meet the configured password complexity requirements.

This is configured in the <install>/config/http-server.json file, under the validatePasswordRegex attribute, for example:

"validatePasswordRegex": "^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#\\$%\\^&\\*])(?=.{8,})"

By default, the configured regex requires that a password:

  • Contain at least 1 upper case letter
  • Contain at least 1 lower case letter
  • Contain at least 1 number
  • Contain at least 1 of the following characters: !@#$%^&*
  • Be at least 8 characters long

Administrators can modify this regular expression to restrict the requirements further simply by editing this attribute.

After updating the <install>/config/http-server.json file the intel-db-server-http-server service must be restarted.

NOTE Modifying this attribute will not affect existing passwords.
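The following is an added example, not IntelDB code: it loads the validatePasswordRegex attribute from a constructed stand-in for <install>/config/http-server.json, checks candidate passwords against it, and reports which individual requirement a rejected password fails, so an administrator can try a tightened pattern before restarting the service.

```javascript
// Added example, not IntelDB code: test candidate passwords against the
// validatePasswordRegex in http-server.json before restarting the service.
// CONSTRUCTED_CONFIG stands in for <install>/config/http-server.json; in
// practice read that file with fs.readFileSync(path, "utf8").
const CONSTRUCTED_CONFIG = String.raw`{
  "sessionTimeout": 3600,
  "validatePasswordRegex": "^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#\\$%\\^&\\*])(?=.{8,})"
}`;

// JSON decoding turns "\\$" into "\$", which is the text the regex engine compiles.
function loadPasswordPattern(configText) {
  const pattern = JSON.parse(configText).validatePasswordRegex;
  new RegExp(pattern); // throws early if an edited pattern is not valid
  return pattern;
}

function checkPassword(pattern, candidate) {
  return new RegExp(pattern).test(candidate);
}

// For a policy built only from lookaheads, as the default is, report which
// individual requirement a candidate fails (assumes no nested parentheses).
function failingRules(pattern, candidate) {
  const rules = pattern.match(/\(\?=[^()]*\)/g) || [];
  return rules.filter((rule) => !new RegExp("^" + rule).test(candidate));
}

const pattern = loadPasswordPattern(CONSTRUCTED_CONFIG);
for (const candidate of ["Tr0ub4dor&3", "password", "Passw0rd"]) {
  console.log(candidate, checkPassword(pattern, candidate), failingRules(pattern, candidate));
}
```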

Static Configuration

Kill Chain Values

A cyber kill chain is used as a way to manage and improve security. It defines the phases through which threats must move. Organizations can utilise their security portfolio to address each stage of a kill chain.

By default, the IntelDB uses the intrusion kill chain, which is defined as follows (quoted from Wikipedia):

  • Reconnaissance - Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
  • Weaponization - Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
  • Delivery - Intruder transmits weapon to target (e.g., via e-mail attachments, websites or USB drives).
  • Exploitation - Malware weapon’s program code triggers, which takes action on target network to exploit vulnerability.
  • Installation - Malware weapon installs access point (e.g., “backdoor”) usable by intruder.
  • Command and Control - Malware enables intruder to have “hands on the keyboard” persistent access to target network.
  • Actions on Objective - Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.

Some organizations may utilise a different kill chain, and may add extra values as required. The IntelDB permits adding/removing what kill chain values are available.

To add/remove a specific kill chain value edit the <install>/config/constants.json file. Under the killChainValues attribute all current values will be defined, for example:

"killChainValues": [
	{
		"name": "Reconnaissance"
	},
	...
]

When kill chain values are displayed in the WebUI they will be ordered as they are defined here.

After updating the <install>/config/constants.json file the intel-db-server-http-server service must be restarted.

NOTE Removing a kill chain value from this file will not affect existing data.

TLP Values

The Traffic Light Protocol (TLP) helps to identify the rules associated with the sharing of any specific piece of information.

The TLP defines four colours and an associated scope for sharing, for example (some of the text here quotes Wikipedia):

  • WHITE - Unlimited, e.g. information may be distributed freely without restriction
  • GREEN - Community wide, e.g. may be circulated widely within a particular community
  • AMBER - Limited distribution, e.g. may be shared with others within an organization but on a “need-to-know” basis
  • RED - Personal, e.g. for named recipients only

Some organizations may operate with different levels of intelligence sharing, and may add extra levels as required. The IntelDB permits adding/removing what TLP levels are available.

To add/remove a specific TLP level edit the <install>/config/constants.json file. Under the tlpValues attribute all current values will be defined, for example:

"tlpValues": [
	{
		"name": "WHITE",
		"style": {"color": "#fff", "background-color": "#000"}
	},
	...
]

When TLP values are displayed in the WebUI they will be ordered as they are defined here. Additionally, when determining which TLP value takes precedence over another, a TLP value defined before another in this file will take precedence.

For example, when adding an indicator via the WebUI, if the indicator already exists and already has the TLP value RED assigned, and the new indicator was specified as WHITE, then after the new indicator is merged into the existing indicator its TLP value will be WHITE. This is because by default WHITE is defined before RED in this file. Note that with the default order a merge can therefore replace a more restrictive TLP value with a less restrictive one; administrators who want the most restrictive value to win a merge should define RED first, bearing in mind that the same order also controls how the values are displayed.

Various parts of the WebUI will display the TLP value as a label, e.g. under the Indicators page. The style attribute is used to style these labels for a particular TLP value.

After updating the <install>/config/constants.json file the intel-db-server-http-server service must be restarted.

NOTE Removing a value from this file will not affect existing data.

Indicator Types

When adding indicators an indicator type must be specified. For example, the indicator type “IPv4 Address” or “MD5”.

Over time an organization may wish to add to the list of available indicator types. The IntelDB permits adding/removing what indicator types are available.

To add/remove indicator types edit the <install>/config/constants.json file. Under the indicatorValueTypes attribute all current indicator types will be defined, for example:

"indicatorValueTypes": [
	{
		"name": "Domain"
	},
	{
		"name": "Email Address",
		"schema": {
			"type": "string",
			"format": "email"
		}
	},
	...
	{
		"name": "MD5",
		"schema": {
			"type": "string",
			"pattern": "^[a-fA-F0-9]{32}$"
		}
	},
	...
]

When indicator types are displayed in the WebUI they will be ordered as they are defined here.

When adding/editing indicators their values will be validated depending on the indicator types configuration.

In the above snippet, the Domain indicator type only requires that the indicator's value be present and at least 1 character in length. The Email Address indicator type, however, requires that the indicator's value be a valid email address.

For an indicator type the schema attribute is optional; if present it defines a JSON schema snippet used to validate the indicator's value whenever that indicator type is specified.

The IntelDB uses the Ajv JSON validator to validate the schema snippets specified for indicator types against indicator values. Refer to the Ajv formats documentation to understand what built-in formats are supported, and to the JSON schema documentation to understand the JSON schema format.

After updating the <install>/config/constants.json file the intel-db-server-http-server service must be restarted.

NOTE Removing an indicator type from this file will not affect existing data.

Target Types

When adding targets a target type must be specified. For example, the target type “Host” or “User”.

Over time an organization may wish to add to the list of available target types. The IntelDB permits adding/removing what target types are available.

To add/remove target types edit the <install>/config/constants.json file. Under the targetValueTypes attribute all current target types will be defined, for example:

"targetValueTypes": [
	{
		"name": "Host",
		"schema": {
			"type": "string",
			"minLength": 1
		}
	},
	...
]

When target types are displayed in the WebUI they will be ordered as they are defined here.

When adding/editing targets their values will be validated depending on the target types configuration.

In the above snippet, the User target type only requires that the target's value be present and at least 1 character in length.

For a target type the schema attribute is optional; if present it defines a JSON schema snippet used to validate the target's value whenever that target type is specified.

The IntelDB uses the Ajv JSON validator to validate the schema snippets specified for target types against target values. Refer to the Ajv formats documentation to understand what built-in formats are supported, and to the JSON schema documentation to understand the JSON schema format.
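The following added example (not IntelDB code, and not Ajv) shows how the per-type schema snippets from constants.json are applied to indicator values, as described under Indicator Types, and to target values, as described under Target Types. It implements only the keywords used in the snippets on this page (type, minLength, pattern, and a simplified email format check that stands in for Ajv's built-in format), and applies the page's stated default for types without a schema: the value must be present and at least 1 character long. The constants object is constructed for the example.

```javascript
// Added example, not IntelDB code: apply the per-type "schema" snippets from
// constants.json to indicator/target values the way the text describes.
// Only the keywords used on this page are implemented (type, minLength,
// pattern, format "email"); IntelDB itself uses Ajv for this.
const CONSTRUCTED_CONSTANTS = {
  indicatorValueTypes: [
    { name: "Domain" },
    { name: "Email Address", schema: { type: "string", format: "email" } },
    { name: "MD5", schema: { type: "string", pattern: "^[a-fA-F0-9]{32}$" } },
  ],
  targetValueTypes: [
    { name: "Host", schema: { type: "string", minLength: 1 } },
  ],
};

// Simplified stand-in for Ajv's "email" format check (an assumption, not Ajv's regex).
const FORMATS = { email: (v) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) };

// Returns an array of error strings; an empty array means the value is valid.
function validateAgainstSchema(schema, value) {
  const errors = [];
  if (schema.type === "string" && typeof value !== "string") errors.push("must be a string");
  if (typeof value !== "string") return errors;
  if (schema.minLength !== undefined && value.length < schema.minLength)
    errors.push(`shorter than minLength ${schema.minLength}`);
  if (schema.pattern !== undefined && !new RegExp(schema.pattern).test(value))
    errors.push(`does not match pattern ${schema.pattern}`);
  if (schema.format !== undefined && FORMATS[schema.format] && !FORMATS[schema.format](value))
    errors.push(`is not a valid ${schema.format}`);
  return errors;
}

// Look up the type by name in the given list (indicatorValueTypes or
// targetValueTypes). With no schema, the page's stated default applies:
// the value must be present and at least 1 character long.
function validateValue(types, typeName, value) {
  const entry = types.find((t) => t.name === typeName);
  if (!entry) return [`unknown type ${typeName}`];
  const schema = entry.schema || { type: "string", minLength: 1 };
  return validateAgainstSchema(schema, value);
}

const { indicatorValueTypes, targetValueTypes } = CONSTRUCTED_CONSTANTS;
console.log(validateValue(indicatorValueTypes, "MD5", "d41d8cd98f00b204e9800998ecf8427e"));
console.log(validateValue(indicatorValueTypes, "Email Address", "not-an-email"));
console.log(validateValue(targetValueTypes, "Host", ""));
```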

After updating the <install>/config/constants.json file the intel-db-server-http-server service must be restarted.

NOTE Removing a target type from this file will not affect existing data.

Signature Types

When adding signatures a signature type must be specified. For example, the signature type “yara” or “generic”.

Over time an organization may wish to add to the list of available signature types. The IntelDB permits adding/removing what signature types are available.

To add/remove signature types edit the <install>/config/constants.json file. Under the signatureValueTypes attribute all current signature types will be defined, for example:

"signatureValueTypes": [
	{
		"name": "generic"
	},
	{
		"name": "yara"
	}
]

When signature types are displayed in the WebUI they will be ordered as they are defined here.

After updating the <install>/config/constants.json file the intel-db-server-http-server service must be restarted.

NOTE Removing a signature type from this file will not affect existing data.

Operating System Services

The following operating system services will be installed and started following an installation of IntelDB:

  • intel-db-server-http-server - HTTP server providing the WebUI
  • intel-db-server-mongod - MongoDB database server, used for persistent storage of all data

Operating system services can be managed using the system's service command, or by invoking the start/stop scripts directly. For example, the following two commands are effectively the same:

service intel-db-server-http-server start

/etc/init.d/intel-db-server-http-server start

All services accept the start, stop, status and restart commands. For the status command the return code of the program can be checked, e.g.:

# No output will be displayed
service intel-db-server-mongod status

# This will print 0 if the service is running, otherwise 1
echo $?

Accessing the IntelDB Database

The MongoDB database is used for persistent storage of all data. The MongoDB client is provided with the application for support and troubleshooting.

MongoDB is secured with a MongoDB username/password and TLS. The user for the MongoDB connection will be “admin”, and the password is found in the following part of the <install>/config/http-server.json file:

"mongodb": {
	"url": "mongodb://admin:password@127.0.0.1:7999/app?authSource=admin&ssl=true",
	...
},

The password field will be a 32 character hexadecimal string. Once this has been obtained run the following command to connect to MongoDB (this will connect to a local instance):

cd <install>

./mongo --port 7999 --ssl --sslAllowInvalidCertificates

> use admin
> db.auth("admin", "password")
> use app

This will then allow execution of MongoDB commands:

> db.version()
> db.hostInfo()