Traditional commercial Endpoint Detection and Response (EDR) solutions, while effective, often come with prohibitive costs and inflexible frameworks that may not cater to all organizational needs. This has led to an increasing shift towards innovative, homegrown cybersecurity solutions by many hobbyists and commercial users alike.
A prime example of this shift in my own work is my attempt at building an EDR system from Wazuh, TheHive, and MISP, integrated into a cohesive framework built on open-source technology. Engineering this solution from the ground up not only challenged me, but also raises the question of whether commercial products justify their cost when open-source solutions can do the same work at a fraction of the price, with greater flexibility and adaptability.
This paper explores an approach to substituting EDR, wherein key open-source tools — Wazuh for monitoring and alerting, TheHive for incident response, and MISP for threat intelligence — are integrated into one pipeline. This integration is enhanced by the automation capabilities of ThreatIngestor, an open-source tool that enriches the threat intelligence process by automating the ingestion of indicators of compromise (IOCs) from a variety of sources such as Twitter, blogs, and RSS feeds.
The proposed cybersecurity solution integrates three key open-source tools — Wazuh, TheHive, and MISP — into a cohesive system designed to detect, manage, and respond to security incidents. This section delves into the specifics of how these components are configured and work together to provide a robust endpoint detection and response platform.
The project comprises several Python files, each serving a distinct role, plus a .env file that holds the API URLs and keys for TheHive and MISP, as well as the SSL certificate settings for MISP.
The system is designed to receive JSON data via a webhook, typically sent by Wazuh when it detects a potential threat. The routes.py file defines the endpoint that accepts these POST requests. Upon receiving a request, the JSON body is extracted and flattened into a single-level dictionary using the recursive functions defined in utils.py. A unique alert ID is then generated from this data if one is not already present.
After preprocessing the data, thehive.py is invoked to construct an alert object from the severity of the alert and the various fields extracted from the JSON. TheHive API is then used to create the alert in TheHive. The alert includes details such as hostname, source and destination IPs, and other pertinent information. Each alert can have artifacts (observables) associated with it, which are also generated from the extracted data, excluding specific keys that are not relevant as artifacts.
Concurrently, the misp.py module uses the hash values extracted from the alert data to search for matches in MISP. This is crucial for identifying whether the hashes related to the alert have been observed in other incidents or are known to be associated with malicious activity. The search results can trigger additional actions, such as the creation of a detailed case in TheHive, should any matches be found.
If hashes from the alert are found in MISP, thehive.py proceeds to create a detailed case based on the alert. This case includes a comprehensive description and all the observables associated with the alert, enhancing the investigation capabilities within TheHive. Each case is also tagged and categorized for easy tracking and reference.
A key enhancement in the threat intelligence capability of this solution is the integration of ThreatIngestor. This tool is configured to automatically monitor and extract IOCs from configured sources, significantly expanding MISP’s utility by keeping its threat data current and comprehensive. This integration not only automates a crucial aspect of threat intelligence but also ensures that the data is relevant, timely, and actionable.
Critical to the operation of this EDR solution is the configuration of Wazuh to send webhook notifications. This is accomplished by adding a custom integration block to the manager's ossec.conf that directs alerts to the Flask application. The level setting ensures that only alerts at or above that severity are pushed to the system, where they are immediately processed, showcasing the system's capability to handle real-time threat data efficiently.

```xml
<integration>
  <name>custom-webhook</name>
  <hook_url>http://<your_flask_server_ip>:<port>/webhook</hook_url>
  <alert_format>json</alert_format>
  <level>3</level>
</integration>
```

Two points are worth checking when reproducing this. First, Wazuh treats any integration whose name begins with custom- as a user-supplied script, so an executable named custom-webhook must also exist in /var/ossec/integrations on the manager; it is that script, invoked with the path to the alert file and the hook_url, that performs the HTTP POST. Second, the hook_url above is plain http:// with no authentication, so the Flask endpoint should be reachable only from the manager, or be placed behind TLS and some form of request authentication; otherwise anyone who can reach it can inject fabricated alerts into TheHive.
This setup not only exemplifies the integration of Wazuh within the broader EDR framework but also highlights the system’s flexibility in configuring operational parameters to match specific security policies.
The operational flow of the system begins when Wazuh detects an event that triggers an alert. This alert is formatted as a JSON object and sent to the Flask application via the configured webhook. Upon receipt, the JSON data is parsed and processed to extract relevant information, which is then used to create detailed alerts and cases within TheHive. Concurrently, hash values extracted from the alert are used to search for related IOCs in MISP, further enriching the context of the incident being managed.
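As an added example, not code from the project described on this page, the following standard-library Python reproduces the operational flow above and the module walkthrough earlier in one runnable piece: a constructed Wazuh-style alert is flattened, given an ID, turned into a TheHive-style alert with observables, and its hashes are checked against an in-memory stand-in for the MISP search, with a case built only on a match. The TheHive field names (type, source, sourceRef, severity, observables), the level-to-severity cut-offs, the observable key table and the MISP lookup table are my assumptions; the sample alert is constructed, and its hashes are those of the EICAR test file.

```python
"""Added example (not the project's code): Wazuh webhook -> flatten -> alert ID
-> TheHive-style alert + observables -> MISP hash lookup -> case on match.
Standard library only, so it runs offline; API calls are replaced by dicts."""
import hashlib
import json
import re

# Constructed sample alert. Field names follow Wazuh's syscheck alert JSON;
# the hashes are those of the EICAR test file, so a MISP hit is plausible.
SAMPLE_ALERT = {
    "timestamp": "2024-05-01T12:00:00.000+0000",
    "rule": {"level": 7, "description": "File modified.", "id": "550",
             "groups": ["ossec", "syscheck"]},
    "agent": {"id": "001", "name": "web-01", "ip": "10.0.0.5"},
    "syscheck": {
        "path": "/tmp/eicar.com", "event": "modified",
        "md5_after": "44d88612fea8a8f36de82e1278abb02f",
        "sha1_after": "3395856ce81f2b7382dee72602f798b642f14140",
        "sha256_after": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
    },
    "data": {"srcip": "203.0.113.9"},
}

# Constructed stand-in for a MISP attribute search: hash value -> MISP event id.
MISP_KNOWN_HASHES = {"44d88612fea8a8f36de82e1278abb02f": 1234}

# Flat keys that become TheHive observables, with an assumed dataType each.
OBSERVABLE_KEYS = {
    "agent.name": "hostname", "agent.ip": "ip",
    "data.srcip": "ip", "data.dstip": "ip", "syscheck.path": "filename",
}
HASH_RE = {"md5": re.compile(r"^[0-9a-f]{32}$"),
           "sha1": re.compile(r"^[0-9a-f]{40}$"),
           "sha256": re.compile(r"^[0-9a-f]{64}$")}


def flatten(obj, parent="", sep="."):
    """Recursively flatten nested dicts/lists: {"a": {"b": [1]}} -> {"a.b.0": 1}."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{parent}{sep}{k}" if parent else str(k), sep))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{parent}{sep}{i}" if parent else str(i), sep))
    else:
        out[parent] = obj
    return out


def alert_id(flat):
    """Use Wazuh's own top-level alert id when present, else derive a stable one."""
    if flat.get("id"):
        return str(flat["id"])
    canonical = json.dumps(flat, sort_keys=True, default=str).encode()
    return hashlib.sha256(canonical).hexdigest()[:16]


def extract_hashes(flat):
    """Return {hash_value: kind} for values that look like a hash and whose
    key names the algorithm (e.g. syscheck.sha256_after)."""
    found = {}
    for key, val in flat.items():
        if not isinstance(val, str):
            continue
        for kind, rx in HASH_RE.items():
            if kind in key.lower() and rx.match(val.lower()):
                found[val.lower()] = kind
    return found


def severity_from_level(level):
    """Map Wazuh rule level (0-15) onto TheHive severity 1-4 (assumed cut-offs)."""
    level = int(level or 0)
    return 4 if level >= 13 else 3 if level >= 10 else 2 if level >= 7 else 1


def handle_webhook(alert):
    """What the Flask /webhook route would do with one POSTed Wazuh alert."""
    flat = flatten(alert)
    hashes = extract_hashes(flat)
    observables = [{"dataType": t, "data": flat[k]}
                   for k, t in OBSERVABLE_KEYS.items() if k in flat]
    observables += [{"dataType": "hash", "data": h, "tags": [kind]}
                    for h, kind in hashes.items()]
    title = f"{flat.get('rule.description', 'Wazuh alert')} on {flat.get('agent.name', 'unknown agent')}"
    thehive_alert = {
        "type": "wazuh", "source": "wazuh", "sourceRef": alert_id(flat),
        "title": title, "severity": severity_from_level(flat.get("rule.level")),
        "description": json.dumps(flat, indent=2, default=str),
        "tags": [f"rule:{flat.get('rule.id', '?')}"], "observables": observables,
    }
    # A case is opened only when MISP already knows one of the hashes.
    misp_hits = {h: MISP_KNOWN_HASHES[h] for h in hashes if h in MISP_KNOWN_HASHES}
    case = None
    if misp_hits:
        case = {"title": f"[MISP match] {title}", "severity": thehive_alert["severity"],
                "tags": thehive_alert["tags"] + [f"misp:event:{e}" for e in misp_hits.values()],
                "description": f"Hashes known to MISP: {misp_hits}", "observables": observables}
    return {"alert": thehive_alert, "misp_hits": misp_hits, "case": case}


if __name__ == "__main__":
    print(json.dumps(handle_webhook(SAMPLE_ALERT), indent=2))
```

The hash extraction deliberately requires both a hex value of the right length and a key that names the algorithm, so that unrelated 32- or 64-character hex strings elsewhere in an alert are not sent to MISP as hashes; the case is only built when the lookup returns a hit, matching the conditional flow described above.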
In developing this solution, I made a deliberate decision to program directly against the TheHive and MISP APIs rather than adopt an automation (SOAR) framework such as Shuffle, which is what most current tutorials for this stack (for example on YouTube) recommend. This choice stemmed from a detailed evaluation of the operational requirements and the need for a high-performance, adaptable system.
Rationale Behind the Decision
Looking ahead, SecOrc plans to integrate additional tools to broaden its detection and response capabilities:
In this paper, I have detailed the architecture and implementation of an integrated Endpoint Detection and Response (EDR) system utilizing Wazuh, TheHive, and MISP — three formidable open-source tools. This solution aims to offer a flexible, cost-effective alternative to traditional commercial EDR systems, with a strong emphasis on adaptability and customization through direct API integration and a user-centric operational model. However, it’s crucial to note that this system is still in the experimental phase.
The actual efficacy and performance of this open-source EDR solution, compared to its commercial counterparts, have yet to be fully tested. Key aspects such as scalability, security, user-friendliness, and compliance with legal standards require extensive validation across various real-world scenarios. Moreover, my future plans for integrating tools like Velociraptor, YARA, and ClamAV are designed to enhance the solution’s capabilities and will also need rigorous evaluation to determine their impact on the overall system performance and reliability.
Going forward, my focus will be on conducting comprehensive testing and collecting detailed feedback from initial deployments. This will involve stress-testing the system under diverse network conditions, benchmarking its performance against leading commercial solutions, and refining its functionality based on user feedback and the evolving landscape of cybersecurity threats. By undertaking these steps, I aim not only to validate but also to refine my solution to ensure that it meets the rigorous demands of modern cybersecurity environments and proves itself as a viable alternative to commercial EDR systems. The journey towards a fully validated open-source EDR solution is both challenging and exciting, and I am committed to advancing this project to potentially set a new standard in the cybersecurity field.