How Thales CERT fights typo-squatting with TheHive
Finding the best fit in a distributed landscape
Thales Group is a global company with operations in 68 countries and annual revenues of €18.4 billion. It produces high-technology solutions, services and products for defense and security, aerospace and space, cybersecurity and digital identity.
With more than 81,000 employees on five continents, Thales has many cybersecurity teams worldwide that need to collaborate and deliver high-standard security. For a while, though, they struggled to find a tool capable of automating workflows, offering convenient ticketing, following up on incidents and sharing information across their distributed network.
Existing SOAR platforms were not suitable for their usage. RTIR did not make their jobs much easier, either. Eventually, they started using TheHive 4 for its advanced case management capabilities.
This turned out to be a game-changer. They decided to go further and fully migrate to the newest version of TheHive to build optimized workflows for their most relevant scenarios. One of them was monitoring and taking down typo-squatted domains, which is a part of fraud prevention, a popular service by Thales.
“By automating repetitive steps with TheHive, our cybersecurity teams have sped up many of their tasks from 20-25 minutes to zero clicks. Observable verification now takes just a few clicks instead of several minutes. Standardizing processes via templates saves a lot of time, too,” says Audeline, Cybersecurity Incident Handler at Thales.
Tackling typo-squatting with TheHive
Typo-squatting in cybersecurity is like corporate identity fraud, but carried out by faking domains. A typo-squatter registers a domain that mimics an official one. The only difference: the fake one has an almost unnoticeable typo in its name.
The risks of being typo-squatted are countless. For example, a scammer can use a fake domain to create an email address. With this email, the fraudster could impersonate an employee, usually a C-level, and try to steal money (e.g. the president scam). This could also be used to request access to sensitive data or systems.
The fraudster can also place expensive orders as a fake employee, damaging the victim’s brand reputation and the suppliers’ finances. To help themselves and their clients deal with this threat, Thales CERT’s analysts built a dedicated workflow featuring TheHive. In it, StrangeBee's Case Management Platform plays an essential managing and orchestrating role.
1. A homemade script, working together with a domain-checking solution, continuously monitors for the availability of typo-squatted domains. When one becomes available, the script automatically purchases it. This prevents scammers from buying or renewing it and running malicious activities pretending to act on behalf of the original company.
2. When a new domain is purchased, TheHive receives an alert. This triggers a Node-RED workflow that inspects the domain redirects against multiple services (e.g., Lookyloo & VirusTotal).
3. Finally, thanks to TheHive’s correlation feature, analysts can check if this domain has been spotted in past cases or alerts:
- If TheHive detects that the newly acquired typo-squatted domain is related to any past case, the alert and the case are merged. The system posts a comment and notifies the case owner.
- If no corresponding case is found, TheHive creates a new one to assign to a group of analysts. It then notifies these analysts so they can start investigating using the platform’s dedicated features.
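The three-step workflow above has two decision points that can be shown without any network access: building the list of typo variants a monitoring script watches for, and the correlation step that decides whether an alert for a newly purchased domain is merged into an existing case or opens a new one. The following is an added example, not Thales CERT's script or TheHive's own code; the brand domain (example.com), case ids, analyst group and past cases are constructed placeholders, and the redirect checks against Lookyloo and VirusTotal are left out because they need live services.

```python
"""Added example, not Thales' or StrangeBee's code: an offline simulation of two
decision points in the typo-squatting workflow.

1. generate_typo_candidates() builds the watch list a monitoring script would
   check for availability (omission, transposition, repetition and look-alike
   substitution of one character).
2. correlate_alert() is the correlation step: an alert for a newly purchased
   domain is merged into a past case that already holds that domain as an
   observable, or a fresh case is opened and assigned to an analyst group.

The brand domain (example.com), case ids, analyst group and past cases are
constructed placeholders.
"""
from dataclasses import dataclass, field
from itertools import count

# One-character look-alike substitutions that are easy to miss in an address bar.
LOOKALIKES = {"l": ("1", "i"), "i": ("l", "1"), "o": ("0",),
              "m": ("rn",), "e": ("3",), "a": ("4",), "s": ("5",)}


def generate_typo_candidates(domain: str) -> set[str]:
    """Return single-edit variants of the registrable label, keeping the TLD."""
    name, _, tld = domain.lower().partition(".")
    variants: set[str] = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])              # omission
        variants.add(name[:i] + ch + name[i:])             # repetition
        if i < len(name) - 1:                              # transposition
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        for sub in LOOKALIKES.get(ch, ()):                 # look-alike swap
            variants.add(name[:i] + sub + name[i + 1:])
    variants.discard(name)                                 # never list the real domain
    return {f"{v}.{tld}" for v in variants if v}


@dataclass
class Case:
    case_id: str
    title: str
    owner: str                    # analyst or analyst group
    observables: set[str]         # domains, IPs, hashes seen in the case
    comments: list[str] = field(default_factory=list)


@dataclass
class Alert:
    alert_id: str
    domain: str
    source: str = "domain-purchase-script"   # constructed source name


NOTIFICATIONS: list[tuple[str, str]] = []   # (recipient, message) sent so far
_new_case_ids = count(1)


def notify(recipient: str, message: str) -> None:
    """Stand-in for the messaging/email notification; records what was sent."""
    NOTIFICATIONS.append((recipient, message))


def correlate_alert(alert: Alert, cases: list[Case], analyst_group: str):
    """Merge the alert into the first past case holding the same domain as an
    observable; otherwise open a new case. Returns (action, case)."""
    domain = alert.domain.lower().rstrip(".")
    for case in cases:
        if domain in case.observables:
            case.comments.append(
                f"Alert {alert.alert_id} merged: {domain} re-observed via {alert.source}")
            notify(case.owner, f"{case.case_id}: new alert merged for {domain}")
            return "merged", case
    new_case = Case(case_id=f"CASE-{next(_new_case_ids)}",
                    title=f"Typo-squatted domain acquired: {domain}",
                    owner=analyst_group, observables={domain})
    cases.append(new_case)
    notify(analyst_group, f"{new_case.case_id}: new case assigned, start investigation")
    return "created", new_case


if __name__ == "__main__":
    watch_list = generate_typo_candidates("example.com")
    print(len(watch_list), "candidate domains, e.g.", sorted(watch_list)[:5])

    # Constructed case history: one earlier phishing case already lists exmple.com.
    past_cases = [Case("CASE-42", "Phishing from exmple.com", "alice",
                       {"exmple.com", "198.51.100.7"})]
    print(correlate_alert(Alert("A-1", "EXMPLE.com"), past_cases, "typosquat-team")[0])
    print(correlate_alert(Alert("A-2", "exampel.com"), past_cases, "typosquat-team")[0])
    print(NOTIFICATIONS)
```

The domain is normalized (lower-cased, trailing dot removed) before matching, because a purchase script and a mail gateway rarely agree on letter case; without that step, the correlation silently opens duplicate cases for the same domain.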
Efficiency, integration, transparency
Thanks to TheHive, dealing with typo-squatting at Thales is now much more efficient and transparent.
Now, the company’s analysts can not only speed up their work by automating routine steps of the workflow but also adapt the whole process of case management and incident response to their needs.
TheHive’s versatile API made it easy to integrate the platform with Thales’ internal and external stack. Connecting it to third parties, Node-RED and other software ensured smooth data flow and centralized alert management. The analysts can also use custom messaging solutions and email for convenient communication and fast notification, and connect to MISP to share IOCs.
The transparency of TheHive is reinforced by convenient dashboards. Templates for cases, tasks and reports help save time and effort, as well as standardize incident handling.
Collaboration, customization, automation
Leveraging the multi-tenancy and collaboration features, Thales CERT enabled automated but controlled information sharing between its distributed security teams, including the core team and hundreds of regional Cybersecurity Champions. All the participants can now easily assign and manage incident response tasks individually and collectively, add comments and attach files for others to see.
Multi-tenancy also made it possible to customize TheHive and Cortex (the “brain” engine working with it) for Thales’ particular requirements. They created several dozen organizations for teams inside the platform. Each of them picked different Cortex instances according to their needs:
- As observable analyzers, they chose from VirusTotal, AbuseIPDB, domain analyzers, partner verification or QR code decoder, and successfully integrated custom analyzers such as employee verification.
- As responders, they developed their own: domain purchases, device isolation via EDR, adding comments and feeding Collections on VirusTotal, sending awareness emails, certificate revocation and password resets.
Analysts can create new analyzers and responders via Cortex if needed and automate analysis and response to save time. The engine can be configured to analyze up to hundreds of observables at once by itself and to automatically tackle uncovered threats.
The results and future plans with TheHive
TheHive has allowed Thales CERT’s analysts to work faster, more conveniently and effectively.
“It has ensured transparency, easy collaboration and data sharing for teams worldwide. An ongoing project to automate the communications between them is now underway,” says Lenaic, Cybersecurity Incident Handler at Thales who played a major role in building the new workflows featuring TheHive.
The company aims to develop the domain typo-squatting scenario further. It has also developed a standard workflow that can be built upon and a workflow for automatically handling partner alerts.
In the future, Thales is considering using TheHive for other projects, such as email security.
Moreover, the company would like to integrate a major strategic division into TheHive to create automatic alerts in case of a partner’s compromise.
“We have been using TheHive for almost 2 years, and we plan to continue working with this platform. StrangeBee’s support is always ready to assist with resolving issues and helping with configuration. We are so looking forward to continuing this exciting journey together,” says Audeline.
“The TheHive and Cortex framework has significantly enhanced our team's efficiency and effectiveness in incident investigations. By automating repetitive and low-value tasks, our engineers can focus on strategic aspects of their work and release their expertise on technical parts. This has led to substantial time savings and improved organization; this provides a comprehensive view of investigations, making it easier for managers and coordinators to oversee operations. The flexibility of the automation features allows the team to tailor the system to our specific needs as we continue to develop our processes. Additional features such as automatic observables processing, timeline functionality and automated report generation further contribute to the framework's value and our team's confidence in its long-term use,” shares Julien Mongenet, Head of Thales CERT & PSIRT.