Summary
TheHive improves external communication and response by automating key processes.
- User-reported phishing alerts are automatically parsed and ingested.
- Alerts from SIEM, EDR and CTI tools are integrated, providing real-time updates.
- Responders take swift action, isolating compromised endpoints and blocking malicious IPs.
TheHive ensures fast, coordinated responses, bolstering both internal defenses and broader industry-wide collaboration.
Scenario
A global manufacturing company detects signs of a sophisticated cyber-attack targeting their industry. The group behind the attack is known for targeting critical infrastructure, using advanced techniques to infiltrate and disrupt operations.
The company’s cybersecurity team must quickly improve its security operations to respond effectively and maintain communication with external partners.
- Mail Intake: The company integrates its various security mailboxes with TheHive, ensuring that user-reported alerts are automatically parsed and ingested. For example, when employees report suspicious emails that could be part of a targeted phishing campaign, these alerts are instantly fed into TheHive, ensuring they are not missed amidst the daily influx of information.
- Functions: To strengthen its defenses, the company integrates alerts from surrounding tools, such as its SIEM, EDR and CTI services, into TheHive. Functions process the data arriving from those external components, so the team receives real-time alerts about potential indicators of the ongoing attack, such as unusual network activity or suspicious files.
- Responders: Once IOCs are confirmed, the team uses TheHive’s responders to take immediate action. This includes isolating compromised endpoints through their EDR, adding malicious IP addresses and domains to their proxy blocklists, and triggering forensic mechanisms to collect and analyze suspicious files. Automated responses are critical in containing the threat before it can escalate.
- Notifications: TheHive’s notification system is configured to trigger alerts across various external communication channels whenever specific events occur. For example, when a new alert related to the attack is detected, the system instantly posts updates to the company’s internal communication tools, alerts key stakeholders and triggers its on-call (duty) mechanisms. That way, all relevant parties are informed and can coordinate a timely response.
- MISP export: As new IOCs are identified, the team exports them to their MISP instance directly from TheHive. This export strengthens the company’s defense by updating threat intelligence feeds and sharing actionable insights with external partners (such as industry peers and governmental agencies), promoting a collaborative defense against the threat.
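As an added illustration of the mail-intake step above (example code, not from this page or from TheHive itself), the following Python turns one user-reported e-mail into an alert payload with extracted observables. The field names follow the general shape of an alert record (type, source, sourceRef, observables) but are assumptions here, and the sample message is constructed.

```python
import email
import email.utils
import hashlib
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Constructed sample of a user-reported phishing e-mail (not from the page).
REPORTED_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-login.test>
To: alice@corp.example
Subject: Urgent: password reset required
Message-ID: <20240101.9000@example-login.test>
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it here:
http://example-login.test/reset?user=alice
Questions? Visit https://example-login.test/help
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_observables(msg: EmailMessage) -> List[Dict]:
    """Pull the sender address, sender domain and body URLs out of a message."""
    sender_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    found: List[Dict] = []
    if sender_addr:
        found.append({"dataType": "mail", "data": sender_addr})
        found.append({"dataType": "domain", "data": sender_addr.split("@")[-1]})
    for url in URL_RE.findall(body):
        found.append({"dataType": "url", "data": url})
    unique, seen = [], set()  # de-duplicate while keeping first-seen order
    for obs in found:
        key = (obs["dataType"], obs["data"])
        if key not in seen:
            seen.add(key)
            unique.append(obs)
    return unique


def build_alert(raw: str, reporter: str) -> Dict:
    """Turn one reported e-mail into an alert payload (assumed field names)."""
    msg = email.message_from_string(raw, policy=policy.default)
    # sourceRef is derived from the Message-ID so the same e-mail reported by
    # several employees collapses into one alert instead of many duplicates.
    msg_id = msg.get("Message-ID") or raw
    return {
        "type": "phishing",
        "source": "user-report",
        "sourceRef": hashlib.sha256(str(msg_id).encode()).hexdigest()[:16],
        "title": f"User-reported phishing: {msg.get('Subject', '(no subject)')}",
        "description": f"Reported by {reporter}; sender {msg.get('From', '')}",
        "severity": 2,
        "tags": ["phishing", "user-reported"],
        "observables": extract_observables(msg),
    }
```

The resulting dictionary is what the intake integration would hand to the platform; the extracted observables are what the responder step later acts on.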
Outcome
By integrating external communication channels and automating key response actions, the company significantly enhances its security operations.
TheHive ensures that all alerts are efficiently processed, necessary actions are taken swiftly and critical information is shared with both internal teams and external partners.
TheHive enables the kind of coordinated efforts that allow a company to counter sophisticated attacks, safeguarding critical infrastructure and contributing to a broader, industry-wide defense strategy.