SOC with Wazuh + TheHive + Cortex + MISP (attack & defense), Red Team mode - MITM, and Blue Team - TLS 1.3
In this video, AcadiaCyberSec showcases a SOC in real-world conditions. The goal is to demonstrate the power of a modern SOC, but also the risks when the infrastructure is not properly secured.

🔴 PART 1 — VULNERABLE SOC (MITM Attack)

We deploy a SOC infrastructure composed of:
• Wazuh
• TheHive (HTTP by default)
• Cortex (HTTP by default)
• MISP

We then simulate a real-world incident: a Linux server attempts to communicate with a malicious public IP address identified by MISP.

Real-time SOC workflow:
• Automatic case creation in TheHive
• Enrichment via Cortex & MISP
• Threat correlation
• Complete incident visibility

But we also show the reality on the ground: the TheHive and Cortex web interfaces run over plain HTTP, which exposes them to an internal MITM attack. On the attacking side, we:
• Intercept SOC administration sessions
• Intercept internal communications
• Run Nmap reconnaissance against the SOC servers

Even a SOC can be vulnerable if it is poorly secured.

🟢 PART 2 — SECURE SOC (Zero Trust Architecture)

We rebuild the architecture with enhanced security:
• NGINX reverse proxy in front of TheHive, Cortex, and DVWA
• 100% HTTPS infrastructure
• Secure communication between all SOC components

New incident simulation: an internal server contacts a malicious C2 domain.

Detection chain:
1. Wazuh generates an alert
2. TheHive automatically creates a case
3. Cortex enriches the incident
4. MISP confirms the threat
5. Complete analysis over HTTPS

The SOC is much more resilient and harder to attack.

What you will learn:
• Modern SOC architecture
• Automated incident response
• Real-time C2 detection
• Internal HTTP risks
• MITM in SOC networks
• Security via reverse proxy
• Real Blue Team workflow
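As an added example, not taken from the video or the AcadiaCyberSec lab, here is a minimal NGINX configuration in the spirit of Part 2: a TLS 1.3-only front end for TheHive and Cortex with a redirect of all plain-HTTP requests to HTTPS. The hostnames, certificate paths and the backend ports 9000 (TheHive) and 9001 (Cortex) are assumptions; the proxy only closes the MITM window if the backends themselves are no longer reachable over plain HTTP from the network.

```nginx
# Plain HTTP: answer only with a redirect, never serve the SOC UIs here.
server {
    listen 80;
    server_name thehive.soc.example cortex.soc.example;   # assumed hostnames
    return 301 https://$host$request_uri;
}

# TheHive behind TLS 1.3 only
server {
    listen 443 ssl;
    server_name thehive.soc.example;

    ssl_certificate     /etc/nginx/certs/thehive.crt;     # assumed paths
    ssl_certificate_key /etc/nginx/certs/thehive.key;
    ssl_protocols TLSv1.3;                                # refuse TLS 1.2 and older
    ssl_prefer_server_ciphers off;                        # TLS 1.3 suites are all strong
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # Backend should be bound to 127.0.0.1 (or firewalled) so the
        # HTTP port cannot be reached directly from the internal network.
        proxy_pass http://127.0.0.1:9000;                 # TheHive default port (assumed)
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Cortex behind TLS 1.3 only
server {
    listen 443 ssl;
    server_name cortex.soc.example;

    ssl_certificate     /etc/nginx/certs/cortex.crt;
    ssl_certificate_key /etc/nginx/certs/cortex.key;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:9001;                 # Cortex default port (assumed)
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Validate with `nginx -t` before reloading, and confirm from another host on the SOC network that the backend ports answer only via the proxy and that a TLS 1.2 handshake is rejected.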