This integration is focusing on the automated threat intelligence collection with McAfee ATD, OpenDXL and MISP. McAfee Advanced Threat Defense (ATD) will produce local threat intelligence that will be pushed via DXL. An OpenDXL wrapper will subscribe and parse indicators ATD produced and will import indicators into a threat intelligence management platform (MISP).

McAfee Advanced Threat Defense (ATD) is a malware analytics solution combining signatures and behavioral analysis techniques to rapidly identify malicious content and provides local threat intelligence. ATD exports IOC data in STIX format in several ways including the DXL. https://www.mcafee.com/in/products/advanced-threat-defense.aspx

MISP threat sharing platform is free and open source software helping information sharing of threat and cyber security indicators. https://github.com/MISP/MISP

Download the Latest Release

• Extract the release .zip file

MISP platform installation (Link) (tested with MISP 2.4.70)

PyMISP library installation (Link) or install dependencies using the requirements.txt file as mentioned below.

OpenDXL Python installation

1. Python SDK Installation (Link) Install the required dependencies with the requirements.txt file:

   $ pip install -r requirements.txt

   This will install the dxlclient, and pymisp modules.
2. Certificate Files Creation (Link)
3. ePO Certificate Authority (CA) Import (Link)
4. ePO Broker Certificates Export (Link)

McAfee ATD solution (tested with ATD 3.8)

McAfee ATD receives files from multiple sensors like Endpoints, Web Gateways, Network IPS or via Rest API. ATD will perform malware analytics and produce local threat intelligence. After an analysis every indicator of comprise will be published via the Data Exchange Layer (topic: /mcafee/event/atd/file/report).

The atd_subscriber.py receives DXL messages from ATD, prepares the JSON and loads misp.py.

Change the CONFIG_FILE path in the atd_subscriber.py file

CONFIG_FILE = "/path/to/config/file"

The misp.py script receives the JSON messages and parses IOCs and uses the Python API from MISP (PyMISP) to create a new threat event, add atributes and asign a tag.

Change the misp_url and misp_key

misp_url = 'https://misp-url.com/

misp_key = 'auth-key'

The MISP auth key can be found under the automation section in MISP.

Change the tag assignment in line 133

misp.add_tag(event, str("ATD:Report"))

Make sure that you added the tag in MISP already.

python atd_subscriber.py

or

nohup python atd_subscriber.py &

With this use case, ATD produces local intelligence and contributes information to an intelligence management platform like MISP. MISP is able to combine global, community and locally produced intelligence.