The ATD device is a sandboxing technology that can generate Indicators of Compromises, IOCs, and is able to pass that information over to the McAfee ESM. After the IOC is passed to the McAfee ESM, you can use the Cyber Threat Manager to view its details. These can be used to detect future attacks and assist in incident response or forensics.
Okay, let’s get started.
On our McAfee ESM box, select the receiver that you wish to add your ATD data source. Click on the Add Data Source icon at the top. For the Data Source Vendor, select McAfee and the Data Source Model, select the Advanced Threat Defense.
Enter any name to identify your ATD device and the ip address of the device. Also, enter 32 for the mask and set the correct time zone for the ATD device. After that’s all set, go ahead and click on the OK button.
After you click okay, it will ask if you would like to add the Advanced Threat Detection as a cyber threat feed source. A cyber threat feed source is an automatic way to provide the McAfee ESM with IOCs that were generated by the ATD. The McAfee ESM allows you to view and managed these IOCs with the Cyber Threat Manager dashboard which we’ll take a look at in a little bit. Go ahead and click Yes.
This will open up the Cyber Threat feed wizard. Enter a name for the feed, something like ATD IOC, and click next.
On the next screen, enter your ATD username and password and click Connect to test your settings. If that’s successful, click next . We’re putting the ATD credentials here so that when the McAfee ESM receives an event from ATD that identifies a convicted file, it will be able to automatically reach into ATD and download any new IOCs associated with the newly identified threat.
On the watchlist tab, we can have the IOC automatically populate one or more watchlists. For example, we can add any MD5 hash that has been found in the ATD IOC to a watchlist of malicious MD5 Hashes. You’ll need to select File_Hash as the watchlist type. With this watchlist, you can created a correlation rule that will generate an alert when this file hash is detected in the future. This is optional so if you don’t have a use for these yet, you can just skip this step and click next. You can always go back and modify this section later.
The final tab allows you to configure Backtrace. Backtrace will automatically detect if elements of this IOC has been detected in the past and you can have it generate an alarm when there is a match.
After you’re done, click on Finish. On the next screen, it’ll ask you to apply the settings to the receiver so just click Yes.
Next, we’ll want to enable the ATD off-box syslog and send it to the McAfee ESM. Go ahead and log into your ATD box.
After you’ve logged in, click on the Manage icon and select the Syslog Setting from the menu on the left. Go ahead and enable the Off-Box system log. Enter the ip address for your McAfee Receiver and use port 514 with TCP as the transport protocol. Test the connection to make sure that it tells you that the connection was successful.
If the test is successful, enable the Analysis Results for Medium to Very High. Otherwise it will send over all events, even ones that you probably aren’t concerned about.
After that’s all set, click Submit to save your settings.
Now that you’re ATD is set up, you can just send a sample file to test your ATD box. You can manually upload a file in the Analysis section of ATD. It’ll just take a short while for ATD to analyze your file. After the analysis is complete, McAfee ESM will received the results.
You can see the event that the ATD sent to the McAfee ESM with the events dashboard. This will show you the event information.
In addition, you can view the IOC details in the Cyber Threat Indicators dashboard which can be access that with the icon in the far right.
In this dashboard, we can see a list of IOCs that have been sent to your McAfee ESM. We can select an IOC and in the section below, it will show a description, the details, the source events, and the source flows if those exist. It’ll also show if there are any hits with the Backtrace feature.
So there we have it. It’s pretty simple to add ATD to the McAfee ESM and start getting valuable data such as Indicators of Compromise.