The Cyber Threat Manager allows the McAfee ESM to receive and parse Indicators of Compromise, or IOCs, and display them in the dashboards. There are various ways to pass the McAfee ESM IOCs, from STIX files or Mcafee's own ATD devices, but one of the best ways is to receive a TAXII feed. It can be automated and that's always nice.
First, let’s talk a little about IOC files. These are structured files are difficult for people to read, but they contain a lot of information about potential threats. IOCs can provide things such as ip addresses of bad destinations or URLs of malicious sites. Even though we might have a hard time reading the raw IOCs, the McAfee ESM can parse them and show them to us in a friendly format.
Setting up the TAXII Feed
We’re going to set up a TAXII feed with hailataxii.com and set it up to send us the latest IOCs within its repository automatically.
Let’s get started. To set up a threat feed, click on the left top menu and select System Properties.
Select Cyber Threat Feeds
Click on the Add button and that will bring up the Cyber Threat Feed Wizard
The first step is to name the feed. You can call it anything you’d like, so I’m just going to call my feed hailataxii and click Next.
On this screen, this is where I’m going to select where I pull my feed. When I click on the dropdown for the type, I have many options available. Most of these options allow me to retrieve a file from a remote location such as sftp or from an nfs share. We can also pull the IOC from a McAfee ATD.
We’re going to add the hailataxii feed. Select the TAXII from the dropdown.
Then enter http://hailataxii.com/taxii-discovery-service as the URL
Select the radio button next to POST and enter guest.dataForLast_7daysOnly in the Collection Name
Click on the Connect button to validate your settings
On the watchlist tab, we can have the IOC automatically populate one or more watchlists. For example, we can add any File Hashes that has been found in an IOC to a watchlist of malicious MD5 Hashes . You’ll need to select File_Hash as the watchlist type. With this watchlist, you can use it to create reports, filters, or correlations rules that will automatically generate an alert when this file hash is detected in the future. We’ll put the items identified by the TAXII feed into a watchlist for malicious URLs.
I'm going to select the URL field and then create a watchlist for these URLs. I’ll just click on the Create New Watchlist button.
On the next screen I'll name the Watchlist and click next under the Main tab.
Now I just need to select my newly created watchlist from the dropdown.
The final tab allows you to configure Backtrace. Backtrace will automatically detect if this IOC has been detected in the past and you can have it generate an alarm when there is a match.
Now that we have our Cyber Threat Feed created for hailataxii, we can click the retrieve button to start pulling IOCs.
Using the IOC Data
I can now view the IOCs in the McAfee ESM interface by clicking on the Cyber Threat Indicators button in the top right. That will bring me to the Cyber Threat Dashboard. I can see the Indicator Name, the Feed that provided the IOC, the date received, and the Backtrace Hit Count, which is the number of times the indicator has been seen the in the past. I can also download the IOC from the McAfee ESM with the download link.
At the bottom, I also have a row of tabs that can be used to view various details of the IOC.
In the description tab, I can see a description that was provided with the IOC.
In the Details tab, I can see the parsed IOC data. This will show you things like file names, hashes, and ip addresses that make up the IOC. This tab has taken all that difficult to read data and put it in an organized format
The source events tab are events that have attributed that matched up with details of the IOC and were found with the Backtrace feature. I can view the events and see details of why a system might have trigger a Backtrace hit.
Finally, the Source Flows tab would be network flows that were found with Backtrace.
I can also take a look at the watchlist that I had created. When I go to the watchlist section in the Configuration menu, I can select my watchlist and see the contents. These will be automatically updated when the feed does a scheduled pull. With this watchlist, you can use these for correlation rules and other alarms.
So, that’s a quick overview of the Cyber Threat Manager in the McAfee ESM. With the ability to parse IOCs and provide that intelligence to detect historical detection as well as the ability to add IOC data to watchlists, this is a powerful tool to find that specific needle in a haystack.