The Cyber Threat Manager allows the McAfee ESM to receive and parse Indicators of Compromise, or IOCs, and display them in the dashboards.
First, let’s talk a little about IOC files. These files are difficult for people to read, but they contain a lot of information about potential threats. IOCs can provide things such as ip addresses of bad destinations or hashes of malicious files. Even though we might have a hard time reading the raw files, the McAfee ESM can parse them and show them to us in a friendly format.
Okay, let’s get started. To set up a threat feed, click on the System Properties and then select the Cyber Threat Feeds section.
Click on the Add button and that will bring up the Cyber Threat Feed Wizard.
The first step is to name the feed. You can call it anything you’d like, so I’m just going to call my feed McAfee Threat Feed and click Next.
On this screen, this is where I’m going to select where I pull my feed. When I click on the dropdown for the type, I have many options available. Most of these options allow me to retrieve a file from a remote location such as sftp or from an nfs share. Also, we can pull the IOC from a McAfee ATD device as well as from a TAXII service.
For simplicity, I’m just going to set up a manual feed where I have to upload a file, but you can configure the remote connection if you have one available.
On the watchlist tab, we can have the IOC automatically populate one or more watchlists. For example, we can add any File Hashes that has been found in an IOC to a watchlist of malicious MD5 Hashes. You’ll need to select File_Hash as the watchlist type. With this watchlist, you can use it to create reports, filters, or correlations rules that will automatically generate an alert when this file hash is detected in the future. This is optional so if you don’t have a use for these yet, you can just skip this step and click next. You can always go back and modify this section later.
The final tab allows you to configure Backtrace. Backtrace will automatically detect if this IOC has been detected in the past and you can have it generate an alarm when there is a match.
Now that we have your Cyber Threat Feed created, we can feed it an IOC file. I am going to upload a sample file by clicking on Upload, and then selecting the sample file.
After I’ve uploaded the file, I can view them by clicking on the Cyber Threat Indicators button in the top right. That will bring me to the Cyber Threat Dashboards.
Here, I can see the IOCs that have been sent to the McAfee ESM. I can see the Indicator Name, the Feed that provided the IOC, the date received, and the Backtrace Hit Count, which is the number of times the indicator has been seen the in the past. I can also download the IOC from the McAfee ESM with the download link.
At the bottom, I also have a row of tabs that can be used to view various details of the IOC.
In the description tab, I can see a description that was provided with the IOC.
In the Details tab, I can see the parsed IOC data. This will show you things like file names, hashes, and ip addresses that make up the IOC. This tab has taken all that difficult to read data and put it in an organized format
The source events tab are events that have attributed that matched up with details of the IOC and were found with the Backtrace feature. I can view the events and see details of why a system might have trigger a Backtrace hit.
Finally, the Source Flows tab would be network flows that were found with Backtrace.
So, that’s a quick overview of the Cyber Threat Manager in the McAfee ESM. With the ability to parse IOCs and provide that intelligence to detect historical detection as well as the ability to add IOC data to watchlists, this is a powerful tool to find that specific needle in a haystack.