Web Gateway integration into Threat Intelligence Exchange and Advanced Threat Defense - some hints.
In an environment where thousands of requests and responses are passing through, there are some important things to think about.
Just one question: if 4500 requests per second occur at a company, what impact does that have when integrating TIE and ATD?
- ePO and TIE environment
- MWG is connected to DXL
- ATD is functioning
Goal: Smooth integration into TIE and ATD
- TIE is queried only for the right files.
- Only specific files are uploaded to ATD.
- No multiple uploads and queries to prevent overload on TIE/ATD.
At the moment, TIE only supports executables (default installation, no tweaks in the config files). Therefore the rulesets are only active for executables. Feel free to modify the rules in the future when ATD/TIE also support office documents and so on.
- The debug log files can be used to extend the ruleset as needed.
Integration into TIE
What should be avoided when using TIE:
- Queries where no file name is available.
- TIE queries only for executable code.
- Wrong TIE queries generate "empty" entries in the TIE database.
- Overload in TIE
Also, when installing a POC, entries in the TIE database with no file info are useless and not really pretty. And if you click on "where has file run" under TIE Reputations, you just see a GUID and not a system name.
The TIE server is only queried if the downloaded file is not an archive, is an executable, and is not a composite object.
No query to TIE if the Url.body file name is empty.
No Query if the file is not an executable (duplicate rule, just for testing)
Debug log for TIE requests (the file is written for debugging the request; you can figure out how the properties are filled when querying the TIE server).
No query if the file is not supported in TIE.
Block on TIE Reputation.
Log file entry example
Integration into ATD
What should be avoided when using ATD:
- Files should not be uploaded several times to ATD to avoid system overload
- Only supported files should be uploaded to ATD
Files are only sent to ATD if the file is a supported ATD file type, the file is smaller than 10 megabytes, and the file is an executable (the other entries are just a test in my environment).
Writing a debug log for ATD uploads.
No upload to ATD if GAM finds no malware and URL Reputation is okay (just a test).
No upload if the GAM proactive probability is set to a given value.
No upload to ATD if the file has been already analyzed.
No upload to ATD if there is a report available on ATD.
Enable a progress page during ATD analysis.
Block if ATD detects malware.
Log file entry example
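As an added example, not part of the original post and not Web Gateway rule syntax, the following Python models both gating decisions described above, the TIE query conditions and the ATD upload conditions, as plain functions over the properties the rules inspect. The media-type sets, the `Download` fields, the `AtdGate` helper and the sample downloads (with placeholder hashes) are constructed assumptions; on a real deployment, Web Gateway's own type detection and the TIE/ATD supported-type lists are the authority. It also records why a query or upload was suppressed, which is the information the debug logs mentioned above are meant to give you.

```python
"""Simulation of the TIE/ATD gating logic from the post (added example, not MWG rules)."""
from dataclasses import dataclass, field

# Assumed type sets; MWG's detected media type drives the real rules.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/x-elf"}
ARCHIVE_TYPES = {"application/zip", "application/x-rar-compressed", "application/x-7z-compressed"}
ATD_MAX_BYTES = 10 * 1024 * 1024  # "smaller than 10 megabytes"


@dataclass
class Download:
    file_name: str             # URL/body file name, may be empty
    media_type: str
    size: int
    sha256: str                # placeholder values below, used to spot repeats
    composite: bool = False    # composite object (e.g. a bundle of several files)
    tie_supported: bool = True
    atd_supported: bool = True


def tie_query_reason(d):
    """Return None if TIE should be queried, else the rule that suppressed the query."""
    if not d.file_name:
        return "no file name"            # would create an empty TIE database entry
    if d.media_type in ARCHIVE_TYPES:
        return "archive"
    if d.media_type not in EXECUTABLE_TYPES:
        return "not executable"
    if d.composite:
        return "composite object"
    if not d.tie_supported:
        return "unsupported by TIE"
    return None


@dataclass
class AtdGate:
    """Remembers what was already sent so each file is uploaded to ATD only once."""
    analyzed: set = field(default_factory=set)

    def upload_reason(self, d):
        """Return None if the file should be uploaded, else the suppressing rule."""
        if not d.atd_supported:
            return "unsupported by ATD"
        if d.size >= ATD_MAX_BYTES:
            return "too large"
        if d.media_type not in EXECUTABLE_TYPES:
            return "not executable"
        if d.sha256 in self.analyzed:
            return "already analyzed"    # a report is already available on ATD
        self.analyzed.add(d.sha256)
        return None


def decide(downloads):
    """Apply both gates in order; returns (hashes queried at TIE, hashes uploaded to ATD)."""
    gate = AtdGate()
    tie, atd = [], []
    for d in downloads:
        if tie_query_reason(d) is None:
            tie.append(d.sha256)
        if gate.upload_reason(d) is None:
            atd.append(d.sha256)
    return tie, atd


# Constructed sample traffic: sizes in bytes, hashes are placeholders.
SAMPLE = [
    Download("setup.exe", "application/x-msdownload", 2 * 1024 * 1024, "h1"),
    Download("setup.exe", "application/x-msdownload", 2 * 1024 * 1024, "h1"),   # repeat
    Download("", "application/x-msdownload", 1 * 1024 * 1024, "h2"),            # no name
    Download("archive.zip", "application/zip", 3 * 1024 * 1024, "h3"),
    Download("big.exe", "application/x-msdownload", 15 * 1024 * 1024, "h4"),    # >10 MB
    Download("report.pdf", "application/pdf", 200 * 1024, "h5"),
]

if __name__ == "__main__":
    queried, uploaded = decide(SAMPLE)
    print("TIE queries:", queried)      # ['h1', 'h1', 'h4']
    print("ATD uploads:", uploaded)     # ['h1', 'h2']
    for d in SAMPLE:
        print(d.file_name or "<no name>", tie_query_reason(d), AtdGate().upload_reason(d))
```

Note that the TIE gate is stateless, matching the post's TIE rules, while the ATD gate keeps state to honour "no upload if the file has already been analyzed"; on the gateway that state is the cache or the ATD report lookup rather than an in-memory set.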
- Take care when integrating ATD and TIE.
- Take a look at what is going on.
- If everything is okay, there should be no entries in the TIE database without any file details.
Attached: the ruleset examples.