This use case focuses on automated real-time threat sharing with MISP (Malware Intelligence Sharing Platform), the IntelMQ orchestration tool and OpenDXL. IntelMQ collects data from MISP, parses it and pushes the intelligence via OpenDXL to, for example:
- run multiple McAfee Active Response searches across multiple DXL fabrics. (Link)
- update McAfee TIE Server (Malicious Hashes) (Link)
- update McAfee Web Gateways (IP subscribed Lists) (Link)
- update Forcepoint Firewalls (Link)
- update Check Point Firewalls (Link)
MISP is a free and open source threat sharing platform that helps organisations share threat and cyber security indicators. https://github.com/MISP/MISP
IntelMQ is an orchestration solution for IT security teams (CERTs, CSIRTs and abuse departments) for collecting and processing security feeds. It is a community-driven initiative called IHAP (Incident Handling Automation Project), conceptually designed by European CERTs/CSIRTs. Its main goal is to give incident responders an easy way to collect and process threat intelligence. https://github.com/certtools/intelmq
Since IntelMQ is supported on Linux only, this solution runs on Linux only. The Python dependencies have to be installed on a Linux system.
MISP platform installation (Link) (tested with MISP 2.4.70)
PyMISP library installation (Link) or install dependencies using the requirements.txt file as mentioned below.
IntelMQ installation (Link)
IntelMQ Manager installation (Link)
Download the Latest Release
- Extract the release .zip file
OpenDXL Python installation
- Python SDK Installation (Link)
Install the required dependencies with the requirements.txt file:
$ pip install -r requirements.txt
This will install the dxlclient, pymisp, and intelmq modules. The solution has been tested with the Python intelmq library version 1.0.0.dev6.
- Certificate Files Creation (Link)
- ePO Certificate Authority (CA) Import (Link)
- ePO Broker Certificates Export (Link)
The IntelMQ Manager can be accessed via http://ip-address/. Under Configuration you can create specific Collectors, Parsers, Experts and Outputs.
For this particular use case we collect data from the Malware Intelligence Sharing Platform (MISP) based on specific tags. We parse the information and use OpenDXL as an output to share it across multiple DXL fabrics and platforms. OpenDXL is not available as a native IntelMQ output, so it has to be added as described below.
Change the CONFIG_FILE path in the example_test.py file
CONFIG_FILE = "/path/to/config/file"
To add OpenDXL we first need to create a new BOT in /opt/intelmq/etc/BOTS.
Add under Output the new DXL item e.g:
"McAfee DXL": {
    "description": "This output will generate a DXL message.",
    "module": "intelmq.bots.outputs.dxl.output",
    "parameters": {
        "file": "/opt/intelmq/var/lib/bots/file-output/dxl_events.txt",
        "hierarchical_output": false
    }
},
Next we need to create a bot output file in the /usr/local/bin library. This output file serves one OpenDXL output; if more outputs are needed, duplicate the file and change the IntelMQ output target.
Next we need to add / modify the entry point file.
/usr/local/lib/python3.4/dist-packages/intelmq-1.0.0.dev6.egg-info/entry_points.txt
Add the new BOTS.
e.g. intelmq.bots.outputs.dxl.outputc1 = intelmq.bots.outputs.dxl.outputc1:BOT.run
A simple DXL script publishes the collected MISP information on a specific DXL topic:
/usr/local/lib/python3.4/dist-packages/intelmq/bots/outputs/dxl/example_test.py
Finally we need to create a BOT that executes the OpenDXL Python script above:
/usr/local/lib/python3.4/dist-packages/intelmq/bots/outputs/dxl/output1.py
The output1.py script contains the call that executes the OpenDXL script:
subprocess.call(['/usr/bin/python','/usr/local/lib/python3.4/dist-packages/intelmq/bots/outputs/dxl/example_test.py', event_data])
The subprocess.call is necessary because the OpenDXL script runs under Python 2.7 while IntelMQ uses Python 3.x. Make sure to use full path names in the dxlclient.config file.
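The script on the receiving end of that subprocess.call, as an added example that is not the page's own example_test.py: it takes one IntelMQ event as a JSON string in sys.argv[1], keeps only an allow-list of harmonised IntelMQ fields, and publishes the result as a DXL event. The allow-list, the topic prefix "/intelmq/misp" and the way the topic is derived from classification.type are assumptions made for this example; the dxlclient calls are the OpenDXL Python SDK's, imported lazily so the parsing and message-building parts can run on a host without the SDK. Written to run under Python 2.7 as well as Python 3.

```python
"""
Added example, not the project's own example_test.py: the DXL-side script that
IntelMQ's output bot starts via subprocess.call, receiving one event as a JSON
string in sys.argv[1] and publishing it as a DXL event.

Assumptions (not taken from the page): the allow-list of forwarded fields, the
topic prefix "/intelmq/misp" and the way the topic is derived from
classification.type. Field names are IntelMQ's harmonised ones.
"""
import json
import sys

CONFIG_FILE = "/path/to/config/file"   # full path to dxlclient.config

# Assumed topic prefix; subscribers see one sub-topic per classification type.
TOPIC_PREFIX = "/intelmq/misp"

# Assumed allow-list: only these IntelMQ fields leave the bot. Everything else
# (raw feed data, queue metadata) is dropped before the payload is built.
FORWARDED_FIELDS = (
    "classification.type",
    "source.ip", "source.fqdn", "source.url",
    "malware.hash.md5", "malware.hash.sha1", "malware.hash.sha256",
    "feed.name", "time.source", "event_description.text",
)


def parse_event_data(event_data):
    """Parse the JSON string handed over on the command line.

    Anything that is not a JSON object is rejected with ValueError, so a
    malformed queue entry fails loudly instead of producing an empty event."""
    try:
        event = json.loads(event_data)
    except ValueError as exc:
        raise ValueError("event_data is not valid JSON: %s" % exc)
    if not isinstance(event, dict):
        raise ValueError("event_data must be a JSON object")
    return event


def build_message(event):
    """Return (topic, payload) for the DXL event.

    The payload is canonical JSON (sorted keys) containing only allow-listed
    fields, encoded as UTF-8 bytes for the DXL Event payload."""
    classification = event.get("classification.type", "unknown")
    topic = "%s/%s" % (TOPIC_PREFIX, classification)
    payload = dict((k, event[k]) for k in FORWARDED_FIELDS if k in event)
    return topic, json.dumps(payload, sort_keys=True).encode("utf-8")


def publish_event(config_file, topic, payload):
    """Connect to the DXL fabric described by dxlclient.config and send the
    event. dxlclient is imported here so the rest of the module can be used
    (and tested) on a host without the OpenDXL SDK installed."""
    from dxlclient.client import DxlClient
    from dxlclient.client_config import DxlClientConfig
    from dxlclient.message import Event

    config = DxlClientConfig.create_dxl_config_from_file(config_file)
    with DxlClient(config) as client:
        client.connect()
        event = Event(topic)
        event.payload = payload
        client.send_event(event)


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: %s '<event json>'\n" % argv[0])
        return 2
    try:
        event = parse_event_data(argv[1])
    except ValueError as exc:
        sys.stderr.write("refusing event: %s\n" % exc)
        return 1
    topic, payload = build_message(event)
    publish_event(CONFIG_FILE, topic, payload)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The bot passes the whole event, but only the allow-listed fields reach the fabric, so the raw feed line and IntelMQ's internal fields never show up in a TIE or gateway update; subscribers that only care about one classification can subscribe to that sub-topic.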
- Add a new MISP collector. Change the following information:
  - MISP_Key (MISP automation key)
  - MISP_tag_processed (new tag that is assigned to the MISP event after processing)
  - MISP_tag_to_process (tag of the events that should be processed)
  - MISP_url
  - MISP_verify (optional check of trusted/untrusted SSL certificates)
- Add the MISP parser to the configuration page.
- Add the McAfee DXL output and change the module name to the module you want to execute.
- Link the MISP collector with the parser and the output and save the configuration.
- Start the BOTS under the management page.
IntelMQ collects the tagged events and publishes this information via DXL. It is also possible to filter the data before it gets sent via DXL (e.g. filter out hashes, IPs and domains).
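The filtering step mentioned above, as an added example that is not part of the original page or of IntelMQ: it runs on the Python 3 side (inside the output bot, before anything is handed to the DXL script) and keeps only well-formed hashes, IP addresses and domains, so one output can be limited to the indicator kinds its target consumes (hashes for TIE, IPs and domains for a web gateway or firewall list). The IntelMQ harmonised field names are real; the NEVER_FORWARD address ranges are an example policy and SAMPLE_EVENT is constructed for this example.

```python
"""
Added example (not part of the page or of IntelMQ): filter the events an
output bot receives so that only well-formed hashes, IP addresses and domains
are handed to the DXL script. Runs under Python 3, the side IntelMQ runs on.

Assumptions: the IntelMQ harmonised field names used below, the NEVER_FORWARD
address ranges as an example policy, and the constructed SAMPLE_EVENT.
"""
import ipaddress
import re

# Hash fields and the hex length each must have.
HASH_FIELDS = {
    "malware.hash.md5": re.compile(r"^[0-9a-f]{32}$"),
    "malware.hash.sha1": re.compile(r"^[0-9a-f]{40}$"),
    "malware.hash.sha256": re.compile(r"^[0-9a-f]{64}$"),
}
IP_FIELDS = ("source.ip", "destination.ip")
DOMAIN_FIELDS = ("source.fqdn", "destination.fqdn")

# Hostname syntax: two or more labels of letters, digits and hyphens, no label
# starting or ending with a hyphen, 253 characters overall at most.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

# Example policy: addresses in these ranges are never pushed to a blocklist,
# because a feed entry pointing at internal, loopback or multicast space would
# turn into a self-inflicted outage on the firewall or web gateway.
NEVER_FORWARD = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def extract_indicators(event):
    """Return [(kind, value), ...] for the indicators found in one event.

    Values are normalised (lower-cased, trailing dot removed) and anything
    malformed is skipped rather than forwarded."""
    found = []
    for field, pattern in HASH_FIELDS.items():
        value = str(event.get(field, "")).lower()
        if value and pattern.match(value):
            found.append(("hash", value))
    for field in IP_FIELDS:
        value = event.get(field)
        if not value:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue
        # 'addr in net' is False when the IP versions differ, so mixing
        # IPv4 and IPv6 networks in NEVER_FORWARD is safe.
        if not any(addr in net for net in NEVER_FORWARD):
            found.append(("ip", str(addr)))
    for field in DOMAIN_FIELDS:
        value = str(event.get(field, "")).lower().rstrip(".")
        if value and DOMAIN_RE.match(value):
            found.append(("domain", value))
    return found


def filter_event(event, allowed_kinds):
    """Keep only the indicator kinds one output is responsible for, e.g.
    {"hash"} for a TIE update or {"ip", "domain"} for a gateway list."""
    return [(k, v) for k, v in extract_indicators(event) if k in allowed_kinds]


# Constructed sample event in IntelMQ's harmonised format (documentation
# addresses and a reserved example domain, not real indicators).
SAMPLE_EVENT = {
    "classification.type": "malware",
    "malware.hash.md5": "D41D8CD98F00B204E9800998ECF8427E",
    "malware.hash.sha1": "not-a-hash",
    "source.ip": "192.0.2.10",
    "destination.ip": "10.1.2.3",
    "source.fqdn": "Bad.Example.com.",
    "raw": "base64-encoded feed line (dropped)",
}

if __name__ == "__main__":
    for kind, value in extract_indicators(SAMPLE_EVENT):
        print(kind, value)
```

Running it on the sample event yields the md5 (lower-cased), the source IP and the domain; the malformed sha1 and the RFC 1918 destination address are dropped. A bot that feeds the web gateway list would call filter_event(event, {"ip", "domain"}), the TIE bot filter_event(event, {"hash"}).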
MISP contains global, community and locally produced intelligence that can be used with IntelMQ and OpenDXL for automated threat hunting and threat response.