JENNIFER VALVERDE
Introduction
Purpose
Deployment Requirements
Optional Components
Requirements/Pre-Requisites
Installation and Configuration Checklist
Installation and Configuration of McAfee Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL)
Installing the TIE/DXL server
Configuring the TIE Solution
Content Testing with benign samples
User Stories
Immediate Visibility: Gain insight into executables & certificates run in your environment
The TIE Client: A new kind of protection against emerging threats
Control: Take immediate action
Speed and Distribution: It's fast
Incident Response: Patient Zero & Clean Up
Appendix
McAfee Advanced Threat Defense for Automated Intelligence
VirusTotal
Baseline Gold Images with the TIE Scanner
Troubleshooting
Introduction
McAfee Threat Intelligence Exchange provides adaptive prevention for emerging
threats. It quickly analyzes files and content in your environment and makes
informed security decisions based on a file's reputation and your specific criteria to
determine if there is a threat to your environment.
The challenge in today's network environment is the growing number of devices and
systems on a network, and their inability to communicate security information with
each other. Until now, they have acted as separate silos and could not be
intelligently managed as a whole.
Threat Intelligence Exchange changes that. Imagine knowing exactly which
machines have been compromised by a specific file, and then acting immediately to
prevent the threat from spreading throughout your environment, even to remote
networks and systems. You can see exactly on which system the threat was first
seen and where it went from there, and stop it immediately across your entire
environment.
Threat Intelligence Exchange provides the latest technology in detecting and
preventing threats:
A security ecosystem that allows instant communication between endpoints,
systems, and devices in your environment. They send information to the
Threat Intelligence Exchange server where it is then available to endpoints
throughout your environment.
A new kind of endpoint protection that evaluates local, global and enterprise
level intelligence to make smart execution time decisions to allow or block
executables.
Faster detection and protection against security threats and malware.
The ability to immediately block or allow specific files and certificates based
on their threat reputations.
Purpose
This guide is intended to assist with the setup, configuration, and use of McAfee's
Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL) version 1.0 for
testing, evaluation or Proof-of-Concept (POC). This guide will walk you through the
pre-requisites, installation, deployment, configuration and the most common scenarios
used for testing and getting the most value from TIE and DXL in your environment.
The use cases were designed to demonstrate the most common issues TIE solves at
the near real-time speed DXL offers.
Deployment Requirements
The Threat Intelligence Exchange server stores file and certificate reputation
information. It then communicates that information to other systems and
endpoints in your environment as needed. The benefit of context-aware
security is the ability to gather situational and environmental information at
the moment the system is running. The information is then used to
communicate and share file and certificate reputation information to make
real-time, accurate security decisions.
Data Exchange Layer (DXL)
Threat Intelligence Exchange Client (TIE module for VSE)
Agent module that quickly analyzes files and content in your environment
and makes informed security decisions based on a file's reputation, local,
global and enterprise context and your specific policy to determine if there is
a threat to your environment. The TIE Client requires the McAfee Agent and
VSE to be installed.
For a more detailed description of each of the key components please refer to the
product guide.
Optional Components
There are additional components, such as Advanced Threat Defense, which add value
to the TIE solution. They are optional, but may be required for successful completion
of an evaluation. As more products are integrated into the DXL the possibilities greatly
increase. Supplemental documentation on optional components and additional
products can be found in the appendix of this POC Guide.
Advanced Threat Defense (ATD)
VirusTotal is a free service that analyzes suspicious files and URLs and
facilitates the quick detection of viruses, worms, trojans, and all kinds of
malware. For additional information on VirusTotal see
https://www.virustotal.com/
Requirements/Pre-Requisites
In order to successfully deploy the McAfee TIE solution for evaluation, the following
is required:
McAfee software
Customer provided
Ports:
ePO ports (default TCP 80, 443, 8081, 8443, 8444, 1433; UDP 8082, 1434). For more detailed information see KB66797.
TIE server/DXL ports (default TCP 8883, 1883)
Postgres (TCP and UDP 5432)
Private API key from VirusTotal (see the appendix for instructions on obtaining this)
2 or more endpoints:
You can install the Threat Intelligence Exchange Client on the following operating
systems.
**It is more accurate and interesting in a POC to use a typical system in your
environment for testing. If a live production system is not available we
suggest using VMware physical-to-virtual conversion to make a copy of a
production system. For additional information regarding vCenter Converter
see http://www.vmware.com/products/converter/features
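Before deploying the OVA it is worth confirming that the firewall paths between the endpoints, the TIE/DXL appliance and ePO actually allow the ports listed above. The Python script below is an added example (it is not part of the McAfee guide) that probes each TCP port from whichever machine you run it on. The host names are placeholders, and the assignment of ports to hosts (the ePO ports to the ePO server, the broker and Postgres ports to the TIE/DXL appliance) is this example's assumption. The UDP ports cannot be verified with a plain connect, so they are only listed for reference.

```python
import socket

# Ports the guide lists for a TIE/DXL POC. Host names are placeholders for this
# example; replace them with the ePO server and TIE/DXL appliance used in the POC.
REQUIRED_TCP_PORTS = {
    "epo.example.local": [80, 443, 8081, 8443, 8444, 1433],  # ePO ports (see KB66797)
    "tie.example.local": [8883, 1883, 5432],                  # DXL broker ports and Postgres
}
# Listed for reference only: a UDP port cannot be confirmed open with a connect().
REQUIRED_UDP_PORTS = {
    "epo.example.local": [8082, 1434],
    "tie.example.local": [5432],
}


def tcp_port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unresolvable name, no network
        return False


def check_ports(port_map, probe=tcp_port_open):
    """Probe every host/port pair in `port_map` and return {(host, port): reachable}.

    `probe` is injectable so the logic can be exercised without a live network."""
    return {(host, port): probe(host, port)
            for host, ports in port_map.items()
            for port in ports}


def unreachable(results):
    """The (host, port) pairs that failed, sorted so the report is stable."""
    return sorted(key for key, ok in results.items() if not ok)


if __name__ == "__main__":
    results = check_ports(REQUIRED_TCP_PORTS)
    for (host, port), ok in sorted(results.items()):
        print(f"{host}:{port:<5} {'open' if ok else 'BLOCKED'}")
    missing = unreachable(results)
    if missing:
        print(f"{len(missing)} required TCP port(s) not reachable; check the firewalls "
              "between this host, the TIE/DXL appliance and ePO before continuing")
    else:
        print("all required TCP ports reachable (UDP ports not tested)")
```

Run it once from an endpoint (which needs the broker ports on the TIE/DXL appliance) and once from the TIE/DXL appliance itself (which needs the ePO ports), since the two paths cross different firewall rules.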
Installation and Configuration Checklist
The TIE Installation Guide can be found on the McAfee download site with a valid
grant number. The installation is fairly quick; however, the following steps should be
performed in order. This checklist is provided as a reference to give you a forward
look at what steps will be performed as well as a reference to how far along in the
install process you are.
Pre-requisites (need to be installed prior to following the installation steps of this
guide)
Install ePO 5.1.1
Install McAfee Agent 5.0 on 2 or more endpoints
Check in package MA-WIN 5.0.0 Build XXXX Package #x
(ENU-LICENSED-Release-MAIN)
Install extension EPOAGENTMETA.zip
Install and deploy the VSE client to your endpoints
Check the following files into the software repository:
VSE 8.8.0 Build xxxx Package #x (AAA-LICENSED-RELEASE-PATCH 4)
VSE 8.8.0 Build xxxx Package #x (AAA-LICENSED-RELEASE-HOTFIX
929019)
Install extension VSE 8.8.0 Build xxxx Package #x
(AAA-LICENSED-RELEASE-PATCH 4)
Deploy VSE to the Client systems
Create a client task to apply VSE hotfix
A wildcard search for TIE file or cert reputation returns data (Note: you may have to execute a few samples on the endpoint to see data in the TIE Reputations page)
Configure TIE server extension in ePO
Add VirusTotal API key to Server Settings
In the Policy Catalog configure GTI, Telemetry, and ATD settings
Configure DXL Broker in ePO server settings
The TIE/DXL server is deployed as a Virtual Server. Ensure the virtual machine has
the following hardware specifications. For the purposes of POC, we assume the TIE
server and DXL broker will be installed on the same server:
**The TIE/DXL server is a single McAfee provided OVA file that includes both
components.
Other considerations:
Determine the IP address to be used during the POC. Both Manual and DHCP
options are available.
Determine the IP address and administrator username and password of the
ePO server that TIE/DXL will be connecting to.
For a quick video demonstration of the TIE/DXL server deploy and installation go to:
https://mcafee.box.com/s/sie74ncenw9nqo92tbiy
These steps will walk you through downloading, installing and configuring the
McAfee Threat Intelligence Exchange and Data Exchange Layer Server:
4. In ePO, install the following extensions. Select Menu | Software | Extensions and then click Install Extension:
DXLBrokerMgmt_1.0.0_Build_xxxx Package #x.zip
DXLClient_1.0.0_Build_xxxx Package #x.zip
DXLClientMgmt_1.0.0_Build_xxxx Package #x.zip
help_dxl_100.zip
TIEServerMgmt_1.0.0_Build_xxx Package #x.zip
help_tie_100.zip
TIEmMeta.zip
help_jtic_100.zip
5. Check the DXL and TIE packages (McAfee DXL; Threat Intelligence Exchange module for VSE) into the Master Repository. Select Menu | Software | Master Repository and then click Check In Package. The Master Repository should appear as follows:
7. Browse to the location of the TIEServer_1.0.0.xxx.x86_64-MAIN.ova file on your computer, and then click Next.
9. Create a root password for the Threat Intelligence Exchange virtual server. The password must be at least nine characters. Press Y to create.
9. The operational account will have limited permissions. Enter an Account Name, Real Name, and Password.
12. Enter the Hostname and Domain Name (if appropriate) of the computer where you are installing the Threat Intelligence Exchange server appliance. Enter Y to continue.
Enter Y to continue at each of the following confirmation prompts.
16. Select the services to run on the Threat Intelligence Exchange server. Enter Y to continue. Enter M for configuration. Enter Y to continue.
Note: For the POC only install a Master.
Master server replicates the TIE database to all Slave servers, if you have them.
Write-only Master server does not process reputation requests or any non-essential functionality beyond writing and maintaining the database. Because a write-only Master server does not process requests over the Data Exchange Layer, it increases system performance by replicating the database, leaving the Data Exchange Layer requests to the Slave servers.
Slave server processes Data Exchange Layer requests exactly like a Master server using a database that's replicated from the Master database. The Slave server must have access to the Master server.
Reporter is a Slave server that does not process reputation requests. It improves McAfee ePO reporting by replicating the database information without processing Data Exchange Layer requests.
TIE server database.
Enter Y to continue.
Enter Y to continue.
22. Select the checkbox for Make this the default database for the selected database type.
Database Vendor: select TieServerPostgres.
Host name or IP address: enter the host name of the system where you installed the TIE server.
Database name: enter tie. **This is case sensitive.
Click Test Connection to verify the connection information and user credentials.
23. To verify that the TIE/DXL server is installed and communicating properly, open the System Tree in ePO. The TIE Server is listed as a managed system.
You may have to wait for 2 ASCIs for all components to install and check in properly. Doing an Agent Wake-Up Call with Force complete policy and task update checked can speed up this process.
Note: It is important you do not push the McAfee Agent, DXL Client or TIE module to the TIE server. The products listed above will be installed as part of the install process.
26. Click Actions | DXL | Lookup in DXL.
Installing and verifying the DXL client and McAfee Threat Intelligence Exchange Module for VSE on your endpoint
Prerequisites for the TIE Client:
These steps will walk you through installing and verifying the DXL client and McAfee Threat Intelligence Exchange module for VSE:
3. Name the deployment DXL. Choose the Data Exchange Layer Client 1.0.0 package.
4. Click Select Systems.
5. To complete the Product Deployment form select Run Immediately.
6. At the top of the Product Deployment page click Save to begin deployment.
9. Name the deployment TIE.
12. At the top of the Product Deployment page click Save to begin deployment.
Configuring the TIE Solution
Prerequisites
Before completing this section you must have completed the server and client installation sections. The policies set in this section must be mirrored in order for the use cases in the next section to perform as documented.
Considerations
For the POC we will be setting the client policy to block at Unknown. In order to demonstrate the capabilities without compromising safety, the files used in the sample set are benign. In production it would be more common for blocking to be set at Might be Malicious, since blocking at Unknown also stops every new, legitimate binary until it has a reputation. See below for recommendations:
Might be Malicious: Most endpoints would fall into this category (**depending on the risk tolerance of your organization)
TIE Scanning tool: The TIE Scan tool performs TIE analysis on user-specified files and folders, and populates a TIE server database with baseline data from a gold image. The TIE Scanning tool is not an official part of the product and comes with minimal/no support or documentation. Please refer to the Baseline Gold Images with the TIE Scanner section of the appendix for more information.
These steps will walk you through TIE server and client extension configuration as needed for the user story section:
Click Edit.
2. Enter your VirusTotal Public/Private Key. Click Save.
**For more information on how to obtain the VirusTotal Public/Private Key see the appendix.
5. On the Advanced Threat Defense (ATD) tab, you can configure ATD server settings. Files can be sent to ATD for further evaluation. Check Enabled.
6. To access the TIE Client policy, select Menu | Policy | Policy Catalog and select Threat Intelligence Exchange Module for VSE 1.0.0 in the Product dropdown. Click My Default to configure.
Self Protection: If selected, prevents users on managed endpoints from changing Threat Intelligence Exchange module settings.
8. Set Operation Mode to Enforce.
Operation Mode: Specifies whether the module applies the policy settings on this page.
Enforce: Enforce the policy per the settings on the page.
Observe: Collect data as if the policy were enforced and send it to the server, but don't actually enforce the policy. This option allows you to see what effect the policy would have without running it.
Disabled: Do not enforce the policy.
Balance Security For: There are three levels that reflect the amount of risk, or security, allowed on the systems that use this policy.
High change systems: block and prompt the least
Typical systems: block and prompt more
Low change systems: block and prompt the most
**To enable or disable specific rules for each security level review the server settings for the TIE module for VSE.
Set Block at: Unknown.
Reputation Responses for Executables, DLLs, Drivers: Specify what happens when a file with a specific reputation level tries to run on a system that uses this policy.
Clean at: Select a file reputation level at which the file is cleaned using VirusScan Enterprise and then allowed to run. This option is available only for the High change systems and Typical systems security levels.
**We recommend using Clean at only with known malicious file reputations because Clean at might delete the file.
Block at: Select a file reputation level at which files are blocked. When a file with this reputation tries to run in your environment, it's prevented from running but remains in place. If you discover that the file is safe and you want it to run, you can change its file reputation to a level that is allowed to run, such as Known Safe.
12. Leave End User Prompting disabled for the POC.
Prompt at: Specify the file reputation level at which users are prompted to allow or block the file. The prompt level must not conflict with the Clean at or Block at settings. For example, if you block unknown files, you can't set this field to Might Be Malicious because it has a higher security threat than Unknown.
Custom Prompt Text: Enter text the user sees when a file that meets the prompting criteria attempts to run. If you don't enter custom text, a default message is used.
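To make the interaction between Clean at, Block at and Prompt at concrete, here is an added Python model (example code, not from the McAfee guide or the product) of how the thresholds on this policy page combine into an action for a file of a given reputation, including the Observe and Disabled operation modes and the Balance Security For restriction on Clean at. The seven reputation names are the scale TIE uses; their numeric ordering, the function names and the encoding of the page's constraints (Clean at must sit at or beyond Block at, Prompt at must sit at a less malicious level than Block at) are this example's own.

```python
# Reputation scale of the TIE module for VSE, listed from most trusted to most
# malicious. The numeric ranks are this example's convention (higher = worse).
REPUTATION_LEVELS = [
    "Known Trusted", "Most Likely Trusted", "Might Be Trusted", "Unknown",
    "Might Be Malicious", "Most Likely Malicious", "Known Malicious",
]
THREAT = {name: rank for rank, name in enumerate(REPUTATION_LEVELS)}


def validate_policy(block_at, clean_at=None, prompt_at=None, balance="Typical systems"):
    """Return the conflicts between the thresholds; an empty list means the policy is consistent."""
    problems = []
    for label, level in (("Block at", block_at), ("Clean at", clean_at), ("Prompt at", prompt_at)):
        if level is not None and level not in THREAT:
            problems.append(f"{label}: unknown reputation level {level!r}")
    if problems:
        return problems
    if clean_at is not None:
        if balance == "Low change systems":
            problems.append("Clean at is only available for High change and Typical systems")
        if THREAT[clean_at] < THREAT[block_at]:
            problems.append("Clean at must be at the Block at level or a more malicious one")
        if clean_at != "Known Malicious":
            problems.append("Clean at is recommended only for Known Malicious: a clean may delete the file")
    if prompt_at is not None and THREAT[prompt_at] >= THREAT[block_at]:
        problems.append(f"Prompt at {prompt_at!r} conflicts with Block at {block_at!r}: "
                        "files at or beyond Block at are already blocked, never prompted")
    return problems


def decide(reputation, block_at, clean_at=None, prompt_at=None, mode="Enforce"):
    """Action the module takes when a file with `reputation` tries to run under this policy."""
    if mode == "Disabled":
        return "allow"           # the policy is not applied; VSE scanning alone still runs
    rank = THREAT[reputation]
    if clean_at is not None and rank >= THREAT[clean_at]:
        action = "clean"         # VSE clean: running processes of the file are terminated
    elif rank >= THREAT[block_at]:
        action = "block"         # prevented from running, file left in place
    elif prompt_at is not None and rank >= THREAT[prompt_at]:
        action = "prompt"        # the user decides (only when End User Prompting is enabled)
    else:
        action = "allow"
    # Observe mode records what would have happened without enforcing it.
    return f"observe:{action}" if mode == "Observe" else action


if __name__ == "__main__":
    poc = dict(block_at="Unknown", clean_at="Known Malicious")   # the policy this guide configures
    print("POC policy conflicts:", validate_policy(**poc) or "none")
    for rep in REPUTATION_LEVELS:
        print(f"{rep:22} -> {decide(rep, **poc)}")
    bad = dict(block_at="Unknown", prompt_at="Might Be Malicious")  # the conflict the page describes
    print("conflicting policy:", validate_policy(**bad))
```

Running the script with the POC policy shows the split this guide relies on: anything at Unknown or worse is blocked, Known Malicious is cleaned, and the three trusted levels run. Switching `mode` to "Observe" is the safe way to preview a stricter Block at on production endpoints before enforcing it.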
Content Testing with benign samples
Tools
Hash tool: Determining the hash of a file allows the administrator to import a reputation before the file ever enters the environment. Hash tool: http://www.keir.net/hash.html
Hex editor: A hex editor allows a file to be modified just enough to change the hash of the file. When testing samples that are already known trusted, hex editing is a good way to create a new sample. Hex editor: http://download.cnet.com/HxD-Hex-Editor/3000-2352_4-10891068.html
Samples
Instructions & Samples: http://mcaf.ee/yiuva
User Stories
The user story section is designed to demonstrate the most common use cases for the TIE solution. This section does not include all TIE features and functionality. The following use cases were designed to be performed in the order documented:
Immediate Visibility: Gain insight into new executables and certificates running in your environment
The TIE Client: A new kind of protection against emerging threats
Control: Take immediate action
Speed and Distribution: It's fast
Incident Response: Patient Zero & Clean Up
Immediate Visibility: Gain insight into new executables and certificates running in your environment
McAfee Threat Intelligence Exchange brings immediate visibility into the presence of advanced targeted attacks and emerging threats by automatically assembling events and valuable context as communicated from the new intelligence-based endpoint client, gateways, and other connected security components.
Pre-requisites:
Objective
The objective of this use case is to demonstrate the ability to identify new executables and certificates that are being run in your environment using McAfee Threat Intelligence Exchange. Successful completion of this use case demonstrates the added visibility and information that the TIE solution offers.
2. Click on Menu | Systems Section | TIE Reputations.
4. You will see a list of files that have been executed on your endpoints. Clicking to sort by GTI reputation will highlight some of the more interesting files being executed. Add columns as desired.
7. In the TIE Reputations page search for artemis. You will see the file was blocked based on its GTI reputation Might be Malicious. Click Artemis-High.exe to research additional information about the executable.
9. The Additional Information tab includes data collected from the first system to execute the file. This includes:
10. The VirusTotal tab allows the user to cross-reference the file against VirusTotal. Click Retrieve VirusTotal Information.
Click into a certificate to research additional information.
13. In order to help separate real enterprise threats from general background noise in the environment, the TIE Server Dashboard focuses on new and notable information.
15. New files in the past 30 days: Shows new executable files that attempted to run in your environment in the past 30 days. On further research or new information received, McAfee may determine a reputation change is needed. The administrator may want to investigate enterprise overrides further if the GTI reputation has changed.
17. Systems with new executable files: Shows the top 10 systems that had the most new executable files attempting to run. This report shows systems that are potentially at risk for new infections because they are accessing the most new executables.
Conclusion
By working through this use case you are now aware of the immediate visibility that
the TIE solution offers. You can now answer critical security questions:
What is running in my environment?
Where is it running?
When did it run?
Has my environment seen specific malware? Or a recent zero day attack?
Which systems are at most risk from new executables?
Are there systems with unanticipated change?
The TIE Client: A new kind of protection against emerging threats
Now that you are fully aware of the files and associated certificates running in your environment and have been able to explore where possible compromises and threats are occurring, let's take a look at the benefits of the TIE Client.
The TIE Client makes file execution decisions by combining intelligence from local endpoint context (file, process, and environmental attributes) with the currently available collective threat intelligence (for example, organizational prevalence, age, reputation, etc.). When you customize the McAfee Threat Intelligence Exchange VirusScan Enterprise Module based on your organization's level of risk tolerance at the endpoint, administrators get the flexibility to set execution conditions driven by their specific requirements. This can be as rigid as adhering to a zero-tolerance policy for unknown or grey files by setting rules that no file is allowed to execute unless it has a known and acceptable reputation.
Pre-requisites:
Objective
The objective of this use case is to demonstrate the power of the TIE Client against zero-day threats. Successful completion of this use case should demonstrate the added intelligence that the TIE client offers.
1. Based on our research we know that malware tends to hide itself in specific folders. In this use case we will explore the root of $appdata$\roaming as an indicator of risky behavior. On the endpoint, in Explorer navigate to C:\ and select Organize | Folder and Search Options.
2. On your endpoint move the sample file Roaming.exe to C:\Users\<user>\AppData\Roaming. Execute Roaming.exe from this folder.
3. The TIE Client rules will block the file from being executed and expose the context as to which rule was triggered under Convicting Rule, in this case Identified suspicious files executing from the roaming folder. Click on Roaming.exe to view additional information on the block.
6. To view the TIE rules in more detail go to Menu | Configuration | Server Settings and click Threat Intelligence Exchange Module for VSE.
Additional bonus exercise: To demonstrate further how TIE handles zero-day files, you may want to manipulate a known file to see what happens.
Pre-requisites:
8. Remote Desktop into the client system and run Hackit.exe.
run.
Researching the block in the ePO console you will see it is no longer allowed to run based on GTI reputation as it was in our previous step. File execution is blocked based on its unknown reputation.
Conclusion
The added enterprise, global and local context allow the TIE client to apply a set of rules that indicate risky behavior. As seen in this use case, a file that is unknown in your environment with no confirmed good reputation is automatically blocked, protecting your enterprise from targeted attacks that rely on new, unknown binaries.
Control: Take immediate action
Now that you have complete visibility of your environment and endpoint protection that takes local, enterprise and global context into account when determining risky behavior, let's take action and apply our new Threat Intelligence to make smarter security decisions.
Objective
The objective of this use case is to demonstrate the informed control that we are giving to the administrator. Successful completion of this use case will demonstrate the added control that TIE & DXL offer against current and future threats.
1. Click on Menu | Systems Section | TIE Reputations.
4. For this demo, let's pretend that you have researched Artemis-Unknown-AllSL.exe further and decided it is not malicious. If you would like it to be allowed to run in your environment, you need to override its current reputation.
5. Mark Artemis-Unknown-AllSL.exe as File Known Trusted.
6. You will be prompted to Add Comment. Click OK.
Download, install and run Wireshark on your endpoint as instructed on wireshark.org.
2
9. To prevent all tools signed with this certificate from executing you would like to block all executables that are signed by the Wireshark certificate. In ePO go to the TIE Reputations | Certificate Search tab, enter Wire in the search field and click Find Certificates. Click OK.
11. Any file signed with the Wireshark certificate will be blocked from executing immediately.
Note: The reputation update happens immediately and does not require the McAfee Agent to wait for an Agent to Server Communication Interval (ASCI).
Click on Menu | Systems Section | TIE Reputations | File Overrides. Click Actions | Import Reputations.
13. Enter
Filename: MORPH.EXE
SHA-1 Hash: 0x13ECDDA4F45CD028221AF300EEBB207B60CB5C6C
MD5 Hash: 0xFB36DE68696BC60D9A51B537F97BDAD3
Click OK and OK on the confirmation screen.
Note: There is no specified limit on the file size that can be imported, but be aware that every definition will trigger a reputation change event.
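The import above and the hash tool and hex editor from the Content Testing section are the same two operations done by hand: compute a file's hashes so a reputation can be imported before the file arrives, and change one byte so a known file becomes a new, unknown one. The Python below is an added example (not part of the McAfee guide) that does both: it formats SHA-1 and MD5 the way the Import Reputations form shows them (0x prefix, upper-case hex) and produces a one-byte variant of a sample. The sample bytes are constructed for this example rather than a real executable, and the function names are the example's own.

```python
import hashlib


def file_hashes(data):
    """SHA-1 and MD5 of `data`, in the 0x-prefixed upper-case form the
    TIE Reputations import form displays (compare step 13 above)."""
    return {
        "SHA-1": "0x" + hashlib.sha1(data).hexdigest().upper(),
        "MD5": "0x" + hashlib.md5(data).hexdigest().upper(),
    }


def import_record(filename, data):
    """The three fields Actions | Import Reputations asks for, as one record."""
    hashes = file_hashes(data)
    return {"Filename": filename, "SHA-1 Hash": hashes["SHA-1"], "MD5 Hash": hashes["MD5"]}


def mutate_sample(data, offset, value):
    """Copy of `data` with the byte at `offset` replaced: the hex-editor step done in code.

    Any single-byte change alters both hashes, so TIE sees the result as a file it
    has never encountered and evaluates it as Unknown."""
    if not 0 <= offset < len(data):
        raise ValueError("offset outside the sample")
    out = bytearray(data)
    out[offset] = value
    return bytes(out)


# Constructed stand-in for a sample executable; a real sample would be read with
# open(path, "rb").read(). This is not a valid PE file and will not execute.
SAMPLE = b"MZ" + b"\x90" * 30 + b"TIE-POC-SAMPLE"


if __name__ == "__main__":
    for field, value in import_record("SAMPLE.EXE", SAMPLE).items():
        print(f"{field}: {value}")
    variant = mutate_sample(SAMPLE, len(SAMPLE) - 1, ord("X"))   # edit the last byte of the string
    print("hashes changed after a one-byte edit:", file_hashes(variant) != file_hashes(SAMPLE))
```

Two caveats when applying this to real samples: editing any byte of a digitally signed executable invalidates its signature, so the variant is unsigned and certificate-based reputation (as in the Wireshark steps above) no longer applies to it; and an edit outside padding or string data can make the program fail to start, which still produces a TIE execution record but tells you nothing about the sample's own behaviour.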
15. Click Menu | Reporting | TIE Module for VSE Events for additional event details. For example, select Pivot Point: Pivot by Rule to view the number of blocks based on specific TIE rules. These events were generated as part of the TIE Client use case.
Conclusion
The TIE solution gives the administrator immediate control over files and associated certificates executing in their environment as well as the ability to immunize the enterprise with imported threat intelligence.
Speed and Distribution: It's fast
You may have already noticed this added visibility and control is fast. Threat details collected from malware encountered at endpoints and network gateways can propagate through the data exchange layer in milliseconds, educating all security components to proactively immunize against newly detected threats.
Pre-requisites:
Objective
The objective of this use case is to demonstrate the speed and distribution with which the Data Exchange Layer is updated. Successful completion of this use case should demonstrate the near real-time distribution that the Data Exchange Layer offers.
1. Remote Desktop into the client system and run Hackit.exe. This populates the TIE Reputations page. Be ready to click on Hackit.exe as quickly as possible in a future step.
2. Click on Menu | Systems Section | TIE Reputations.
5. Are you ready to be quick? Move to step 6 quickly.
6. Remote Desktop into the client system and attempt to re-run Hackit.exe.
7. The execution attempt will be blocked.
Conclusion
No more waiting for agent wake-up calls, slow DAT releases or for the global threat feed to update! The speed and distribution of the Data Exchange Layer provides a communication fabric that allows immediate protection across your entire enterprise.
Incident Response: Patient Zero & Clean Up
Enterprise details collected from file execution allow administrators to track and gather additional information around where and when a file entered their enterprise.
Pre-requisites:
Objective
The objective of this use case is to demonstrate the incident response capabilities and data held within the TIE server. Successful completion of this use case should demonstrate how to identify when a file first entered your environment as well as how widely the file is being executed. You will also be able to take action by triggering a VSE clean on a known malicious file.
2. Click on Menu | Systems Section | TIE Reputations.
3. In the File Search tab enter Hackit.exe in the search field and click Find Files.
5. Click Actions | Where Has File Run.
6. The number of systems this file was run on will appear as well as the First Reference Date.
7. The management features of ePO allow the user to take appropriate action at the client when an incident arises.
8. In step 1 Hackit.exe was executed. On the endpoint you will see the Hack-It interface, the Hack-It application running in Task Manager, as well as the Hack-It icon running in the system tray.
9. In the Configuring the TIE Solution section of this guide we set Clean at Known Malicious for the TIE module for VSE policy. In this case, when a file's Enterprise reputation is set to Known Malicious a reputation change DXL event goes out immediately. Based on this policy setting the TIE module for VSE triggers a VSE clean. A VSE clean includes looking for running processes associated with the file and terminating them.
Set the Enterprise reputation to Known Malicious to terminate the file wherever it is running and prevent it from running in the future.
Note: This feature can be disabled by unchecking the Clean at feature in the TIE module for VSE policy.
In the TIE Reputations page check the box next to Hackit.exe and click Actions | File Known Malicious.
Conclusion
When a compromise does occur, the knowledge gathered by the TIE server empowers admins to respond swiftly and accurately. By setting a file to Known Malicious the administrator can trigger a VSE clean across the entire environment while simultaneously ensuring all future encounters are cleaned.
Appendix
McAfee Advanced Threat Defense for Automated Intelligence
Pre-requisites:
Objective
The objective of this guide is to demonstrate automation capabilities when integrating with McAfee Advanced Threat Defense. ATD removes the need for administrators to review each unknown file execution in ePO and to decide whether the file is good or bad: it makes the determination and then publishes the reputation to the DXL, all with zero administrator involvement. Successful completion of this use case should demonstrate that any ATD conviction will automatically immunize your entire environment.
On the Advanced Threat Defense (ATD) tab configure ATD server settings. Files can be sent to ATD for further evaluation. Check Enabled.
Enter the User name and Password for the ATD Server.
Files are sent to Advanced Threat Defense when all of the following are true:
The Threat Intelligence Exchange server does not have Advanced Threat Defense information about the file.
The file is at or below the reputation level you specify.
The file is at or below the file size limit you specify.
The file has not already been submitted to ATD by another endpoint or security product in your environment.
5. In TIE Reputations click Actions, Choose Columns. Add ATD Reputation and click Save.
6. On your endpoint execute Artemis-Unknown-All.exe. This sample will be sent to ATD because it has an unknown reputation and we set the policy to send to ATD if files have an unknown reputation.
Also note that the file's execution will be blocked on the endpoint because we set the policy to block on unknown. So in this case, the end user will be protected and the file will go to ATD for further analysis.
9. In ePO under TIE Reputations you will see the Known Malicious reputation determined by ATD.
Conclusion
McAfee Advanced Threat Defense connects your security ecosystem by sharing reputation information over the DXL. When an administrator does not want the hassle of researching each unknown or risky file, McAfee ATD can offload that responsibility. ATD also improves the efficiency of your security ecosystem. Sharing reputation information means that all future encounters of a file will already have a reputation and will not have to be analyzed again.
VirusTotal
Click Close.
4. The e-mail received will appear as follows. Click Sign in.
6. Enter Username and password.
9. A public API key comes with the following properties.
Baseline Gold Images with the TIE Scanner
The TIE Scan tool performs TIE analysis on user-specified files and folders, and populates a TIE server database. The TIE Scanning tool is not an official part of the product and comes with minimal/no support or documentation.
Pre-requisites:
The endpoint must contain the McAfee Agent 5.0 and be connected to the TIE Server over DXL.
TIEScanner.exe included in the package
Objective
The objective of this use case is to populate the TIE server with files already known to the environment to establish a baseline.
2. A pop-up requests the location of the extracted files. Browse and click OK when done.
3. Open a command prompt, navigate to the folder you extracted to in the last step and run:
TIEScan <file|folder> [/recurse]
ex1: tiescan c:\ /recurse <- This will scan the C drive
ex2: tiescan c:\windows\notepad.exe <- This will scan notepad
4. Depending on the size of the directory the scan could take several hours. When complete the TIE Scanning tool will detach. At this point the scan is complete.
Troubleshooting
2. Click Wake Up Agents. On the Wake Up McAfee Agent page, select the checkbox Force complete policy and task update, then click OK.
4. In the System Tree, click the server name, then click the Products tab. Verify that the following products are listed:
McAfee DXL Broker
McAfee DXL Client
McAfee Threat Intelligence Exchange Server
5. Click Menu | Automation | Server Tasks and run the task: Apply TIESERVER tags to TIE Server.
6. Click Menu | Automation | Server Tasks and run the task: Manage DXL Brokers.
7. After the tags have been successfully applied, click System Tree, select the Threat Intelligence Exchange server, then click Wake Up Agents.
8. On the Wake Up McAfee Agent page, select the checkbox Force complete policy and task update, then click OK.
11. To verify that the DXL and TIE services are running, on the virtual machine open a Console window, log in and enter service dxlbroker status.
Logfiles
Scripts are available to reconfigure the Threat Intelligence Exchange server, Data Exchange Layer brokers, and the McAfee Agent.
Accessing the scripts
The scripts are located in the /home/<username> directory. They must be executed with sudo permissions, for example sudo /home/myname/change-hostname.