This repository has been archived by the owner on May 7, 2024. It is now read-only.

Automated threat response with McAfee ATD, OpenDXL and Fortinet Firewalls

cprevot93/OpenDXL-ATD-Fortinet


OpenDXL-ATD-Fortinet

This integration focuses on automated threat response with McAfee ATD, OpenDXL and Fortinet Firewalls. McAfee Advanced Threat Defense (ATD) produces local threat intelligence that is pushed via DXL. An OpenDXL wrapper subscribes to those messages, parses the IP indicators that ATD produced and automatically updates firewall rules.

(screenshot: screen shot 2017-09-20 at 13 59 15)

Component Description

McAfee Advanced Threat Defense (ATD) is a malware analytics solution that combines signatures and behavioral analysis techniques to rapidly identify malicious content and provide local threat intelligence. ATD exports IOC data in STIX format in several ways, including over DXL. https://www.mcafee.com/in/products/advanced-threat-defense.aspx

Fortinet Firewalls provide a high-performance network security protection platform. https://www.fortinet.com/products/next-generation-firewall.html

Prerequisites

McAfee ATD solution (tested with ATD 4.0.4)

Download the Latest Release

  • Extract the release .zip file

OpenDXL Python installation

  1. Python SDK Installation (Link). Install the required dependencies with the requirements.txt file:
    $ pip install -r requirements.txt
    This will install the dxlclient and requests modules.
  2. Certificate Files Creation (Link)
  3. ePO Certificate Authority (CA) Import (Link)
  4. ePO Broker Certificates Export (Link)

Fortinet Firewall (tested with FortiGate 6.0.3)

Configuration

McAfee ATD receives files from multiple sensors such as endpoints, web gateways and network IPS, or via its REST API. ATD performs malware analytics and produces local threat intelligence. After an analysis, every indicator of compromise is published via the Data Exchange Layer (topic: /mcafee/event/atd/file/report).

atd_subscriber.py

atd_subscriber.py receives DXL messages from ATD, filters out the discovered IPs and hands them to forti_push.py.

Change the CONFIG_FILE path in the atd_subscriber.py file.

CONFIG_FILE = "/path/to/config/file"
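What the subscriber's filtering step can look like, as an added example that is not the project's atd_subscriber.py: it takes the JSON payload of one DXL report message, keeps only well-formed, publicly routable IPv4 indicators, deduplicates them and applies a minimum severity before anything is handed to the firewall side. The payload layout (Summary, Verdict.Severity, Ips[].Ipv4) and the 0-5 severity scale are assumptions about the ATD report format, since the page does not show the message body; the sample payload is constructed.

```python
"""Filter ATD report IP indicators before they are pushed to a firewall.

Added example (not the project's atd_subscriber.py). It shows the filtering a
subscriber should apply to one DXL report payload before calling forti_push.
"""
import ipaddress
import json
from typing import List

# Constructed sample payload. The field names (Summary, Verdict.Severity, Ips[].Ipv4)
# are an assumption about the ATD report layout; the page does not show the message body.
SAMPLE_PAYLOAD = json.dumps({
    "Summary": {
        "Verdict": {"Severity": "5"},
        "Ips": [
            {"Ipv4": "203.0.113.10", "Port": "443"},
            {"Ipv4": "203.0.113.10", "Port": "80"},   # same host, second connection
            {"Ipv4": "10.0.0.5", "Port": "445"},      # internal host the sample touched
            {"Ipv4": "127.0.0.1", "Port": "8080"},    # sandbox loopback traffic
            {"Ipv4": "not-an-ip", "Port": "1"},       # malformed indicator
        ],
    }
})

MIN_SEVERITY = 3  # assumed 0-5 ATD scale; below this the sample is not treated as malicious

# Ranges that must never reach a perimeter block list: blocking them would affect
# internal traffic, not the attacker. Kept explicit rather than using ipaddress.is_global,
# which would also drop the 203.0.113.0/24 documentation range used in the sample.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_blockable(addr: ipaddress.IPv4Address) -> bool:
    """True when the address is outside every non-routable range above."""
    return not any(addr in net for net in NON_ROUTABLE)


def extract_block_candidates(payload: str, min_severity: int = MIN_SEVERITY) -> List[str]:
    """Return deduplicated public IPv4 indicators from one ATD report, or [] if the
    report's severity is below the threshold or the payload has no usable indicators."""
    report = json.loads(payload)
    summary = report.get("Summary") or {}
    try:
        severity = int((summary.get("Verdict") or {}).get("Severity", 0))
    except (TypeError, ValueError):
        severity = 0
    if severity < min_severity:
        return []

    seen = set()
    candidates: List[str] = []
    for entry in summary.get("Ips") or []:
        try:
            addr = ipaddress.IPv4Address(entry.get("Ipv4"))
        except (ipaddress.AddressValueError, TypeError):
            continue  # malformed indicator: skip it rather than crash the subscriber loop
        if not is_blockable(addr) or addr in seen:
            continue
        seen.add(addr)
        candidates.append(str(addr))
    return candidates


if __name__ == "__main__":
    print(extract_block_candidates(SAMPLE_PAYLOAD))  # ['203.0.113.10']
```

Dropping RFC1918, loopback, link-local and multicast addresses matters here because a detonated sample that contacts an internal host (a file share, a proxy) would otherwise end up blocking that host at the perimeter; the severity threshold keeps benign or low-confidence reports from changing firewall state at all.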

Fortinet

Before Fortinet Firewalls can be updated via the API it is necessary to create a user that has access to the API.

forti_push.py

forti_push.py receives the discovered malicious IPs and uses the FortiGate API to update firewall rules / groups.

Change the IP/hostname address and the API token.

(screenshot: screenshot 2018-12-13 at 22 44 40)

The script will:

  1. create a new API session
  2. login
  3. check if the host exists already and create it if it doesn't
  4. check if the group exists already and create it if it doesn't
  5. get the members of the group and add the newly created / discovered address
  6. logout
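The six steps above as an idempotent implementation, added here as an example; this is not the project's forti_push.py. It authenticates with the API token mentioned in the configuration section (sent as an Authorization: Bearer header, which FortiOS accepts for REST API administrators) rather than with a login/logout session, and it talks to the FortiOS CMDB REST API paths for firewall/address and firewall/addrgrp. The ATD_<ip> object-naming convention, the transport abstraction and the in-memory FakeFortiGate used to run it offline are all constructed for this example.

```python
"""Idempotent FortiGate address / address-group update.

Added example, not the project's forti_push.py. Authenticates with an API token
(Authorization: Bearer) instead of a login/logout session and uses the FortiOS CMDB
REST API paths for firewall/address and firewall/addrgrp.
"""
import ipaddress
from typing import Callable, Optional, Tuple

# A transport performs one HTTP request and returns (status_code, decoded JSON or None).
Transport = Callable[[str, str, Optional[dict]], Tuple[int, Optional[dict]]]

GROUP_NAME = "BadIPList"  # the address group the README's firewall rule refers to


def requests_transport(base_url: str, token: str, verify: bool = True) -> Transport:
    """Real transport on top of the `requests` library (imported lazily so this module
    loads without it). Keep verify=True in production: the token travels in the header."""
    def _do(method: str, path: str, body: Optional[dict]):
        import requests
        resp = requests.request(method, base_url.rstrip("/") + path, json=body,
                                headers={"Authorization": f"Bearer {token}"},
                                verify=verify, timeout=10)
        try:
            return resp.status_code, resp.json()
        except ValueError:
            return resp.status_code, None
    return _do


def _address_name(ip: str) -> str:
    # Constructed naming convention; the original script's convention is not shown on the page.
    return f"ATD_{ip}"


def ensure_address(transport: Transport, ip: str) -> str:
    """Step 3: create the /32 host object if it does not exist yet; return its name."""
    ipaddress.IPv4Address(ip)  # refuse anything that is not a plain IPv4 literal
    name = _address_name(ip)
    status, _ = transport("GET", f"/api/v2/cmdb/firewall/address/{name}", None)
    if status == 404:
        status, _ = transport("POST", "/api/v2/cmdb/firewall/address",
                              {"name": name, "type": "ipmask", "subnet": f"{ip} 255.255.255.255"})
    if status != 200:
        raise RuntimeError(f"address {name}: HTTP {status}")
    return name


def ensure_group_member(transport: Transport, group: str, member: str) -> list:
    """Steps 4 and 5: create the group if missing, then add the member exactly once."""
    status, body = transport("GET", f"/api/v2/cmdb/firewall/addrgrp/{group}", None)
    if status == 404:
        status, _ = transport("POST", "/api/v2/cmdb/firewall/addrgrp",
                              {"name": group, "member": [{"name": member}]})
        members = [member]
    elif status == 200:
        members = [m["name"] for m in body["results"][0].get("member", [])]
        if member not in members:  # re-PUTting the list without this check duplicates entries
            members.append(member)
            status, _ = transport("PUT", f"/api/v2/cmdb/firewall/addrgrp/{group}",
                                  {"member": [{"name": m} for m in members]})
    if status != 200:
        raise RuntimeError(f"group {group}: HTTP {status}")
    return members


def push_bad_ip(transport: Transport, ip: str, group: str = GROUP_NAME) -> list:
    """Full flow for one discovered IP; returns the group's member names afterwards."""
    return ensure_group_member(transport, group, ensure_address(transport, ip))


class FakeFortiGate:
    """In-memory stand-in for the CMDB API (constructed for offline use; no device needed)."""
    def __init__(self):
        self.tables = {"address": {}, "addrgrp": {}}
        self.calls = []

    def __call__(self, method, path, body):
        self.calls.append((method, path))
        parts = path.split("/")  # ['', 'api', 'v2', 'cmdb', 'firewall', <table>, <name>?]
        table = self.tables[parts[5]]
        name = parts[6] if len(parts) > 6 else None
        if method == "GET":
            return (200, {"results": [table[name]]}) if name in table else (404, None)
        if method == "POST":
            table[body["name"]] = dict(body)
            return 200, {"status": "success"}
        if method == "PUT" and name in table:
            table[name].update(body)
            return 200, {"status": "success"}
        return 405, None


if __name__ == "__main__":
    fake = FakeFortiGate()
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.10"):  # the last one is a repeat
        print(push_bad_ip(fake, ip))
    # Against a real unit: push_bad_ip(requests_transport("https://fw.example", "<TOKEN>"), ip)
```

The GET-before-POST checks are what make the script safe to re-run: ATD reports the same address repeatedly (one entry per connection), and pushing it blindly would either fail on a duplicate object name or grow the group with duplicate members. Any non-200 status stops the flow with the failing object named, so a rejected token or a read-only API profile shows up immediately instead of silently leaving the group unchanged.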

Don't forget to create a new firewall rule that uses the BadIPList group.

(screenshot: screen shot 2017-09-20 at 13 52 14)

Run the OpenDXL wrapper

python atd_subscriber.py

or

nohup python atd_subscriber.py &

Summary

With this use case, ATD produces local intelligence that immediately updates policy enforcement points such as the Fortinet Next Generation Firewalls with malicious IPs.
