Anomali ThreatStream IBM Resilient App

Transcription

1 Anomali ThreatStream IBM Resilient App IBM Resilient App Guide Release: August 24, 2018

2 Copyright Notice 2018 Anomali, Incorporated. All rights reserved. ThreatStream is a registered servicemark. Optic, Anomali Harmony, and Anomali Report are registered trademarks. All other brands, products, and company names used herein may be trademarks of their respective owners. Support Support Portal Phone Twitter support@anomali.com +1 Documentation Updates Date Description 08/24/2018 Updates for IBM Resilient App v /29/2017 A new guide for the Anomali IBM Resilient App v1.0.0 Anomali IBM Resilient App (2.0.1) Page 2 of 14

3 CONTENTS About This Release 4 What's New in This Release 4 Chapter 1: Introduction 5 6 Prerequisites for Installing Anomali IBM Resilient App Downloading and Installing Anomali IBM Resilient App 7 Using the Anomali IBM Resilient App 10 Anomali IBM Resilient App (2.0.1) Page 3 of 14

4 About This Release What's New in This Release Anomali IBM Resilient App is the next generally available release for this product line. This release includes the following features and enhancements: ThreatStream lookup - Artifacts associated with IBM Resilient incidents are automatically enriched by intelligence drawn from ThreatStream Intelligence sharing - Upload IBM Resilient incidents as ThreatStream Threat Bulletins Upgrade Information It is important that you completely remove any previous version of this application prior to installing Anomali IBM Resilient App Refer to "Uninstalling Anomali IBM Resilient App" on page 9. Limitations For this release, only ThreatStream SaaS is supported. Anomali IBM Resilient App (2.0.1) Page 4 of 14

5 Chapter 1: Introduction Threat Intelligence provides valuable incident context to help incident responders to reduce investigation time and enable a rapid, decisive response. Anomali ThreatStream offers the most comprehensive Threat Intelligence Platform, allowing all threat intelligence feeds to be managed and automatically made available to your security team in real-time. By integrating ThreatStream and the Resilient Incident Response Platform, your security team is able to gain instant context regarding artifacts associated with an incident. To achieve this, Anomali provides an IBM Resilient App for the Resilient Incident Response Platform v30 and onwards. This offers contextual, enriched threat intelligence received from ThreatStream via Anomali Integrator. This guide describes how to integrate Anomali ThreatStream with the Resilient Incident Response Platform via Anomali IBM Resilient App. Anomali IBM Resilient App (2.0.1) Page 5 of 14

6 The Anomali IBM Resilient App is installed as an extension on your existing IBM Resilient system. Using the Resilient Custom Threat Service, Anomali ThreatStream integrates with the Resilient platform so that any network artifacts added to a Resilient incident automatically triggers a ThreatStream enrichment lookup. This automatically provides additional enriched intelligence regarding the artifacts, which is added in the form of hits. Prerequisites for Installing Anomali IBM Resilient App The Resilient platform is version v or later and is running Python version 2.7; Python 3.0 is not supported. The Resilient platform is connected to the Internet. You must uninstall any previous version of the application prior to installing this version. You must install the Anomali IBM Resilient App as the "resadmin" user on Resilient Incident Response Platform. You have access to the command line of the Resilient appliance, which hosts the Resilient Platform. You have an Enterprise account from Anomali ThreatStream. To obtain an Enterprise account, contact your Anomali representative or register with Anomali ThreatStream at Once logged into the ThreatStream portal, navigate to Settings > Profile Settings to locate your ThreatStream API key. Anomali IBM Resilient App (2.0.1) Page 6 of 14

7 Downloading and Installing Anomali IBM Resilient App Contact Anomali Customer Support to obtain the Anomali IBM Resilient App. Once you have obtained and downloaded the installation package, install it on IBM Resilient by performing the following steps: 1. Log in to your IBM Resilient shell as the 'resadmin' user. Note: Ignore Step 2 if you have already configured an app.config file. 2. Generate a resilient app config file: a. Use the command resilient-circuits config -c b. The default location for the configuration file is: ~/.resilient/app.config. Other locations are acceptable. c. Point at the file with environment variable APP_CONFIG_FILE, using the command export APP_CONFIG_FILE=/path/to/your.config d. Edit the config file, update the fields, host, port, , password and org to match up with your Resilient Instance credentials. e. Test that you can connect to Resilient successfully by running command: resilient-circuits run 3. Ensure that the IBM rc-webserver and rc-cts packages are installed on your Resilient platform. 4. Run the command: sudo pip install /path/to/upload_incident_as_ threat_bulletin tar.gz 5. Run the command: sudo pip install /path/to/rc_cts_threatstream tar.gz 6. Check success of component installation by typing the following command: resilient-circuits list 7. Update your app.config file with component configurations using command: resilient-circuits config -u Anomali IBM Resilient App (2.0.1) Page 7 of 14

8 8. Update your app.config: a. Navigate to the app.config file location (default location ~/.resilient/app.config). b. Look for the section: [threatstream_config] c. Ensure that the following values are uncommented and updated with the correct values according to your instance of ThreatStream: o ts_api_url o o o ts_ui_url ts_user ts_api_key 9. Add the necessary rules, workflows, functions, message destinations for this package, using the command: resilient-circuits customize -y 10. Allow changes to take effect by rebooting your Resilient box, this can be done as root using the reboot command. 11. To keep the new components loaded, open a new ssh connection to your Resilient instance as resadmin, leave this command running in the background: resilient-circuits run 12. Setup the ThreatStream Threat Source: sudo resutil threatserviceedit -name ThreatStream -resturl Note: Port 9000 is used here, as it is the default port used by rcwebserver package. The port can be configured under rc-webserver config options in app.config. 13. Test that the ThreatStream Threat Source was added successfully: sudo resutil threatservicetest -name ThreatStream Anomali IBM Resilient App (2.0.1) Page 8 of 14

9 14. Ensure that the ThreatStream source is switched on: a. Open up the Resilient UI in a web browser. b. Log in with valid administrative credentials. c. Navigate to Administrator Settings > Threat Sources tab. d. Ensure that ThreatStream source is marked as ON. Uninstalling Anomali IBM Resilient App If you ever wish to delete the ThreatStream threat source from IBM Resilient: 1. Log in to your IBM Resilient shell. 2. Run the commands: a. sudo resutil threatservicedel -name ThreatStream b. sudo pip uninstall rc-cts-threatstream c. sudo pip uninstall upload-incident-as-threat-bulletin 3. Check success of the previous step, by ensuring that ThreatStream source is no longer available: a. Open up the Resilient UI in a web browser. b. Log in with valid administrative credentials. c. Navigate to Administrator Settings > Threat Sources tab. d. Ensure that ThreatStream source is not available. Anomali IBM Resilient App (2.0.1) Page 9 of 14

10 Using the Anomali IBM Resilient App As part of Resilient s incident response, Artifacts (or evidence) may be added to an incident for tracking and analysis. The IBM Resilient App utilizes threat intelligence received from ThreatStream to provide further enriched intelligence on these artifacts. This enables security teams to start investigating enriched intelligence from within the IBM Resilient App. ThreatStream Lookup for IBM Resilient Artifacts 1. From the IBM Resilient Interface, select an incident to investigate. Note: Refer to your IBM Resilient documentation for information about using this interface. 2. Select the Artifacts tab. 3. You can create a new artifact by clicking Add Artifact. Note: Refer to your IBM Resilient documentation to learn how to add artifacts. Immediately after a new artifact is added, the integration automatically performs a look-up of ThreatStream and returns enriched results about the artifact (e.g. status, geo-information, itype, confidence). Anomali IBM Resilient App (2.0.1) Page 10 of 14

11 4. From the bottom panel, you can choose from a list of existing artifacts associated with the selected incident. Note: Artifacts that have received hits from a threat source, i.e ThreatStream, will be marked with a red triangular alert icon. a. Click on any artifact entry that has received hits. In this example, we will select the artifact with the IP address marked with a red arrow. 'Hits' provided by threat sources such as ThreatStream are displayed for this IP address, allowing you to quickly scan the relevant enriched, top level intelligence. ThreatStream provides essential analysis to translate raw, unstructured and duplicated data into true intelligence; thereby reducing the 'noise' of false positives from outdated and irrelevant data. The figure above shows that the Anomali IBM Resilient App (2.0.1) Page 11 of 14

12 IP address in question is an active malware ip, which has high confidence scores reported by multiple credible sources. b. Within each 'hit' displayed, click the Drilldown Link (highlighted red) to gain additional context (actors, campaigns, TTPs) and leverage threat models (kill chain, diamond model and STIX/TAXII) to assess the nature and scope of the threat. This allows informed decisions to be made. Note: Refer to your ThreatStream Userguide for information about navigating and investigating in the ThreatStream user interface. c. Once you have finished investigating the 'hit', close or minimize the ThreatStream window to return to the IBM Resilient Interface again. Anomali IBM Resilient App (2.0.1) Page 12 of 14

13 Uploading Resilient Incidents as ThreatStream Threat Bulletins When critical new incidents are added to IBM Resilient, the security team may want to alert their organisations Threat Analyst s about this information by posting the incident as a ThreatStream Threat Bulletin. The integration between IBM Resilient and ThreatStream allows this sharing of intelligence. 1. From the IBM Resilient Interface, select the incident that you want to share the intelligence for. Note: Refer to your IBM Resilient documentation for information about using this interface. 2. Select the Details tab. 3. Select the Actions dropdown list. 4. From the expanded dropdown list, select Upload Incident as ThreatStream Bulletin. 5. Ensure that the yellow confirmation bar displays as in the following image. This indicates that the Threat Bulletin for sharing intelligence is being processed. Anomali IBM Resilient App (2.0.1) Page 13 of 14

14 After a period of seconds, the yellow notification bar disappears. 6. To check that the process of creating a Threat Bulletin has been successful: a. Select the Details tab. b. Select the Actions dropdown list. c. From the expanded dropdown list, select Workflow Status. d. Ensure that your created Threat Bulletin appears as the most recent task (top of the list). Anomali IBM Resilient App (2.0.1) Page 14 of 14