vkrish-mcafee / OpenDXL-ATD-Checkpoint

Automated threat response with McAfee ATD, OpenDXL and Check Point Firewalls


OpenDXL-ATD-Checkpoint

This integration focuses on automated threat response with McAfee ATD, OpenDXL and Check Point Firewalls. McAfee Advanced Threat Defense (ATD) produces local threat intelligence that is pushed over DXL. An OpenDXL wrapper subscribes to those events, parses the IP indicators ATD produced and automatically updates firewall objects and pushes the new configuration to the selected firewalls.

(Image: 61_atd_check_point)

Component Description

McAfee Advanced Threat Defense (ATD) is a malware analytics solution that combines signatures and behavioral analysis to rapidly identify malicious content and provide local threat intelligence. ATD exports IOC data in STIX format in several ways, including over DXL. https://www.mcafee.com/in/products/advanced-threat-defense.aspx

Check Point Next Generation Firewalls offer network security protection in an integrated next generation firewall platform. https://www.checkpoint.com/products-solutions/next-generation-firewalls/

Prerequisites

McAfee ATD solution (tested with ATD 3.8)

Download the Latest Release

  • Extract the release .zip file

OpenDXL Python installation

  1. Python SDK Installation (Link) Install the required dependencies with the requirements.txt file:
    $ pip install -r requirements.txt
    This will install the dxlclient, and requests modules.
  2. Certificate Files Creation (Link)
  3. ePO Certificate Authority (CA) Import (Link)
  4. ePO Broker Certificates Export (Link)

Check Point Management R80

Configuration

McAfee ATD receives files from multiple sensors such as Endpoints, Web Gateways, Network IPS, or via the REST API. ATD performs malware analytics and produces local threat intelligence. After each analysis, every indicator of compromise is published via the Data Exchange Layer (topic: /mcafee/event/atd/file/report).

atd_subscriber.py

atd_subscriber.py receives the DXL messages from ATD, extracts the discovered IP addresses and hands them to cp_push.py.

Change the CONFIG_FILE path in the atd_subscriber.py file.

CONFIG_FILE = "/path/to/config/file"
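The extraction step described above, as an added example that is not the project's atd_subscriber.py. The page does not document the ATD report layout, so the sample payload, its field names and the addresses in it are constructed for this example; the parser walks the whole JSON document instead of relying on specific keys, and drops any address a perimeter block group should never contain (private, loopback, link-local, multicast, reserved and documentation ranges). `EventCallback` and `event.payload` are the dxlclient SDK's interface; the import fallback only lets the parser run where the SDK is not installed.

```python
"""Pull IP indicators out of an ATD report delivered over DXL (added example)."""
import ipaddress
import json

try:  # real DXL SDK base class; the fallback lets the parser run without dxlclient installed
    from dxlclient.callbacks import EventCallback
except ImportError:
    EventCallback = object

ATD_TOPIC = "/mcafee/event/atd/file/report"

# Constructed sample payload. Field names are illustrative, not ATD's documented schema;
# the addresses are placeholders, not real indicators.
SAMPLE_REPORT = json.dumps({
    "Summary": {
        "Subject": {"Name": "invoice.exe", "md5": "d41d8cd98f00b204e9800998ecf8427e"},
        "Verdict": {"Severity": "5"},
        "Ips": [
            {"Ipv4": "193.34.0.77", "Port": "443"},
            {"Ipv4": "10.0.0.5", "Port": "53"},        # internal DNS, must not be blocked
            {"Ipv4": "193.34.0.77", "Port": "8080"},   # duplicate of the first indicator
            {"Ipv4": "127.0.0.1", "Port": "80"},
        ],
        "Urls": [{"Url": "http://update.example.net/x"}],
        "Dns": [{"Hostname": "update.example.net", "Ipv6": "2001:db8::1", "Ipv4": "91.0.0.42"}],
    }
}).encode("utf-8")


def walk_strings(node):
    """Yield every string leaf of a parsed JSON document, in document order."""
    if isinstance(node, dict):
        for value in node.values():
            yield from walk_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk_strings(value)
    elif isinstance(node, str):
        yield node


def blockable(addr):
    """True only for routable addresses: pushing RFC 1918 space, loopback or the
    sandbox's own network into a firewall block group breaks things rather than
    protecting them. is_global also excludes the RFC 5737/3849 documentation ranges."""
    return addr.is_global


def extract_ips(payload):
    """Return unique, routable IPs from a raw DXL payload (bytes), in first-seen order."""
    found = []
    for text in walk_strings(json.loads(payload.decode("utf-8"))):
        try:
            addr = ipaddress.ip_address(text.strip())
        except ValueError:
            continue  # hashes, hostnames, ports, URLs and other non-address strings
        if blockable(addr) and str(addr) not in found:
            found.append(str(addr))
    return found


class AtdReportCallback(EventCallback):
    """DXL event callback: parses each ATD report and hands the IPs to a sink (e.g. cp_push)."""

    def __init__(self, sink):
        super().__init__()
        self.sink = sink

    def on_event(self, event):
        try:
            ips = extract_ips(event.payload)
        except (UnicodeDecodeError, ValueError) as exc:
            # A malformed report must not kill the long-running subscriber.
            print(f"ignoring malformed ATD report: {exc}")
            return
        if ips:
            self.sink(ips)


if __name__ == "__main__":
    print(extract_ips(SAMPLE_REPORT))
```

In the real subscriber the callback is registered on a connected `DxlClient` with `client.add_event_callback(ATD_TOPIC, AtdReportCallback(sink))`, where `sink` is whatever pushes the list to the firewall.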

Check Point Management R80

Check Point API Reference

Before firewall objects can be updated via the API, the Management API has to be enabled on the Check Point Management Server.

(Image: 62_atd_check_point)

cp_push.py

cp_push.py receives only the discovered malicious IPs and uses the Check Point Management API to update firewall objects (hosts and groups).

Change the username, password and IP address in cp_push.py. The IP address should point to the Check Point Management Server, not to a gateway. The credentials are stored in clear text in the script, so restrict the file's permissions and use a dedicated API user whose permission profile is limited to the objects this script touches.

The script will:

  1. create a new API session
  2. log in
  3. check whether the group already exists and create it if it doesn't
  4. check whether the host already exists and create it if it doesn't
  5. assign the newly created host to the group
  6. publish the configuration
  7. log out

Don't forget to create a firewall rule that references the group: the script only maintains the group's members, so without a rule that uses the group the new IPs are not blocked.
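The seven steps above as one runnable flow, added here as an example and not the project's cp_push.py. It uses the R80 Management Web API commands login, show-group, add-group, show-host, add-host, set-group, publish and logout with their documented JSON bodies, and adds one thing the list does not mention: a discard when anything fails, so a half-finished session leaves no unpublished changes behind. The HTTP transport is injected so the flow runs offline against the in-memory fake server at the bottom; the host naming convention (`atd_<ip>`), the group name and the credentials are assumptions for this example.

```python
"""Update a Check Point R80 host group with IPs reported by ATD (added example)."""
import copy
import ipaddress
import uuid

NOT_FOUND = "generic_err_object_not_found"  # R80 code returned by show-* for a missing object


class CheckPointClient:
    def __init__(self, post):
        # post(command, body, sid) -> (http_status, json_dict). A real transport would do
        # requests.post(f"https://{mgmt}/web_api/{command}", json=body,
        #               headers={"X-chkp-sid": sid} if sid else {}, verify=CA_BUNDLE).json()
        self._post = post
        self.sid = None

    def call(self, command, body=None):
        return self._post(command, body or {}, self.sid)

    def ok(self, command, body=None):
        status, data = self.call(command, body)
        if status != 200:
            raise RuntimeError(f"{command} failed ({status}): {data.get('message', data)}")
        return data

    def show_or_none(self, command, name):
        """show-* returns the object, or None when the API says it does not exist."""
        status, data = self.call(command, {"name": name})
        if status == 200:
            return data
        if data.get("code") == NOT_FOUND:
            return None
        raise RuntimeError(f"{command} failed ({status}): {data}")

    def login(self, user, password):  # steps 1 and 2
        self.sid = self.ok("login", {"user": user, "password": password})["sid"]

    def push_ips(self, group, ips):
        """Steps 3 to 6. Returns the host names newly added to the group."""
        existing = self.show_or_none("show-group", group)
        if existing is None:
            self.ok("add-group", {"name": group})
        members = {m["name"] for m in (existing or {}).get("members", [])}
        to_add = []
        for raw in ips:
            ip = str(ipaddress.ip_address(raw.strip()))  # reject garbage before it reaches the firewall
            host = f"atd_{ip}"  # naming convention assumed for this example
            if self.show_or_none("show-host", host) is None:
                self.ok("add-host", {"name": host, "ip-address": ip})
            if host not in members:
                to_add.append(host)
        if to_add:
            self.ok("set-group", {"name": group, "members": {"add": to_add}})
            self.ok("publish")
        return to_add


def respond_to_atd(post, user, password, group, ips):
    """Steps 1 to 7 end to end; discards unpublished changes if anything fails."""
    client = CheckPointClient(post)
    client.login(user, password)
    try:
        return client.push_ips(group, ips)
    except Exception:
        client.call("discard")
        raise
    finally:
        client.call("logout")


class FakeManagementServer:
    """In-memory stand-in for the R80 Web API, constructed for this example only."""

    def __init__(self, password="s3cret"):
        self.password = password
        self.committed = {"groups": {}, "hosts": {}}
        self.pending = copy.deepcopy(self.committed)  # the session's unpublished view
        self.sessions = set()
        self.publishes = 0

    def post(self, command, body, sid):
        if command == "login":
            if body.get("password") != self.password:
                return 400, {"code": "err_login_failed", "message": "Authentication to server failed."}
            sid = uuid.uuid4().hex
            self.sessions.add(sid)
            return 200, {"sid": sid}
        if sid not in self.sessions:
            return 401, {"code": "err_wrong_session_id", "message": "Wrong session id"}
        groups, hosts = self.pending["groups"], self.pending["hosts"]
        name = body.get("name")
        if command == "show-group":
            if name not in groups:
                return 404, {"code": NOT_FOUND, "message": f"Requested object [{name}] not found"}
            return 200, {"name": name, "members": [{"name": m} for m in sorted(groups[name])]}
        if command == "show-host":
            if name not in hosts:
                return 404, {"code": NOT_FOUND, "message": f"Requested object [{name}] not found"}
            return 200, {"name": name, "ipv4-address": hosts[name]}
        if command == "add-group":
            groups[name] = set()
        elif command == "add-host":
            hosts[name] = body["ip-address"]
        elif command == "set-group":
            groups[name].update(body["members"]["add"])
        elif command == "publish":
            self.committed = copy.deepcopy(self.pending)
            self.publishes += 1
        elif command == "discard":
            self.pending = copy.deepcopy(self.committed)
        elif command == "logout":
            self.sessions.discard(sid)
        else:
            return 400, {"code": "generic_error", "message": f"unknown command {command}"}
        return 200, {"name": name}


if __name__ == "__main__":
    server = FakeManagementServer()
    print(respond_to_atd(server.post, "api_user", "s3cret", "ATD_Malicious_IPs", ["203.0.113.10"]))
```

Running the flow twice with an overlapping IP list shows the idempotency the steps imply: hosts and group members that already exist are detected via show-host/show-group and skipped, and nothing is published when there is nothing to add.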

(Image: 63_atd_check_point)

Run the OpenDXL wrapper

python atd_subscriber.py

or

nohup python atd_subscriber.py &

Summary

With this use case, ATD produces local intelligence that immediately updates cyber defense countermeasures such as the Check Point Next Generation Firewalls with malicious IPs.
