OpenDXL as a Completely Blank Canvas:-
As a completely open source framework of integration, OpenDXL is like that particular art studio. Creative security developers and analysts can use the OpenDXL SDK (classes, libraries, and helper classes), the python client, and several code examples on Github to express their own exclusive ideas and activate their respective APIs. They can build each and everything from very simple productivity boosters to conditional workstreams that are sophisticated.
Unfortunately, unlike the particular art classroom, OpenDXL projects are not easily visible. So, the people at McAfee technologies created a virtual studio, a contest to see what actually the sales engineers would create using the OpenDXL. [Team at McAfee also captured some examples in their Guide of new Idea, that you can refer to their official website.]
One of the submissions of the very first contest, now published to Github in the community of opendxl, helps resolve the age-old dilemma of malware analysis, that is how many sandboxes are actually enough?
Simple POCs with very high value:-
Jesse Netz, an engineer of sales on the East Coast, used OpenDXL to completely integrate the open source sandbox of Cuckoo and the Palo Alto Networks sandbox of Wildfire with the DXL messaging fabric and the sandbox of McAfee Advanced Threat Defense. These multiple integrations can help companies get more value out of their already existing resources and share the latest threat information and data for the fastest detection of threats that are emerging.
- A sandbox of Cuckoo can pull a changing file of malware reputations maintained by the Threat Intelligence Exchange of McAfee and include these reputations in its processing as well as the report of Cuckoo. TIE provides absolute visibility into the local prevalence of the respective file, helping the analyst to completely understand how widespread and harmful an infection might be. In addition, various customers who have the sandbox of McAfee Advanced Threat Defense would see the verdicts of ATD appear within the report of Cuckoo, enriching the details of Cuckoo about what the sample did while executing.
- Applications of DXL-integrated can use a lightweight interface of DXL (service wrapper) instead of the APIs of Cuckoo to access the sandbox details of Cuckoo (registry writes, socket connections, etc.) from anywhere, off-network or on-network. For this particular integration, Jesse reused a reference example that is provided in the SDK of OpenDXL, the wrapper of ePO API service.
- Verdicts of Wildfire update the reputation database of McAfee Threat Intelligence Exchange with various new scores. Any particular application which listens to TIE reputation scores will get the information updated without having to integrate directly with the sandbox of Wildfire, and can immediately inoculate its entire systems by blocking the newly identified harmful malware. This example converts verdicts directly to TIE reputations.
Done in Hours, Not Weeks:-
The three integrations took a total time of approximately 30 hours, with the hardest part being learning each of the API of the third party. Once the team had done the first integration of OpenDXL, the subsequent ones were very much easier. Without the support of OpenDXL for SSL, Authorization, and Authentication, Jesse usually estimates that these integrations would have taken at least twice as long time. Now, others do not require to invest the time learning the APIs of Wildfire and Cuckoo and doing integrations that are point-to-point.
John Woods is a self-professed security expert; he has been making the people aware of the security threats. His passion is to write about Cybersecurity, malware, social engineering, Games,internet and new media. He writes for McAfee products at www.mcafee.com/activate or mcafee.com/activate .