Encriching CarbonBlack Response with Threat data from MISP

CarbonBlack Response is an amazing EDR system that can be used to gain insight onto endpoints, both during hunting and as part of IR engagements (https://www.carbonblack.com/products/cb-response/ ).

eCrimeLabs has previously implemented a binding between MISP and CarbonBlack through our Cratos API (https://www.ecrimelabs.com/cratos-threat-api), however we also wanted to create an open-source integration that could be used by none customers.

MISP (https://www.misp-project.org) allows you to create your own events made up of IoC’s and then leverage these as a threat data feed.

MISP out of the box also has support for many open source threat feeds and it can aggregate these and display them in a chosen standard. This can really help with centralizing your organisations threat data. 
So you can combine OSINT and your own intelligence for enrichment into your EDR tool.


MISP Preparation

The initial part would be to add a unique “tag” that would define that this attribute/ioc should be made available to Cb Response.

Log into MISP and choose “Event Actions” and “Add tag”.

In this case we are creating a tag named “CarbonBlackResponse”, however this can be customized to fitting your organizations naming standard.

Currently Cb Response can consume the following attribute types:

  • ip-src

  • ip-dst

  • domain

  • hostname

  • md5

  • sha256

Adding a feed as default to Cb Response

As an example this shows how to add the Ransomeware Tracker feed into Cb Response.

“Sync Actions” - “List feeds” and choose edit “Ransomware Tracker”

At the buttom of the of the editing page add your custom tag as “Default Tag”.

Now whenever the feed is updated this will be exposed real time to Cb Response.


Adding events to Cb Response

In the Cb Response portal choose “Threat Intelligence” and press “Add new Feed”

Replace the URL with your own

The new feed will now be available for enabling it and utilizing the data.

After Enabling the feed choose “Actions” and do a “Full Sync”

The above data set for testing can be downloaded from http://misp2cbr.evilcorp.dk all of the IOC’s on this page and in the MISP event are for testing and does not contain any harm.


Now when this is setup the Cb Response will at a fixed interval fetch the IOC’s you have marked with the custom tag.

Source code from Git

Now all you need is to download the code that integrates these two components.

https://github.com/eCrimeLabs/MISP2CbR