Robert Williams | Robert1122

Expanding Response and Automating Advanced Threat Hunting with OpenDXL

Apr 24th 2019 at 3:45 AM

Everyone is talking about security automation today. But which actions and processes can be automated safely, and which ones actually produce a security outcome, such as improving SecOps efficiency or reducing attacker dwell time? Open the latest industry report and you will find a statistic on how long attackers linger in a network without being detected. The numbers are improving, but the average still heavily favors the attacker.

One reason attackers are so successful at maintaining persistence is that most organizations struggle to make effective use of threat intelligence. Effective use means taking the volumes of threat intelligence data, mostly technical Indicators of Compromise (IOCs), hunting for affected systems with those IOCs, and then adapting countermeasures to contain the incident or update defenses. These critical tasks, collecting and validating intelligence, performing triage, and adapting defenses to contain the incident, must be automated if we ever want to get ahead of attackers.

McAfee's Intelligent Security Operations solution automates many key threat hunting tasks. In this solution, McAfee Advanced Threat Defense (ATD), a malware analysis system, produces local IOCs from malware submitted by network and endpoint sensors. It automatically shares this new intelligence with McAfee Enterprise Security Manager (ESM) for automated historical analysis, with the Active Response component of McAfee Endpoint Threat Defense and Response (ETDR) for real-time endpoint analysis, and with McAfee Threat Intelligence Exchange (TIE) for automated containment at the endpoint or network.

But wouldn't it be great if we could hunt on all threat intelligence, not just file hashes, and automate incident containment as well? We can extend the Intelligent Security Operations solution to handle far more intelligence and to automate more incident response tasks using the power of OpenDXL.

Consolidate Threat Intelligence Collection with MISP and OpenDXL

Organizations need threat intelligence from three kinds of sources:

  1. Global intelligence from vendors or large providers,
  2. Community intelligence from closed sharing groups, and
  3. Locally produced intelligence from the enterprise itself.

Local threat intelligence, typically produced by malware sandboxes such as McAfee Advanced Threat Defense (ATD) or learned from previous incident investigations, generally relates to attacks targeted at the enterprise and would not be visible through external intelligence feeds. Large organizations typically consolidate these feeds in a threat intelligence platform to simplify management, processing and sharing of the information.
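The two ideas above, hunting on more than file hashes and turning hits into automated containment, and consolidating feeds in a platform such as MISP, can be shown end to end in a small script. The following is an added example, not code from the original post or from McAfee or the OpenDXL project. It assumes a MISP event exported as JSON (the `Event` / `Attribute` / `to_ids` layout is MISP's real export shape, but the values are constructed), a few constructed endpoint, DNS and netflow records, and hypothetical DXL topic names used only to show the shape of the containment messages; a real deployment would publish those messages with the OpenDXL client instead of collecting them in a list.

```python
"""Hunt local telemetry with MISP IOCs and plan containment actions.

Added example for illustration; the MISP data, telemetry and DXL topic
names below are constructed or hypothetical, not product defaults.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed MISP event export. Note the md5 attribute has to_ids=False:
# MISP uses that flag to say "do not detect on this", and d41d8cd9... is
# the hash of an empty file, a classic false-positive indicator.
MISP_EVENT_JSON = json.dumps({
    "Event": {
        "info": "Constructed sample event",
        "Attribute": [
            {"type": "sha256", "value": "a" * 64, "to_ids": True},
            {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": False},
            {"type": "domain", "value": "Update.Example-Bad.Net", "to_ids": True},
            {"type": "ip-dst", "value": "203.0.113.45", "to_ids": True},
            {"type": "ip-dst", "value": "198.51.100.7", "to_ids": True},
            {"type": "comment", "value": "analyst note, not an IOC", "to_ids": False},
        ],
    }
})

# MISP attribute types we know how to hunt with, mapped to an IOC kind.
HUNTABLE_TYPES = {
    "md5": "hash", "sha1": "hash", "sha256": "hash",
    "domain": "domain", "hostname": "domain",
    "ip-dst": "ip", "ip-src": "ip",
}


def load_iocs(misp_json):
    """Return {kind: set(values)} from a MISP event export.

    Only attributes flagged to_ids are used for hunting; values are
    normalised (lower case, trimmed) and IPs are validated.
    """
    iocs = defaultdict(set)
    for attr in json.loads(misp_json)["Event"]["Attribute"]:
        kind = HUNTABLE_TYPES.get(attr["type"])
        if kind is None or not attr.get("to_ids", False):
            continue
        value = attr["value"].strip().lower()
        if kind == "ip":
            ipaddress.ip_address(value)  # raises ValueError on a malformed indicator
        iocs[kind].add(value)
    return dict(iocs)


# Constructed telemetry: what endpoint, DNS and flow sensors would report.
TELEMETRY = [
    {"host": "ws-017", "kind": "process", "sha256": "A" * 64},
    {"host": "ws-017", "kind": "dns", "query": "update.example-bad.net."},
    {"host": "ws-042", "kind": "netflow", "dst_ip": "203.0.113.45"},
    {"host": "srv-db1", "kind": "process", "sha256": "b" * 64},
    {"host": "ws-042", "kind": "dns", "query": "www.example.com"},
]


def hunt(iocs, telemetry):
    """Match every record against the IOC set; return {host: [(kind, value)]}."""
    hits = defaultdict(list)
    for rec in telemetry:
        if rec["kind"] == "process":
            value, kind = rec["sha256"].lower(), "hash"
        elif rec["kind"] == "dns":
            value, kind = rec["query"].lower().rstrip("."), "domain"
        elif rec["kind"] == "netflow":
            value, kind = rec["dst_ip"], "ip"
        else:
            continue
        if value in iocs.get(kind, ()):
            hits[rec["host"]].append((kind, value))
    return dict(hits)


# Hypothetical DXL topics: one containment message shape per IOC kind.
CONTAINMENT = {
    "hash": ("/example/tie/reputation/set",
             lambda v: {"hash": v, "reputation": "known_malicious"}),
    "domain": ("/example/network/block/domain", lambda v: {"domain": v}),
    "ip": ("/example/network/block/ip", lambda v: {"ip": v}),
}


def plan_containment(hits):
    """Quarantine each affected host and block each matched IOC exactly once.

    Returns a list of (topic, payload) tuples a DXL publisher would send.
    """
    actions, blocked = [], set()
    for host in sorted(hits):
        actions.append(("/example/endpoint/quarantine", {"host": host}))
        for kind, value in hits[host]:
            if (kind, value) in blocked:
                continue
            blocked.add((kind, value))
            topic, build = CONTAINMENT[kind]
            actions.append((topic, build(value)))
    return actions


def run():
    """Full pipeline on the constructed data: IOCs -> hunt -> containment plan."""
    return plan_containment(hunt(load_iocs(MISP_EVENT_JSON), TELEMETRY))


if __name__ == "__main__":
    for topic, payload in run():
        print(topic, json.dumps(payload))
```

The to_ids check is the caveat worth keeping: feeding every MISP attribute straight into blocking is how a consolidated platform turns an analyst's comment or an empty-file hash into an outage, so the flag gates what is allowed to drive automated containment.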

Robert Williams is a self-professed security expert who has been making people aware of security threats. His passion is writing about cybersecurity, malware, social engineering, games, the internet and new media. He writes about McAfee products at and

