A Cisco SecureX Concrete Relay implementation using IBM X-Force Exchange as a third-party Cyber Threat Intelligence service provider.
The Relay itself is just a simple application written in Python that can be easily packaged and deployed. This relay is now Cisco Hosted and no longer requires AWS Lambda.
The code is provided here purely for educational purposes.
- We need an application that will translate API requests from SecureX Threat Response to the third-party integration, and vice versa.
- We need an application that can be completely self contained within a virtualized container using Docker.
Open the code folder in your terminal.
cd code
If you want to test the application you will require Docker and several dependencies from the Pipfile file:
pip install --no-cache-dir --upgrade pipenv && pipenv install --dev
You can perform two kinds of testing:
-
Run static code analysis checking for any semantic discrepancies and PEP 8 compliance:
flake8 .
-
Run the suite of unit tests and measure the code coverage:
coverage run --source api/ -m pytest --verbose tests/unit/ && coverage report
If you want to test the live Lambda you may use any HTTP client (e.g. Postman),
just make sure to send requests to your Lambda's URL
with the Authorization
header set to Bearer <JWT>
.
NOTE. If you need input data for testing purposes you can use data from the observables.json file.
In order to build the application, we need to use a Dockerfile
.
- Open a terminal. Build the container image using the
docker build
command.
docker build -t tr-05-ibm-xforce-exchange .
- Once the container is built, and an image is successfully created, start your container using the
docker run
command and specify the name of the image we have just created. By default, the container will listen for HTTP requests using port 9090.
docker run -dp 9090:9090 --name tr-05-ibm-xforce-exchange tr-05-ibm-xforce-exchange
- Watch the container logs to ensure it starts correctly.
docker logs tr-05-ibm-xforce-exchange
-
Once the container has started correctly, open your web browser to http://localhost:9090. You should see a response from the container.
This application was developed and tested under Python version 3.9.
-
POST /health
- Verifies the Authorization Bearer JWT and decodes it to restore the original credentials.
- Authenticates to the underlying external service to check that the provided credentials are valid and the service is available at the moment.
-
POST /deliberate/observables
- Accepts a list of observables and filters out unsupported ones.
- Verifies the Authorization Bearer JWT and decodes it to restore the original credentials.
- Makes a series of requests to the underlying external service to query for some cyber threat intelligence data on each supported observable.
- Maps the fetched data into appropriate CTIM entities.
- Returns a list per each of the following CTIM entities (if any extracted):
Verdict
.
-
POST /observe/observables
- Accepts a list of observables and filters out unsupported ones.
- Verifies the Authorization Bearer JWT and decodes it to restore the original credentials.
- Makes a series of requests to the underlying external service to query for some cyber threat intelligence data on each supported observable.
- Maps the fetched data into appropriate CTIM entities.
- Returns a list per each of the following CTIM entities (if any extracted):
Verdict
,Judgement
,Indicator
,Sighting
,Relationship
.
-
POST /refer/observables
- Accepts a list of observables and filters out unsupported ones.
- Builds a search link per each supported observable to pivot back to the underlying external service and look up the observable there.
- Returns a list of those links.
-
POST /version
- Returns the current version of the application.
ip
ipv6
domain
md5
sha1
sha256
Each X-Force associated collection
generates a CTIM Sighting
and Indicator
linked with a member-of
Relation
.
Data from X-Force report
is used to generate
following CTIM entities depending on the observable type.
For URL
and Domain
:
- a
Verdict
based onreport
.result.score
- a
Judgement
based onreport
.result.score
- an
Indicator
for eachcategory
inreport
.result.cats
- a
Sighting
for eachcategory
inreport
.result.cats
- a
sighting-of
Relation
forSighting
andIndicator
created from onecategory
For IP
and IPv6
:
- a
Verdict
based onreport
.score
- a
Judgement
for eachcategory
inreport
.cats
- an
Indicator
for eachcategory
inreport
.cats
- a
Sighting
for eachcategory
inreport
.cats
- a
based-on
Relation
forSighting
andJudgement
created from onecategory
- a
based-on
Relation
forJudgement
andIndicator
created from onecategory
For MD5
, SHA1
and SHA256
:
- a
Verdict
based onreport
malware.risk
- a
Judgement
based onreport
malware.risk
Data from X-Force resolve
is used to generate a single CTIM Sighting
with DNS resolutions for Domain
, IP
and IPv6
stored as Sighting.relations
.
The time of investigation is used as a Sighting.observed_time
.