January 21, 2019 / by Mervin Marks / In threat-intelligence /

DNIF Integration with Kaspersky Threat Intelligence Portal

Here’s a question for you: do you know the importance of threat intelligence? If you are a security service provider, or if your organization has its own security operations division, your answer should be “yes.” If your answer is “no,” “I don’t know” or “I’m not sure how important it is,” I implore you to ask the same question of anyone in this business, so you can get the real picture. “But I can just hire an army of security analysts to take care of my network,” you say. “Why do I need this ‘threat intelligence’ stuff?”

No doubt, an army of security analysts is a nice thing to have — but without threat intelligence, your army of analysts might as well have blindfolds on and earplugs in. Now, imagine an army of security analysts armed with targeted threat intelligence from experts who monitor the global cybersecurity landscape, staying on top of all the latest threats. You could have the best monitoring tool and analysts in the world, but it’s the intelligence and expert insights that make all the difference when it comes to detecting and mitigating threats.

Fortunately, Kaspersky Threat Intelligence Portal (TIP) provides reliable, immediate intelligence about cyber threats, legitimate objects, and their interconnections and indicators — all enriched with actionable context, so you can inform your business or clients about the associated risks and implications. Now, you can mitigate and respond to threats more effectively, defending your system against attacks even before they are launched. DNIF, on the other hand, is a real-time big data analytics platform that goes hand in hand with Kaspersky’s TIP service. Used by some of the largest banks and telecom companies in India, the primary use case is that of a SIEM (security information and event management) platform.

Consider this: DNIF is a big data analytics platform, capable of ingesting terabytes of log data, parsing that information, storing it and running real-time analytics on the data set. Meanwhile, Kaspersky’s Threat Intelligence Portal delivers all the knowledge acquired by Kaspersky Lab about cyber threats and their relationships through a powerful, unified web service. Operating in concert, the two systems provide your security teams with as much relevant data as possible in order to prevent cyberattacks that could impact your organization. The platform retrieves the latest detailed threat intelligence about URLs, domains, IP addresses, file hashes, statistical/behavioral data, WHOIS/DNS data, and so on. The result is global visibility of new and emerging threats, helping you secure your organization and bolstering incident response.

Using the Kaspersky Threat Intelligence Portal API and DNIF

The Kaspersky Threat Intelligence Portal lookup plugin for DNIF is published on GitHub at https://github.com/dnif/lookup-kaspersky

Getting started with Kaspersky Threat Intelligence Portal API and DNIF

  1. Log in to your Data Store & Correlator containers.
  2. Move to the /dnif/<Deployment-key>/lookup_plugins folder path:
    $ cd /dnif/CnxxxxxxxxxxxxV8/lookup_plugins/
    
  3. Clone the plugin repository with git clone:
    $ git clone https://github.com/dnif/lookup-kaspersky.git
    
  4. Kaspersky Threat Intelligence Portal API certificate in PEM format:
    • You must convert the certificate received from your dedicated Kaspersky Lab Technical Account Manager to PEM format before working with the Kaspersky Threat Intelligence Portal API.
    • Save the .pem certificate in a safe path.
  5. Edit the dnifconfig.yml configuration file in the /dnif/<Deployment-key>/lookup_plugins/kaspersky/ folder path.

Replace the fields under the lookup_plugin: key with your Kaspersky Threat Intelligence Portal credentials and the path to the PEM certificate:

    lookup_plugin:
      KASPERSKY_API_USERNAME: <Add_your_api_username_here>
      KASPERSKY_API_PASSWORD: <Add_your_api_password_here>
      KASPERSKY_API_CERT_PATH: </path/to/your/.pem>
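Steps 2 to 5 above as a POSIX shell helper, added here as an example and not part of the original post or of DNIF's own code: it checks that the certificate file really is PEM before it is referenced, then writes the plugin's dnifconfig.yml from values passed in, owner-readable only, since the file holds a live API credential. The lookup_plugin: key and the folder layout are taken from the post; the function names and the plain-text PEM header check are assumptions.

```shell
#!/bin/sh
# Added example, not DNIF's or Kaspersky's code. Function names, the
# plain-text PEM header check and the YAML layout under lookup_plugin:
# are assumptions; the path layout follows the post.

# check_pem FILE: returns 0 if FILE is readable and carries a PEM
# certificate block, 1 otherwise (a DER or PKCS#12 file fails here,
# which is the "convert to PEM first" requirement from step 4).
check_pem() {
    pem="$1"
    [ -r "$pem" ] || { echo "PEM not readable: $pem" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || {
        echo "no PEM certificate header in: $pem" >&2; return 1; }
    grep -q -- '-----END CERTIFICATE-----' "$pem" || {
        echo "truncated PEM certificate in: $pem" >&2; return 1; }
}

# yaml_quote STRING: emit STRING as a single-quoted YAML scalar, so a
# password containing ':' or '#' cannot change the structure of the file.
yaml_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# write_config DEPLOYMENT_DIR USERNAME PASSWORD PEM_PATH
# Writes DEPLOYMENT_DIR/lookup_plugins/kaspersky/dnifconfig.yml with
# mode 600; DEPLOYMENT_DIR is /dnif/<Deployment-key> in the post's layout.
write_config() {
    dir="$1/lookup_plugins/kaspersky"
    check_pem "$4" || return 1
    mkdir -p "$dir" || return 1
    ( umask 077   # subshell: the restrictive umask does not leak out
      cat > "$dir/dnifconfig.yml" <<EOF
lookup_plugin:
  KASPERSKY_API_USERNAME: $(yaml_quote "$2")
  KASPERSKY_API_PASSWORD: $(yaml_quote "$3")
  KASPERSKY_API_CERT_PATH: $(yaml_quote "$4")
EOF
    ) || return 1
    chmod 600 "$dir/dnifconfig.yml"
}
```

Pass the credentials in from a secrets store or a prompt rather than as literal arguments on an interactive command line, so they do not end up in shell history.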

Once the Kaspersky TIP is integrated with DNIF, there are a host of API calls that can be executed from the DNIF console. We will cover each one of them in the next blog and also feature a few use cases. However, if you would like an overview of all the features that come with this integration, feel free to check out: Threat Validation Made Easy With Kaspersky TIP

We’d like to end this post by thanking Team Kaspersky for all of the assistance and support they have provided.
