CISA Advisories CDF

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The CISA Advisories CDF consumes CISA's public cybersecurity advisories RSS feed to notify organizations about current threats, vulnerabilities and exploits.

The integration provides the following feed:

  • CISA Advisories - creates a ThreatQ Alert Event and any related objects.

The integration ingests the following system objects:

  • Events
    • Event Attributes
  • Indicators
    • Indicator Attributes
  • Incidents
  • TTPs
    • TTP Attributes
  • Vulnerabilities

Installation

Perform the following steps to install the integration. The same steps upgrade an existing installation to a new version.

  1. Log into https://marketplace.threatq.com/.
  2. Locate and download the integration file.
  3. Navigate to the integrations management page on your ThreatQ instance.
  4. Click on the Add New Integration button.
  5. Upload the integration file using one of the following methods:
    • Drag and drop the file into the dialog box
    • Select Click to Browse to locate the integration file on your local machine

    ThreatQ will inform you if the feed already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the feed contains changes to the user configuration. The new user configurations will overwrite the existing ones for the feed and will require user confirmation before proceeding.

  6. The feed will be added to the integrations page. You will still need to configure and then enable the feed.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials. This integration has no credential parameters: it reads CISA's public advisories feed, so no vendor key is needed.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the OSINT option from the Category dropdown (optional).

    If you are installing the integration for the first time, it will be located under the Disabled tab.

  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:

    Parameter | Description
    Enable SSL Certificate Verification | Enable or disable verification of the server's SSL certificate. Leave it enabled unless the instance reaches cisa.gov through an inspecting proxy whose CA it trusts: the feed turns whatever it downloads into events and indicators, so an unverified connection lets a man-in-the-middle inject or suppress them.
    Disable Proxies | Enable this option if the feed should not honor the proxies set in the ThreatQ UI.
    Truncate Description | Enable this parameter to truncate long descriptions, which can have a negative impact on the platform; see the Known Issues / Limitations section for details. Enabling it does not affect the integration's indicator parsing. Truncated descriptions end with a See Full Report link.
    Parse for Selected Indicators | Select which indicator types to parse out of alerts. Options include:
      • CVEs
      • MD5 Hashes
      • SHA-1 Hashes
      • SHA-256 Hashes
      • SHA-512 Hashes
      • IP Addresses
      • URLs
      • FQDNs
      This does not apply to parsed STIX files.
    Ingest CVEs As | Select the ThreatQ object type to ingest CVEs as. Options include:
      • Indicators (type: CVE)
      • Vulnerabilities (default)

    Configuration Screen

  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable the feed.

ThreatQ Mapping

CISA Advisories

The CISA Advisories feed and its two supplemental feeds, Get Report HTML (Supplemental) and Get Attachment (Supplemental), bring information about current security issues, vulnerabilities and exploits into ThreatQ.

The CISA Advisories CDF creates a ThreatQ Alert Event and any related Indicators, TTPs and Incidents.

GET https://www.cisa.gov/cybersecurity-advisories/cybersecurity-advisories.xml

Sample Response:

<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://www.cisa.gov/">
  <channel>
    <title>CISA Cybersecurity Advisories</title>
    <link>https://www.cisa.gov/</link>
    <description/>
    <language>en</language>
    
    <item>
      <title>#StopRansomware: BianLian Ransomware Group</title>
      <link>https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a</link>
      <description>&lt;h3&gt;Summary&lt;/h3&gt;
&lt;p&gt;&lt;em&gt;Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit &lt;/em&gt;&lt;a href="https://www.cisa.gov/stopransomware"&gt;&lt;em&gt;stopransomware.gov&lt;/em&gt;&lt;/a&gt;&lt;em&gt; to see all #StopRansomware advisories and learn more about other ransomware threats and no-cost resources.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023.&lt;/p&gt;
&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;div&gt;
&lt;p&gt;&lt;strong&gt;Actions to take today to mitigate cyber threats from BianLian ransomware and data extortion: &lt;/strong&gt;&lt;br /&gt;
			• Strictly limit the use of RDP and other remote desktop services.&lt;br /&gt;
			• Disable command-line and scripting activities and permissions.&lt;br /&gt;
			• Restrict usage of PowerShell and update Windows PowerShell or PowerShell Core to the latest version.&lt;/p&gt;
&lt;/div&gt;
&lt;/td&gt;
&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;p&gt;BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors then extort money by threatening to release data if payment is not made. BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion.&lt;/p&gt;
&lt;p&gt;FBI, CISA, and ACSC encourage critical infrastructure organizations and small- and medium-sized organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of BianLian and other ransomware incidents.&lt;/p&gt;
&lt;p&gt;Download the PDF version of this report (710kb):&lt;/p&gt;
</description>
      <pubDate>Mon, 15 May 2023 12:29:37 EDT</pubDate>
      <dc:creator>CISA</dc:creator>
      <guid isPermaLink="false">/node/18174</guid>
    </item>
  </channel>
</rss>

ThreatQuotient provides the following default mapping for this feed:

Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes
.rss.channel.item[].title | Event.title | N/A | .rss.channel.item[].pubDate | CISA and Partners Release BianLian Ransomware Cybersecurity Advisory | N/A
N/A | Event.type | Alert | N/A | Alert | N/A
.rss.channel.item[].description | Event.description | N/A | N/A | CISA, the Federal Bureau of Investigation (FBI), and the | Depending on the description length, the value can be replaced by the article's full HTML, which is fetched by the Get Report HTML (Supplemental) feed
.rss.channel.item[].pubDate | Event.happened_at | N/A | N/A | Tue, 16 May 23 12:00:00 +0000 | N/A
N/A | Event.attribute / Indicator.attribute / Vulnerability.attribute | CISA Advisories | .rss.channel.item[].pubDate | True | N/A
N/A | Event.attribute | Alert type | .rss.channel.item[].pubDate | CISA Advisories | N/A
.rss.channel.item[].link | Event.attribute | URL | .rss.channel.item[].pubDate | https://www.cisa.gov/news-events/alerts/2023/05/16/cisa-and-partners-release-bianlian-ransomware-cybersecurity-advisory | N/A
.rss.channel.item[].description | Event.attribute | PDF Link | .rss.channel.item[].pubDate | N/A | The link is extracted from the article's description
.rss.channel.item[].description | Event.attribute | Stix Link | .rss.channel.item[].pubDate | N/A | The link is extracted from the article's description
.rss.channel.item[].description | Indicator.value | <Various Types> | .rss.channel.item[].pubDate | N/A | User-configurable. Indicators of the types selected in Parse for Selected Indicators are parsed out of the description
.rss.channel.item[].description | Indicator.value / Vulnerability.value | CVE | .rss.channel.item[].pubDate | N/A | User-configurable. CVEs are parsed out of the description when CVEs is selected in Parse for Selected Indicators; Ingest CVEs As decides whether they become Indicators or Vulnerabilities
STIX File | Indicator.value / TTP.value / Incident.value | Indicator, TTP, Incident | .rss.channel.item[].pubDate | N/A | The STIX file is fetched by the Get Attachment (Supplemental) feed and then parsed for indicators, TTPs and incidents
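The last row says the STIX attachment fetched by Get Attachment (Supplemental) is parsed for indicators, TTPs and incidents.  The following is an added example of that step, not ThreatQuotient's CDF code, run over a constructed STIX 2.1 JSON bundle: it pulls simple equality comparisons out of each indicator's pattern, maps STIX object paths to ThreatQ indicator types, turns attack-pattern objects into TTPs carrying their ATT&CK ID, and passes incident objects through.  The bundle, the path-to-type table, the attribute keys (STIX Name, MITRE ATT&CK ID) and the result layout are assumptions of this example.  It covers STIX 2.x JSON only; a STIX 1.x .stix.xml attachment needs an XML parser instead.

```python
"""Added example, not ThreatQuotient's code: extract the Indicators, TTPs and Incidents
that the mapping table says are parsed from the STIX attachment, here from a constructed
STIX 2.1 JSON bundle. The path-to-type table, attribute keys and result layout are this
example's assumptions."""
import json
import re

# Constructed bundle: placeholder values (TEST-NET address, reserved .example TLD,
# SHA-256 of an empty file) and format-valid UUIDs that identify nothing real.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "name": "Loader", "pattern_type": "stix",
         "id": "indicator--22222222-2222-4222-8222-222222222222",
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
        {"type": "indicator", "spec_version": "2.1", "name": "C2", "pattern_type": "stix",
         "id": "indicator--33333333-3333-4333-8333-333333333333",
         "pattern": "[ipv4-addr:value = '192.0.2.10'] OR [domain-name:value = 'c2.bad.example']"},
        {"type": "indicator", "spec_version": "2.1", "name": "Detection", "pattern_type": "sigma",
         "id": "indicator--44444444-4444-4444-8444-444444444444",
         "pattern": "title: Suspicious RDP logon\nlogsource: {product: windows}"},
        {"type": "attack-pattern", "spec_version": "2.1",
         "id": "attack-pattern--55555555-5555-4555-8555-555555555555",
         "name": "Remote Services: Remote Desktop Protocol",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1021.001"}]},
        {"type": "incident", "spec_version": "2.1",
         "id": "incident--66666666-6666-4666-8666-666666666666",
         "name": "Data extortion at a placeholder victim"},
        {"type": "report", "spec_version": "2.1", "name": "Advisory", "object_refs": [],
         "id": "report--77777777-7777-4777-8777-777777777777"},  # not one of the mapped types
    ],
})

# STIX object path -> assumed ThreatQ indicator type name
STIX_TO_THREATQ = {
    "file:hashes.MD5": "MD5", "file:hashes.SHA-1": "SHA-1",
    "file:hashes.SHA-256": "SHA-256", "file:hashes.SHA-512": "SHA-512",
    "ipv4-addr:value": "IP Address", "ipv6-addr:value": "IPv6 Address",
    "domain-name:value": "FQDN", "url:value": "URL", "email-addr:value": "Email Address",
}
# One equality comparison: object path, '=', single-quoted literal (\' and \\ are escapes).
COMPARISON_RE = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")


def parse_stix_pattern(pattern):
    """Return [(threatq_type, value)] for each simple '=' comparison in a STIX pattern.
    Other operators (!=, LIKE, MATCHES, ISSUBSET) and unmapped object paths are skipped."""
    found = []
    for path, literal in COMPARISON_RE.findall(pattern):
        tq_type = STIX_TO_THREATQ.get(path.replace("'", ""))  # hashes.'SHA-256' -> hashes.SHA-256
        if tq_type:
            found.append((tq_type, literal.replace("\\'", "'").replace("\\\\", "\\")))
    return found


def bundle_to_threatq(bundle_json):
    """Walk a bundle and return the ThreatQ objects the CDF mapping table lists."""
    result = {"indicators": [], "ttps": [], "incidents": []}
    seen = set()
    for obj in json.loads(bundle_json).get("objects", []):
        kind = obj.get("type")
        # Only STIX-language patterns list observables; Sigma, YARA and Snort indicators
        # carry a rule and must not be regexed for '='. pattern_type defaults to stix.
        if kind == "indicator" and obj.get("pattern_type", "stix") == "stix":
            for tq_type, value in parse_stix_pattern(obj.get("pattern", "")):
                if (tq_type, value) not in seen:
                    seen.add((tq_type, value))
                    result["indicators"].append({"value": value, "type": tq_type,
                        "attributes": [{"name": "STIX Name", "value": obj.get("name", "")}]})
        elif kind == "attack-pattern":
            ids = [r["external_id"] for r in obj.get("external_references", [])
                   if r.get("source_name") == "mitre-attack" and "external_id" in r]
            result["ttps"].append({"value": obj.get("name", ""),
                                   "attributes": [{"name": "MITRE ATT&CK ID", "value": i} for i in ids]})
        elif kind == "incident":
            result["incidents"].append({"value": obj.get("name", ""),
                                        "description": obj.get("description", "")})
    return result
```

Only indicators whose pattern_type is stix (the default when the field is absent) are parsed; Sigma, YARA and Snort indicators carry a rule rather than a list of observables, and a regex for `=` would pull nonsense out of them.  Comparisons with other operators (!=, LIKE, MATCHES) are skipped rather than ingested as if they were equalities.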

Average Feed Run

Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.

Metric | Result
Run Time | 2 minutes
Events | 10
Event Attributes | 30
Indicators | 907
Indicator Attributes | 2,373
TTPs | 37
TTP Attributes | 37

Known Issues / Limitations

  • Descriptions exceeding 32,000 characters are ingested but not indexed due to a platform limitation. As a result, Events with large descriptions do not appear on the Threat Library page and can only be located through a direct search. To prevent this, enable the Truncate Description configuration parameter. When truncation is applied, a See Full Report link is added at the end of the description, and indicator parsing remains unaffected.
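As an added example, not the integration's own code, the following Python turns one RSS item into the Alert Event described in the ThreatQ Mapping table and applies the Parse for Selected Indicators, Ingest CVEs As and Truncate Description options from the Configuration section.  It extracts indicators from the full description and only then truncates, which is the ordering that leaves indicator parsing unaffected by truncation as the entry above states.  The feed sample is constructed and abbreviated from the sample response on this page; the regular expressions, the list of publisher domains excluded from FQDN and URL indicators, the config keys, the truncate_limit setting and the output dict layout are this example's assumptions, not ThreatQuotient's.

```python
"""Added example, not ThreatQuotient's code: build a ThreatQ-style Alert Event from one
CISA advisories RSS item per the mapping table, honouring Parse for Selected Indicators,
Ingest CVEs As and Truncate Description. Regexes, config keys, ignored domains and the
output layout are this example's own assumptions."""
import html
import re
import xml.etree.ElementTree as ET
from datetime import timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

# Constructed, abbreviated feed modelled on the sample response; placeholder values only
# (TEST-NET address, reserved .example TLD, MD5 of an empty file, format-only CVE id).
SAMPLE_RSS = """<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
  <channel>
    <item>
      <title>#StopRansomware: Example Ransomware Group</title>
      <link>https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-000a</link>
      <description>&lt;p&gt;Visit &lt;a href="https://www.cisa.gov/stopransomware"&gt;stopransomware.gov&lt;/a&gt;.
Actors exploited CVE-2023-00000 for initial access. Command and control was seen at 192.0.2.10 and
c2.bad.example; the loader (MD5 d41d8cd98f00b204e9800998ecf8427e) was staged at https://c2.bad.example/payload.exe.&lt;/p&gt;
&lt;p&gt;Download the &lt;a href="https://www.cisa.gov/sites/default/files/aa23-000a.pdf"&gt;PDF&lt;/a&gt; or the &lt;a href="https://www.cisa.gov/sites/default/files/aa23-000a.stix.xml"&gt;STIX&lt;/a&gt;.&lt;/p&gt;</description>
      <pubDate>Mon, 15 May 2023 12:29:37 EDT</pubDate>
    </item>
  </channel>
</rss>"""

DESCRIPTION_INDEX_LIMIT = 32000  # platform indexing limit from Known Issues / Limitations
IGNORED_DOMAINS = ("cisa.gov", "stopransomware.gov")  # assumed: publisher links are not IOCs
DEFAULT_CONFIG = {  # assumed keys mirroring the Configuration tab
    "parse_for": {"CVE", "MD5", "SHA-1", "SHA-256", "SHA-512", "IP Address", "URL", "FQDN"},
    "ingest_cves_as": "Vulnerabilities",  # or "Indicators"
    "truncate_description": False, "truncate_limit": DESCRIPTION_INDEX_LIMIT,
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
PATTERNS = {  # \b keeps a 64-hex SHA-256 from also matching as SHA-1 or MD5
    "CVE": re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.I),
    "SHA-512": re.compile(r"\b[0-9a-f]{128}\b", re.I), "SHA-256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "SHA-1": re.compile(r"\b[0-9a-f]{40}\b", re.I), "MD5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "IP Address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "FQDN": re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I),
}

def _ignored(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in IGNORED_DOMAINS)

def parse_description(description, parse_for):
    """Return (indicators, pdf_link, stix_link) for one advisory's HTML description."""
    text = html.unescape(description)  # entities left inside the embedded HTML
    urls = list(dict.fromkeys(u.rstrip(".,;:)") for u in URL_RE.findall(text)))
    pdf_link = next((u for u in urls if u.lower().endswith(".pdf")), None)
    # assumed: CISA attachments end in .stix.xml (STIX 1.x) or .json (STIX 2.x)
    stix_link = next((u for u in urls if u.lower().endswith((".stix.xml", ".json"))), None)
    found = [{"value": u, "type": "URL"} for u in urls
             if "URL" in parse_for and not _ignored(urlparse(u).hostname)]
    # strip tags and bare URLs first so file names in links (payload.exe) are not taken for FQDNs
    plain = URL_RE.sub(" ", re.sub(r"<[^>]+>", " ", text))
    for kind, regex in PATTERNS.items():
        if kind not in parse_for:
            continue
        for value in dict.fromkeys(regex.findall(plain)):
            if kind == "IP Address" and max(int(o) for o in value.split(".")) > 255:
                continue
            if kind == "FQDN" and _ignored(value):
                continue
            found.append({"value": value.upper() if kind == "CVE" else value, "type": kind})
    return found, pdf_link, stix_link

def truncate_description(description, link, limit=DESCRIPTION_INDEX_LIMIT):
    """Cut below the indexing limit and append See Full Report; call after parsing indicators."""
    if len(description) <= limit:
        return description
    suffix = f'<p><a href="{link}">See Full Report</a></p>'
    cut = description[: max(limit - len(suffix), 0)]
    if cut.count("<") > cut.count(">"):  # do not leave a half-written tag behind
        cut = cut[: cut.rfind("<")]
    return cut + suffix

def build_event(item, config):
    """Map one <item> to the Event, attributes and related objects of the mapping table."""
    link, description = item.findtext("link") or "", item.findtext("description") or ""
    indicators, pdf_link, stix_link = parse_description(description, config["parse_for"])
    if config["truncate_description"]:
        description = truncate_description(description, link, config["truncate_limit"])
    source = {"name": "CISA Advisories", "value": "True"}  # set on every created object
    attributes = [source, {"name": "Alert type", "value": "CISA Advisories"}, {"name": "URL", "value": link}]
    attributes += [{"name": n, "value": v} for n, v in (("PDF Link", pdf_link), ("Stix Link", stix_link)) if v]
    cves = [dict(i, attributes=[source]) for i in indicators if i["type"] == "CVE"]
    others = [dict(i, attributes=[source]) for i in indicators if i["type"] != "CVE"]
    as_vulns = config["ingest_cves_as"] == "Vulnerabilities"
    happened_at = parsedate_to_datetime(item.findtext("pubDate")).astimezone(timezone.utc)
    return {"title": item.findtext("title"), "type": "Alert", "description": description,
            "happened_at": happened_at.isoformat(), "attributes": attributes,  # all dated pubDate
            "indicators": others if as_vulns else others + cves,
            "vulnerabilities": [{"value": c["value"], "attributes": [source]} for c in cves] if as_vulns else []}

def parse_feed(xml_text, config=None):  # one Alert Event dict per <item>
    cfg = {**DEFAULT_CONFIG, **(config or {})}
    return [build_event(item, cfg) for item in ET.fromstring(xml_text).iter("item")]
```

The publisher-domain filter is the part worth tuning: without it every advisory's stopransomware.gov and cisa.gov links would be ingested as indicators and pollute the Threat Library.  The `\b` boundaries in the hash patterns matter as well; without them a SHA-256 also satisfies the MD5 and SHA-1 expressions and one hash yields three indicators.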

Change Log

  • Version 1.0.3
    • Added a new configuration parameter: Truncate Description. Enable this parameter to truncate the long descriptions and include a link to the full report. 
    • Added a new Known Issues / Limitation entry - descriptions exceeding 32,000 characters are ingested but not indexed due to a platform limitation. As a result, Events with large descriptions will not appear on the Threat Library page and can only be located through a direct search.
  • Version 1.0.2
    • Resolved an indicator parsing issue that resulted in incomplete ingestion of advisory content.
    • The integration will no longer truncate object descriptions.
    • Added the following new configuration parameters:
      • Disable Proxies - determine if the feed should honor proxies set in the ThreatQ UI.
      • Ingest CVEs As - select whether to ingest CVEs as Indicators (type: CVE) or Vulnerabilities.
    • Added the following new options for the Parse for Selected Indicators configuration parameter:
      • IP Addresses
      • URLs
      • FQDNs
    • Updated the minimum ThreatQ version to 5.19.0.
  • Version 1.0.1
    • Resolved a date parsing issue.  
  • Version 1.0.0
    • Initial release

PDF Guides

Document | ThreatQ Version
CISA Advisories CDF Guide v1.0.3 | 5.19.0 or Greater
CISA Advisories CDF Guide v1.0.2 | 5.19.0 or Greater
CISA Advisories CDF Guide v1.0.1 | 4.52 or Greater
CISA Advisories CDF Guide v1.0.0 | 4.52 or Greater