
Cyware Threat Intelligence eXchange

Prerequisites

Ensure that you meet the following prerequisites before initiating the deployment. To use this guide successfully, Cyware recommends that you be familiar with deploying software on Linux servers and installing databases on Linux enterprise servers.

Because environment configurations vary, Cyware engineers can offer only general guidance for your specific AWS environment. Cyware therefore strongly recommends that you engage a technical resource with expertise in your environment to validate the prerequisites and to be available during the deployment.

Note

The default shell that is used for the Intel Exchange deployment is Bash.

Network Requirements

Share the public egress (gateway) IP addresses of your servers with the Cyware team so that we can add them to our Allow List and enable access to our repository domains.

Cyware recommends that you provision Elastic IP addresses and assign them to the deployed EC2 instances so that the public IP addresses do not change when instances are stopped and started or during routine AWS maintenance. If you assign Elastic IP addresses, share them with the Cyware team.

Synchronize with NTP Server

Synchronize the servers used in the Intel Exchange deployment with your organization's Network Time Protocol (NTP) server. To check whether the system clock is synchronized and the NTP service is active, run the following command:

timedatectl
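
As an added example (not part of the Cyware documentation), the following script turns that manual check into a pre-flight test: it parses the two relevant lines of timedatectl's output and fails unless the clock is synchronized and the NTP service is active. The sample output in the usage comment is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the Cyware documentation: fail a pre-flight
# check unless timedatectl reports a synchronized clock and an active
# NTP service. Reads timedatectl's human-readable output on stdin.

# ntp_status_ok: returns 0 when both conditions hold, 1 otherwise.
# Expected lines (constructed sample, as printed by recent systemd):
#   System clock synchronized: yes
#                 NTP service: active
ntp_status_ok() {
  local synced="" ntp="" line
  while IFS= read -r line; do
    case "$line" in
      *"System clock synchronized:"*) synced="${line##*: }" ;;
      *"NTP service:"*)               ntp="${line##*: }" ;;
    esac
  done
  [ "$synced" = "yes" ] && [ "$ntp" = "active" ]
}

# Usage on a deployment server (uncomment):
# timedatectl | ntp_status_ok \
#   || { echo "clock not synchronized; enable NTP before deploying" >&2; exit 1; }
```

Older systemd releases label these lines "NTP synchronized" and "Network time on" instead, so adjust the two patterns if the check fails on such a host; `timedatectl show` prints the same facts as machine-readable NTPSynchronized= and NTP= properties if you prefer to parse those.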

Allow Cyware Domains

Add the following Cyware domains to your Allow List. You need access to these domains during the deployment to download the installation package, and afterwards to reach the production license server and Cyware Support.

  • The Docker registries from which the installer and configuration files can be downloaded:

    • https://packages.cyware.com/: Stores the Python libraries required to execute apps at the run-time.

    • https://prod.packages.cyware.com: Stores the build packages of Cyware products.

  • https://cylms.cyware.com: License management repository that stores license properties and details allocated to an instance of Cyware product.

  • https://support.cyware.com/hc/en-us: ITSM portal for customers to contact the Cyware support team for assistance.

  • https://techdocs.cyware.com: Technical documentation portal of Cyware.

  • https://appstore.cyware.com: Stores the Appstore apps and the custom apps.

Intranet Connectivity

Source           Destination       Direction        Port                                        Comments
---------------  ----------------  ---------------  ------------------------------------------  ---------------------------------------------------------
Proxy/Firewall   Web App Server    Unidirectional   443                                         To enable inbound HTTPS traffic.
Web App Server   Database Server   Unidirectional   29092, 9092, 5432, 9200, 6379, 6378, 2181   To enable Docker communications to the database services.

Note

Ensure that the ports listed in the table are allowed in the relevant Security Groups, Network Access Control Lists (NACLs), and host firewalls. Security Groups are stateful, so allowing the inbound port is sufficient; NACLs are stateless, so the return traffic (ephemeral ports, typically 1024-65535, in the opposite direction) must also be allowed or the connections will fail.
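
As an added example (not from the Cyware documentation), the following script, run on the Web App Server, attempts a TCP connection to each database-tier port in the table and reports the ones that cannot be reached, which is the quickest way to find a missing Security Group, NACL, or host-firewall rule before the installer does. The database host in the usage comment is a placeholder; the service names in the comment are the conventional defaults for those port numbers and are an assumption, since the page does not name the services.

```shell
#!/usr/bin/env bash
# Added example, not from the Cyware documentation: from the Web App
# Server, confirm that every database-tier port in the Intranet
# Connectivity table accepts a TCP connection. A refused or timed-out
# port usually means a Security Group, NACL, or host firewall rule is
# missing. Uses bash's /dev/tcp so no extra tooling is required.

# Ports from the table. Service names are an assumption based on the
# conventional defaults (5432 PostgreSQL, 9092/29092 Kafka, 9200
# Elasticsearch/OpenSearch, 6379 Redis, 2181 ZooKeeper); the page does
# not state which service listens where.
CTIX_DB_PORTS="29092 9092 5432 9200 6379 6378 2181"

# tcp_port_open HOST PORT: 0 if a TCP handshake completes within 3 s.
# Runs in an explicit bash subprocess because /dev/tcp is a bash feature.
tcp_port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_db_ports HOST: prints one line per port; returns the number of
# ports that could not be reached (0 means every port is open).
check_db_ports() {
  local host="$1" failed=0 port
  for port in $CTIX_DB_PORTS; do
    if tcp_port_open "$host" "$port"; then
      echo "open   $host:$port"
    else
      echo "CLOSED $host:$port"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage (replace with your Database Server's private IP or hostname; placeholder):
# check_db_ports 10.0.2.15 || echo "some database ports are blocked" >&2
```

Run it from the Web App Server rather than from a bastion host: Security Group rules are evaluated per source, so a port that is open from your workstation can still be closed from the instance that matters.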

Proxy Configuration

If a proxy acts as the gateway between your servers and the internet, configure it beforehand on all the servers used for the deployment so that they can reach the Cyware repositories. You configure the proxy for Intel Exchange in the vars.yml file. For more information, see the Update Vars File section in Deployment Procedure.

For more information on how to configure proxy on a Linux server, see Configure Proxy on Linux Server.

Domain Details

If the Intel Exchange platform must be available on a specific domain name, have the following ready:

  • Domain Name: The custom domain name on which you want to access the application, for example https://tenantcode.myorg.com. You configure the domain and tenant code of the application in the vars.yml file during deployment. For more information, see the Update Vars File section in Deployment Procedure.

  • SSL certificates with the following details:

    • Root, intermediate, and domain certificates in .crt format

    • The private key of the domain certificate

    Store the certificate (.crt) and key (.key) files in the /etc/ssl directory as ssl.crt and ssl.key respectively. Restrict the permissions of the key file so that only root can read it; a private key readable by other accounts on the server undermines the TLS protection it provides.

    Note

    You can also generate and use a self-signed SSL certificate. For more information, see Create Self-Signed SSL Certificate. Browsers and API clients do not trust a self-signed certificate unless it is explicitly imported, so use one only for testing or internal deployments.

  • DNS Configuration on a public or internal DNS server: Create a record that resolves the domain name to the application's web server, virtual IP, or load balancer IP address.
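
Before deploying, it is worth confirming that the certificate and key copied to /etc/ssl actually belong together, that the chain verifies, and that the key is not readable by other accounts; a mismatch or a missing intermediate otherwise shows up only as a failed TLS handshake after the application is up. The following is an added example (not Cyware's own tooling) using openssl. The ssl.crt and ssl.key paths are the ones stated above; the root/intermediate bundle path (ca-bundle.crt) is an assumed name. For a self-signed certificate, pass the certificate itself as the bundle and the chain check passes.

```shell
#!/usr/bin/env bash
# Added example, not from the Cyware documentation: verify that
# /etc/ssl/ssl.crt and /etc/ssl/ssl.key are a matching pair, that the
# chain verifies against the root/intermediate bundle, and that the
# private key is not readable by group or other.

# cert_key_match CRT KEY: 0 if the public key inside CRT equals the
# public key derived from KEY (compares the PEM SubjectPublicKeyInfo).
cert_key_match() {
  local crt_pub key_pub
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# chain_valid CRT CAFILE: 0 if the leaf in CRT verifies against CAFILE.
# CRT is also passed as -untrusted so intermediates bundled in it are used.
chain_valid() {
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# key_perms_ok KEY: 0 only when group and other have no permissions
# (mode ends in 00, e.g. 600 or 400).
key_perms_ok() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# preflight_tls CRT KEY CAFILE: runs all three checks, reports each,
# returns nonzero if any of them fails.
preflight_tls() {
  local rc=0
  cert_key_match "$1" "$2" && echo "ok   certificate and key match" \
    || { echo "FAIL certificate and key do not match"; rc=1; }
  chain_valid "$1" "$3" && echo "ok   chain verifies" \
    || { echo "FAIL chain does not verify (missing intermediate or wrong bundle?)"; rc=1; }
  key_perms_ok "$2" && echo "ok   key permissions" \
    || { echo "FAIL key readable by group/other; run: chmod 600 $2"; rc=1; }
  return "$rc"
}

# Usage on the Web App Server (uncomment; ca-bundle.crt is an assumed
# name for the file holding the root and intermediate certificates):
# preflight_tls /etc/ssl/ssl.crt /etc/ssl/ssl.key /etc/ssl/ca-bundle.crt
```

If you terminate TLS on an Application Load Balancer as recommended below, run the same checks on the certificate you upload to ACM or the listener rather than on the instance files.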

Application Load Balancer

An Application Load Balancer (ALB) manages traffic flow, optimizes service delivery, and maintains a secure communication channel with clients. For optimal performance and security, Cyware strongly recommends that you place an AWS Application Load Balancer in front of the deployment to terminate client TLS (SSL) and proxy connections to the Cyware services on the backend.

Allow External URLs
  • (Optional) App URLs: Allow outbound connections to the URLs of the third-party applications that you want to integrate with CTIX, for example CrowdStrike and AlienVault.

  • (Optional) SSO/SAML URL: Add the embed URL of the SSO/SAML authentication app that you are using to the Allow List. For more information, see Configure SAML 2.0 as the Authentication Method.

  • (Optional) LDAP URL: Add the URL of the LDAP server used for authentication to the Allow List.

  • (Optional) Google Sign-In URL: Add the following URL to the Allow List to enable the Google Sign-In authentication method: https://accounts.google.com/gsi/client

  • Google URL: Allow outbound connections to the following Google URLs:

    • https://fonts.gstatic.com: To render the Google fonts that are used in the CTIX application

    • https://maps.googleapis.com: To render Google Maps and display a map view of the IP threat data.

  • MITRE ATT&CK Navigator URLs: Allow outbound connections to the following GitHub URLs so that the application can reach the MITRE ATT&CK Navigator repository:

    • https://github.com/mitre-attack

    • https://raw.githubusercontent.com/MISP/

    • https://raw.githubusercontent.com/mitre/

  • Public Suffix URL: Allow outbound connections to the following public suffix URL to render TLD-related widgets in the CTIX dashboards: https://publicsuffix.org/list/public_suffix_list.dat
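
As an added example (not part of the Cyware documentation), the following script probes every host named on this page (the Cyware domains in Allow Cyware Domains and the external URLs listed here) over HTTPS from a deployment server, so that allow-list and proxy problems surface before the installer runs. The URL list is constructed from this page; curl honours the https_proxy and HTTPS_PROXY environment variables, so run it with the same proxy settings the servers will use, and add your own SSO, LDAP, and app-integration hosts to the list.

```shell
#!/usr/bin/env bash
# Added example, not from the Cyware documentation: confirm that the
# outbound allow list (and the proxy, if any) lets a deployment server
# reach every external host this page names. Any HTTP status, even 403
# or 404, proves the host was reached; "000" means the TCP or TLS
# connection never completed, which points at the proxy or firewall.

# Constructed from the URLs on this page; extend with your own hosts.
REQUIRED_URLS="
https://packages.cyware.com/
https://prod.packages.cyware.com
https://cylms.cyware.com
https://support.cyware.com/hc/en-us
https://techdocs.cyware.com
https://appstore.cyware.com
https://accounts.google.com/gsi/client
https://fonts.gstatic.com
https://maps.googleapis.com
https://github.com/mitre-attack
https://raw.githubusercontent.com/MISP/
https://raw.githubusercontent.com/mitre/
https://publicsuffix.org/list/public_suffix_list.dat
"

# url_host URL: prints the host part (scheme, port, and path removed).
url_host() {
  local rest="${1#*://}"
  rest="${rest%%/*}"
  printf '%s\n' "${rest%%:*}"
}

# unique_hosts: reads URLs on stdin (blank lines ignored), prints each
# host once so a blocked host is reported a single time.
unique_hosts() {
  local u
  while IFS= read -r u; do
    [ -n "$u" ] && url_host "$u"
  done | sort -u
}

# probe_hosts: reads hosts on stdin, sends a HEAD request to https://HOST/
# through whatever proxy the environment specifies, prints one line per
# host, and returns the number of hosts that could not be reached.
probe_hosts() {
  local h code blocked=0
  while IFS= read -r h; do
    code=$(curl -sS -I -o /dev/null --connect-timeout 5 --max-time 10 \
             -w '%{http_code}' "https://$h/" 2>/dev/null </dev/null)
    if [ -z "$code" ] || [ "$code" = "000" ]; then
      echo "BLOCKED    $h"
      blocked=$((blocked + 1))
    else
      echo "reachable  $h (HTTP $code)"
    fi
  done
  return "$blocked"
}

# Usage on each deployment server (uncomment):
# printf '%s\n' "$REQUIRED_URLS" | unique_hosts | probe_hosts \
#   || echo "some required hosts are blocked; fix the allow list or proxy" >&2
```

A reachable result here does not confirm that Cyware has allow-listed your egress IP on their side; it only confirms your own outbound path. Keep the two checks separate when troubleshooting a failed package download.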