The Airgap tool helps you import Carbon Black EDR-provided threat intelligence feeds into Carbon Black EDR servers that are installed inside an isolated network.

This script exports a subset of the Carbon Black Collective Defense Cloud Threat Intelligence Feeds into a set of JSON files that can be copied and imported into an airgapped Carbon Black EDR server.

The following feeds are supported by this tool:

  • abuse.ch Indicators of Compromise

  • Malware Domain List

  • Tor exit nodes

  • Carbon Black Advanced Threat Indicators

  • Carbon Black Community Feed

  • Carbon Black Early Access Feed

  • Carbon Black Suspicious Indicators

  • Carbon Black Endpoint Visibility Feed

  • Carbon Black Known IOC Feed

  • SANS Threat Hunting Feed

  • AlienVault Open Threat Exchange

  • Facebook Threat Exchange TLP White Indicators

  • ThreatConnect

  • MITRE ATT&CK Feed

Other Carbon Black Collective Defense Cloud feeds cannot be exported because they require the target Carbon Black EDR server to be online and actively communicating with the Collective Defense Cloud.

For support of the Airgap tool:

  • View all API and integration offerings on the VMware Carbon Black EDR Developer Network, together with reference documentation, video tutorials, and how-to guides.

  • Use the Developer Community Forum to discuss issues and get answers from other API developers in the VMware Carbon Black Community.

  • Report bugs and change requests to VMware Carbon Black Support.

Run the Airgap Tool

Use the Airgap tool to provide feeds from the Carbon Black Collective Defense Cloud to an airgapped Carbon Black EDR server.

The source server runs the script in export mode to download the feeds from the Carbon Black Collective Defense Cloud and save them to a local directory. This directory is then burned to CD, copied to USB, or otherwise transferred to the destination server through a secure means. The folder includes a copy of the script plus the contents of all the feeds exported from the Carbon Black Collective Defense Cloud.

After the folder arrives at the destination server, the script is run in import mode to import the feed contents into the isolated Carbon Black EDR server. This process can be repeated on a regular basis to keep the copies of the feeds on the destination server synchronized with the feeds from the Carbon Black Collective Defense Cloud.

Prerequisites

To use this tool, you need two Carbon Black EDR servers: one that has Internet access and can reach the Carbon Black Collective Defense Cloud (the source), and one that is disconnected from the Internet (the destination).

Procedure

  1. Run the /usr/share/cb/cbfeed_airgap script on the source system with the -f argument to indicate the folder where the feeds should be saved. This folder can be on a mounted USB stick, or a temporary directory that will be burned to CD-ROM. For example:
    # ./usr/share/cb/cbfeed_airgap export -f /tmp/blah
    exporting threat intelligence feeds to /tmp/blah
    # cp -rp /tmp/blah /media/USB
    # umount /media/USB
    ...
    Note: Include a -v option for verbose logging to /var/log/cb/cli/cli.log.
  2. Copy the files to the destination server.
  3. Go to the directory that contains the script and feeds folder that you copied from the source server.
  4. Run the /usr/share/cb/cbfeed_airgap script on the destination system in import mode. For example:
    # ./usr/share/cb/cbfeed_airgap import
    importing threat intelligence feeds from /media/USB
    ...
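The procedure above moves the exported folder across the air gap by CD or USB, so the destination has no way to tell a corrupted or altered bundle from a good one before importing it. The following added example (not part of the cbfeed_airgap tool or the Carbon Black documentation) writes a SHA-256 manifest next to the exported feeds on the source and verifies it on the destination before step 4. It assumes GNU coreutils and findutils on both servers; the feed file names and contents used in the demo are constructed.

```shell
#!/bin/sh
# Added example: integrity manifest for an airgapped feed bundle.
# Assumptions (not from the page): GNU sha256sum/find/sort/xargs are present,
# and the bundle is the folder given to `cbfeed_airgap export -f`.
set -eu

# Source side, after export: hash every file in the bundle (paths relative to
# the bundle root) into MANIFEST.sha256 so the destination can check it with
# nothing but coreutils. Run before copying the folder to the USB stick or CD.
make_manifest() {
    dir="$1"
    ( cd "$dir" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | LC_ALL=C sort -z | xargs -0 -r sha256sum > MANIFEST.sha256 )
}

# Destination side, before import: return 0 only if the manifest exists, the
# bundle contains exactly the files it lists (no additions, no deletions), and
# every file's hash matches. Any other outcome returns non-zero so a wrapper
# can refuse to run `cbfeed_airgap import`.
verify_manifest() {
    dir="$1"
    [ -f "$dir/MANIFEST.sha256" ] || { echo "no manifest in $dir" >&2; return 1; }
    listed=$(wc -l < "$dir/MANIFEST.sha256" | tr -d ' ')
    present=$(cd "$dir" && find . -type f ! -name MANIFEST.sha256 | wc -l | tr -d ' ')
    [ "$listed" -eq "$present" ] || {
        echo "file count mismatch: manifest lists $listed, bundle has $present" >&2
        return 1
    }
    ( cd "$dir" && sha256sum --quiet -c MANIFEST.sha256 )
}

# Constructed demo: build a throwaway bundle, verify it, then show that a
# single appended byte is detected. Prints "verified" and "tamper detected".
demo_roundtrip() {
    bundle=$(mktemp -d)
    printf '{"constructed":"placeholder feed"}\n' > "$bundle/example_feed.json"
    make_manifest "$bundle"
    verify_manifest "$bundle" && echo "verified"
    printf 'x' >> "$bundle/example_feed.json"          # simulate corruption in transit
    if verify_manifest "$bundle" 2>/dev/null; then echo "MISSED"; else echo "tamper detected"; fi
    rm -rf "$bundle"
}

demo_roundtrip
```

Copy MANIFEST.sha256 along with the feeds; on the destination run verify_manifest on the copied folder and only proceed to the import step when it returns 0.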