This tool helps customers import VMware Carbon Black EDR-provided threat intelligence feeds into EDR servers installed inside an isolated network. This script will export a subset of the CB Collective Defense Cloud Threat Intelligence Feeds into a set of JSON files which can then be copied and imported into an airgapped EDR server.
The following feeds are supported by this tool:
Other CB Collective Defense Cloud feeds are not able to be exported as they require the target EDR server to be online and actively communicating with the Collective Defense Cloud.
To use this tool, you will need two EDR servers, one with access to the Internet and the CB Collective Defense Cloud (the “source”), and one that is disconnected from the Internet (the “destination”). The first server will run the script in “export” mode to download the feeds from the CB Collective Defense Cloud and save them to a local directory. This directory is then burned to CD, copied to USB, or otherwise transferred to the “destination” server through a secure means. The folder includes a copy of the script plus the contents of all the feeds exported from the CB Collective Defense Cloud.
Once the folder arrives on the destination server, the script is then run in “import” mode to import the feed contents into the isolated EDR server. This process can be repeated on a regular basis to keep the copies of the feeds on the “destination” server in sync with the feeds from the CB Collective Defense Cloud.
Run the /usr/share/cb/cbfeed_airgap
script on the “source” system with a -f
argument indicating
the folder where the feeds should be saved. This folder could be on a mounted USB stick, or
a temporary directory that will be burned to CD-ROM. For example:
# ./usr/share/cb/cbfeed_airgap export -f /tmp/blah
exporting threat intelligence feeds to /tmp/blah
...
# cp -rp /tmp/blah /media/USB
# umount /media/USB
Note: Include a -v option for verbose logging to /var/log/cb/cli/cli.log
Copy the files to your destination server.
Change into the directory containing the script and feeds
folder that you copied from the
“source” server.
Run the /usr/share/cb/cbfeed_airgap
script on the “destination” system in “import” mode. For example:
# ./usr/share/cb/cbfeed_airgap import
importing threat intelligence feeds from /media/USB
...