Purchase Of Laboratory Instruments & Other Items; Item No. 33 - Malware Forensic Tool - 1 No.

1. The bidder should provide a SaaS based web portal offering Malware Threat Intelligence and Dark Web research/monitoring capability for 5 users. The solution should also be offered with an API based integration for ingesting alerts and IOCs, bulk enrichment of IOCs, etc.

2. The OEM solution must comply with the following certifications:
   A. ISO 27001
   B. ISO 27701
   C. GDPR Compliant and member of the EU-US Privacy Shield Framework
   D. ISO 9001 Compliant

3. The Threat Intel OEM must have been in existence for more than 15 years, and the offered solution portal should have readily searchable data about the Customer (for up to the last 10 years) with the specific dates of each event. The OEM shall demonstrate the same at the time of technical evaluation.

4. The complete solution should be from a single OEM and not multiple OEMs. The Customer evaluation team may ask the bidder/OEM to technically demonstrate some of the key specifications. The bidder should consider all requirements as mandatory.

5. The solution must be offered with API/REST API based integration to provide high severity, block grade Threat feeds about malware and hashes (e.g. high risk score or risk rating very critical, high, etc.).

6. The Threat feeds must be auto updated at least every 4 hours for IP addresses, domains and URLs, and at least every 24 hours for hashes.

7. It shall be possible to check the current risk score/rating or confidence level of any IOC (IP address, domain, URL, hash, etc.) together with the reasons why the IOC is considered good or bad. The scoring mechanism shall be made available so that the analyst can understand why any IOC is risky.

8. The provider shall provision adequate professional services from the TI OEM or its authorized partners for one-time configuration of the TI feeds with the Customer SIEM, and shall provide 1 day of training.

9. The solution must provide complete intelligence (historical and latest) about the Customer and other entities, sourced from proprietary and OSINT collection methods, in a single viewing pane with at least the following information:
   (i) IP Addresses
   (ii) Domains
   (iii) Hashes
   (iv) URLs
   (v) Malware
   (vi) Threat Actors
   (vii) OEM research reports
   (viii) Hunting Packages, such as YARA, SIGMA and SNORT rules

10. The solution should provide a searchable malware sample repository to identify and better understand malware behaviour.

11. The solution must have the capability to raise alerts based on specific criteria, to stay ahead of emerging threats related to malware behaviours.

12. The solution must have a Malware Hunting feature, where users can simply type questions and prompts in plain English and immediately get actionable search results to understand and mitigate malware.

13. The malware hunting should offer information for both static and behavioural malware analysis, including command lines, registry keys, IOCs, PE imports and more.

14. The solution should be able to auto-generate YARA rules based on the malware samples selected.

15. The solution must have an actionable API to perform the following activities:
   a) Query Malware Intelligence data with a query language
   b) Query Malware Intelligence data with natural language
   c) Query Malware Intelligence data with lists of entities
   d) Fetch sandbox reports for a given SHA-256 hash and query

12. The solution must offer an option to export the search results in formats such as CSV, DOCX, JSON and PNG.

13. The solution should be able to display the searched data in various types of views, such as list view, timeline-based view, map-based view and source-based view.

14. The solution must have integrated GPT/OpenAI capability to summarize the top search results into a narrative view and a bulleted summary.

15. The web portal must provide context or co-references with other IOCs (e.g. other IP addresses within the same CIDR and their risk scores/ratings).

16. The web portal shall allow download of hunting packages such as YARA rules, SIGMA rules, SNORT rules and MITRE ATT&CK identifiers (T codes) to assist in hunting for adversaries, malware, or traffic of interest, wherever available. The hunting packages shall come from the OEM's own Threat Intelligence rather than from a third party.

17. The OEM must provide sector-specific intelligence kits, which are collections of pre-built use cases including custom advanced queries, based on specific industries or areas of interest.

18. The solution should be able to automatically generate Ransomware reports on a weekly and monthly basis using integrated OpenAI/GPT capabilities, and not via a human analyst/support request.

19. The solution should be offered with a web browser extension for Chrome, Mozilla Firefox and Chromium-based Microsoft Edge that scans any webpage in real time, identifies relevant entities, and presents a list of the entities detected along with their risk scores.

20. The browser extension must show the total number of IOCs (IP, URL, hash, domain and CVE) identified on the page with their associated risk scores. IOCs should be highlighted on the page itself using different colour codes for critical, medium and low severity.

21. The browser extension must organize the information in descending order by risk score/severity, to assist in prioritizing the IOCs shown on the page and reduce analyst triage time.

22. A fully featured browser extension must be provided to all the licenced analysts under this contract.

23. The browser extension should allow the user to highlight a Malware or Threat Actor name on a page and provide a context-specific menu (e.g. right-click) as a shortcut to the detailed threat intelligence about the same.

24. The browser extension must have the capability to export the IOCs (IP addresses, domains, URLs, file hashes and vulnerabilities) into separate CSV files directly from the browser plugin.

25. The solution must monitor discussions of malicious actors asking for or selling confidential information, selling breached databases, etc.

26. The solution must provide the most recent IOCs (up to the last 90 days) for a malware family or a Threat Actor, with one-click export to CSV format.

27. The solution must also crawl multiple anonymous messaging platforms such as Telegram and Discord to detect any malware samples shared.

28. The provider shall provide the facility to search the categorization of the historical data of a threat actor, threat activity and threat objects (historical data of the IPs, URLs, etc. used by the malicious entity), linked on a single view.

29. The solution must provide push notifications for the most critical alerts, and provide IOC search capability on the go from a mobile app available via the Apple App Store or Google Play Store.

30. The solution must be provided with 24/7 access to the support team via web, email and phone.

31. The solution must be offered with a Technical Account Manager/Customer Success Manager directly from the OEM, to offer the following services:
   - Provide enablement around the licenced product and services
   - Handle customer support issues and feature requests
   - Provide insights into product usage and benchmarking of alerts against industry peers
   - Provide training and enablement on new product features and services
   - Provide in-person Threat Briefings / custom workshops and table-top exercises / detailed reporting on topics, events and industries of Customer interest, considering 1 such activity twice a year