OASIS Cyber Threat Intelligence (CTI) TC


Example Reference Implementations: CRITs

1. Example Reference Implementations: CRITs

    Posted 06-25-2015 18:42
    [Note: Fully documenting examples of existing capabilities, along with easy to deploy evaluation frameworks, and establishing the form/structure/delivery of this content will be one of the objectives for the Engagement SC. So this is admittedly rough...]

    CRITs

    I want to share an example of an existing Open Community developed, integrated analysis framework that is working well today. Four related slides from a recent presentation given at the FIRST Conference in Berlin are attached.

    CRITs leverages existing STIX/CybOX/TAXII Standards to move us beyond current, portal based, stove-piped, manual "Copy/Paste" CTI exchange paradigms. With CRITs, and the supporting open community developed ecosystems, we are empowering Analyst driven inter-exchange of rich CTI and analysis that maintains context and relationships within given campaigns and in the broader context of Adversary TTPs over time.

    Current efforts are focused on (1) extending concepts like "releasability" to better control flow of CTI both within and outside of a given "Community of Trust", (2) better methods for mapping of CRITs concepts, vocabularies, and relationships through STIX/CybOX, and broader support for the ingestion/mapping of additional STIX/CybOX Objects not currently represented in CRITs. So this is not a panacea, there are challenges!

    However, using the stable releases of active development branches of the following components:

    (1) CRITs Top Level Objects (TLOs: Indicators, Samples, Emails, PCAPs, Artifacts, etc.) can be reliably inter-exchanged between CRITs instantiations directly or within "Event" Containers/Packages.
    (2) The Analyst does not need (nor care) to know anything about the underlying CTI complexities. They select what they want to share, and with whom.
    Components:

    (1) CRITs (Stable_4 Branch): https://github.com/crits/crits
    (2) CRITs Services (Community/Vendor developed analysis, transformation, CTI enrichment Plug-Ins, Web Services/APIs**): https://github.com/crits/crits_services
        OPSWAT_Service
        anb_service
        carver_service
        chminfo_service
        chopshop_service
        clamd_service
        crits_scripts
        cuckoo_service
        data_miner_service
        diffie_service
        entropycalc_service
        farsight_service
        machoinfo_service
        meta_checker
        metacap_service
        office_meta_service
        opendns_service**
        passivetotal_service**
        pdfinfo_service
        peinfo_service
        pyew
        pyinstaller_service
        relationships_service
        shodan_service
        snugglefish_service
        ssdeep_service
        stix_validator_service
        taxii_service
        threatgrid_service**
        threatrecon_service**
        timeline_service
        totalhash_service
        unswf_service
        upx_service
        virustotal_service**
        whois_service**
        yara_service
        zip_meta_service
    (3) CRITs <==> Soltra Edge (Integrates CRITs with Soltra Edge Gateway via CRITs API): https://github.com/security-automation/crits-adapter
    (4) Soltra Edge TAXII Gateway reference implementations: https://www.soltra.com

    Full evaluation CRITs <=> TAXII <=> CRITs instantiations can be established fairly quickly if you have exposure to VMWare/Virtualbox and Vagrant. Otherwise, a fully functional instantiation can be established from scratch in about two hours of effort. Note that implementing the full suite of CRITs Services above can require subscriptions/API Keys for external services, and an additional 2-4 hours to configure and install dependencies, frameworks, etc. Efforts are underway to build "Docker" instantiations as well. Please feel free to reach out directly if interested in discussing current options for building demo/evaluation instantiations.

    Again, this is just one illustrative example.

    Patrick Maroney
    Office: (856)983-0001
    Cell: (609)841-5104
    Email: pmaroney@specere.org

    Attachment: Presentation1.pdf
    Description: Presentation1.pdf

    Attachment(s): Presentation1.pdf (pdf, 1.16 MB, 1 version)