Cyware Threat Intelligence eXchange

Cyware Query Language (CQL) is a powerful and flexible way to search for threat data in CTIX. CQL allows analysts can to build powerful queries with sophisticated logic, append multiple conditions, drill deeper into the voluminous intel, and retrieve specific threat data.

The CQL helps you gain significant operational insights into your data and make informed decisions.

Analysts can use CQL to:

Cyware Threat Intel Crawler is a browser extension that uses Machine Learning (ML) and Natural Language Processing (NLP) to automatically scan and detect threat intel from any web-based content and operationalize it in CTIX.

The Threat Intel Crawler identifies and highlights all the cyber threat intelligence information such as Indicators of Compromise (IOCs), threat actors, malware, attack patterns, etc displayed on the content in your browser. This could be in articles detailing the latest threats, threat bulletins, an email with information about a breach, or a raw intelligence threat feed.

Using Cyware Threat Intel Crawler, analysts can:

The Threat Bulletin module in CTIX is revamped and analysts can now receive, create, share, and publish threat bulletins from CTIX. A threat bulletin is a summary of recent activities, emerging trends, or research analysis data that analysts can create or receive from external sources. It helps to share or receive data within organizations and keep pace with the evolving cyber threat landscape.

The newly introduced WYSIWYG threat bulletin editor in CTIX allows analysts to create informative and visually appealing content that can include threat data objects, threat investigation visual canvas, MITRE ATT&CK Navigator tactics & techniques, tables, images, or attachments.

In CTIX, analysts can:

Analysts can gather threat intelligence from various sources and also build their own intelligence in the form of STIX packages and share them with subscribers. Analysts can manually ingest intel in CTIX in the following ways:

Using watchlists in CTIX, you can add surveillance for, or closely monitor, any keywords, IP addresses, hashes, domains, URLs, and malware, within the intel received in CTIX.

You can monitor for the keyword occurrences from watchlists or you can opt for email notifications.

To monitor changes and keep track of user activity in the system, CTIX provides you with Audit Log Management. These detailed audit logs can help administrators to monitor data and make sure that users in the system follow the organization's defined protocols.

Track the following important changes in CTIX:

Analysts can perform a lookup for a set of IOCs and check if they are present in the CTIX application. They can upload a CSV, XLS, or XLXS file with IOCs and CTIX analyzes this information and shows:

CTIX offers a hub and spoke model for easy and secure sharing of threat intelligence data.

The CTIX hub acts as a parent organization or a source collection where all the information is stored and shared with spokes while protecting each member's identity.

CTIX spoke is a subsidiary entity of CTIX and offers a set of specific CTIX features based on your license. A spoke polls data from the selected CTIX collections.

The hub and spoke model enables and enhances the bi-directional exchange of threat intelligence data through real-time sharing of IOCs, TTPs, incidents, threat actor data, Courses of Action, or any STIX objects between the parent and the child organizations.

CTIX allows admins to create and manage multiple spokes for threat intel sharing based on your license and subscription plan.

The Threat Data module in CTIX has been completely revamped in this release. The user interface is greatly enhanced to encapsulate all the comprehensive details for every threat data object in CTIX.

For any threat data object, all its properties, actions, tasks, feed sources, feed enrichment sources, enrichment details, confidence score, and more are grouped in one place.

Analysts can access all the information and decide the further course of action.

Reporting module in CTIX is now revamped to give you the ability to create customized reports using search filters, CQL, or saved searches.

Analysts can:

The Threat Investigations module now comes with the Timeline support. The Timeline on the Threat Investigation canvas, lets you know the exact date and time for any operation or activity on the threat data or its related objects.

Analysts can combine the visualization and timeline views in Threat Investigations to:

The Diamond Model breaks down the individual attacks and categorizes them along four main vertices: Infrastructure, Capability, Adversary, and Victim.

The Threat Investigations module in CTIX now supports the Diamond Model of Intrusion Analysis and enables analysts to visualize this information on a canvas. You can associate the threat intel to the diamond model vertices such as adversary, capability, infrastructure, or victim for an event.

You can also perform a diamond model enrichment on individual nodes and see the correlated, extensive, and complete information on their threat intel.

This allows analysts to:

MITRE ATT&CK is a documented collection of information about malicious behaviors, adversary tactics and techniques, based on real-world cyber attacks.

CTIX comes with a built-in ATT&CK Navigator that enables security teams to visualize and track adversaries’ footprints by mapping tactics and techniques against reported IOCs, malware, or threat actors. Analysts can use this information to identify trends across the cyber kill chain and associate them with the received intel in CTIX. Through this analysis, you can get actionable insights and make informed decisions earlier in the attack lifecycle.

Using the ATT&CK Navigator framework in CTIX, analysts can:

The following features are deprecated in the CTIX 3.0 release.