Release Notes 3.1
New Features
Cyware Query Language (CQL)
Cyware Query Language (CQL) is a powerful and flexible way to search for threat data in CTIX. CQL allows analysts can to build powerful queries with sophisticated logic, append multiple conditions, drill deeper into the voluminous intel, and retrieve specific threat data.
The CQL helps you gain significant operational insights into your data and make informed decisions.
Analysts can use CQL to:
Search for information in the revamped Threat Data module.
Schedule specific reports in the revamped Reporting module.
Include specific threat data and information in your Threat Bulletins.
Save and reuse the CQL queries in saved searches.
Cyware Threat Intel Crawler
Cyware Threat Intel Crawler is a browser extension that uses Machine Learning (ML) and Natural Language Processing (NLP) to automatically scan and detect threat intel from any web-based content and operationalize it in CTIX.
The Threat Intel Crawler identifies and highlights all the cyber threat intelligence information such as Indicators of Compromise (IOCs), threat actors, malware, attack patterns, etc displayed on the content in your browser. This could be in articles detailing the latest threats, threat bulletins, an email with information about a breach, or a raw intelligence threat feed.
Using Cyware Threat Intel Crawler, analysts can:
Operationalize threat intel in CTIX: Scrape a webpage and create machine-readable threat intel in CTIX.
Threat intel Lookup in CTIX: Hover over the highlighted entities from a webpage for a quick summary of the intel from CTIX. Use CTIX to extend your research and gain more context into the threat data.
Export Threat intel: Export the scraped threat intel from the webpage into a CSV file for reporting, collaboration, or offline analysis.
Multi-Tenancy and Automatic login with CTIX: Compatible with multiple instances of the CTIX application and multiple Cyware products like CTIX and Cyware Situational Awareness Platform(CSAP). To get started, sign in to CTIX and launch the Cyware Threat Intel Crawler from the CTIX application's browser tab.
Multi-Browser support: Compatible with Google Chrome, Mozilla Firefox, and Microsoft Edge browsers.
Threat Bulletin
The Threat Bulletin module in CTIX is revamped and analysts can now receive, create, share, and publish threat bulletins from CTIX. A threat bulletin is a summary of recent activities, emerging trends, or research analysis data that analysts can create or receive from external sources. It helps to share or receive data within organizations and keep pace with the evolving cyber threat landscape.
The newly introduced WYSIWYG threat bulletin editor in CTIX allows analysts to create informative and visually appealing content that can include threat data objects, threat investigation visual canvas, MITRE ATT&CK Navigator tactics & techniques, tables, images, or attachments.
In CTIX, analysts can:
Create threat bulletins
Receive threat bulletins
Create intel in CTIX from the threat bulletins
Share threat bulletins to other organizations or subsidiaries through PDFs or emails
Publish threat bulletins in STIX format to your subscribers
Manual Threat Intel Creation
Analysts can gather threat intelligence from various sources and also build their own intelligence in the form of STIX packages and share them with subscribers. Analysts can manually ingest intel in CTIX in the following ways:
Quick Add Intel: To add a few threat data objects with basic data into CTIX.
Import Intel: To upload large amounts of data from various file formats such as Cyware CSV, STIX 1.x, STIX 2.0, STIX 2.1, MISP, CSV, STIX 1.x , URL, MAEC 4.1, CSV, Open IOC, Free text, and PDF.
Detailed Submission: To manually create intel with elaborate details such as including basic details, custom attributes, creating relations, adding sightings, and adding STIX attributes.
Watchlist
Using watchlists in CTIX, you can add surveillance for, or closely monitor, any keywords, IP addresses, hashes, domains, URLs, and malware, within the intel received in CTIX.
You can monitor for the keyword occurrences from watchlists or you can opt for email notifications.
Audit Log Management
To monitor changes and keep track of user activity in the system, CTIX provides you with Audit Log Management. These detailed audit logs can help administrators to monitor data and make sure that users in the system follow the organization's defined protocols.
Track the following important changes in CTIX:
User Activity Logs: Helps administrators track a particular user's activity in the system.
Subscriber Logs: Helps administrators track subscriber activity such as polling, inbox and more in the system.
Configuration Change Logs: Helps administrators track activities related to any change in any module in the system.
Bulk IOC Lookup
Analysts can perform a lookup for a set of IOCs and check if they are present in the CTIX application. They can upload a CSV, XLS, or XLXS file with IOCs and CTIX analyzes this information and shows:
The set of IOCs that are present in CTIX. You can view their details in threat data.
The set of IOCs that are not present in CTIX. You can view them in the form of a downloaded CSV file.
CTIX Hub and Spoke
CTIX offers a hub and spoke model for easy and secure sharing of threat intelligence data.
The CTIX hub acts as a parent organization or a source collection where all the information is stored and shared with spokes while protecting each member's identity.
CTIX spoke is a subsidiary entity of CTIX and offers a set of specific CTIX features based on your license. A spoke polls data from the selected CTIX collections.
The hub and spoke model enables and enhances the bi-directional exchange of threat intelligence data through real-time sharing of IOCs, TTPs, incidents, threat actor data, Courses of Action, or any STIX objects between the parent and the child organizations.
CTIX allows admins to create and manage multiple spokes for threat intel sharing based on your license and subscription plan.
Enhancements
Revamped Threat Data
The Threat Data module in CTIX has been completely revamped in this release. The user interface is greatly enhanced to encapsulate all the comprehensive details for every threat data object in CTIX.
For any threat data object, all its properties, actions, tasks, feed sources, feed enrichment sources, enrichment details, confidence score, and more are grouped in one place.
Analysts can access all the information and decide the further course of action.
Overview - Provides a complete overview of the threat data object that includes details such as enrichments, sources, published collections, feed sources, collections, actions taken, and much more.
Basic Details - Provides in-depth information on the basic details of the threat data object that includes STIX classification type of the threat data object, CTIX confidence score, analyst score, TLP, feed source details, and much more
Relations - Provides comprehensive information on the relationship details of the threat data object that include any existing relations to other threat data objects and details from the threat investigations module in CTIX.
Enrichment - Provides complete information on the enrichment status of the threat data object that includes enrichment status, enrichment tools, enrichment tool statistics, and much more.
Action Taken - Provides details on the various actions that are executed on this threat data object that include actions that are performed, the tools that performed the action, CTIX specific or third party actions.
Tasks - Provides information on the various tasks that any analysts have to perform on this threat object. It classifies the tasks in stages such as in progress, not started, and completed so that it is easy for analysts to track their tasks.
Revamped Reports
Reporting module in CTIX is now revamped to give you the ability to create customized reports using search filters, CQL, or saved searches.
Analysts can:
Use the search filters to look for threat data and include it in your report.
Use CQL to look for specifically tailored threat data and include it in your report.
Create reports from any saved searches in CTIX.
Schedule reports.
Download reports in CSV format.
Run the report on demand.
Timeline Support in Threat Investigations
The Threat Investigations module now comes with the Timeline support. The Timeline on the Threat Investigation canvas, lets you know the exact date and time for any operation or activity on the threat data or its related objects.
Analysts can combine the visualization and timeline views in Threat Investigations to:
See events unfold in the network at a glance.
Gain perspective into the threat actor activity.
Conduct your investigations better with more context.
Reveal how and why cyber threats happen, and their impact on the network.
Diamond Model Support in Threat Investigations
The Diamond Model breaks down the individual attacks and categorizes them along four main vertices: Infrastructure, Capability, Adversary, and Victim.
The Threat Investigations module in CTIX now supports the Diamond Model of Intrusion Analysis and enables analysts to visualize this information on a canvas. You can associate the threat intel to the diamond model vertices such as adversary, capability, infrastructure, or victim for an event.
You can also perform a diamond model enrichment on individual nodes and see the correlated, extensive, and complete information on their threat intel.
This allows analysts to:
Extract inter-connected knowledge in threat intel and relate them to other incidents, attacks, victims, or attack patterns.
Efficiently aggregate and analyze massive amounts of threat intel data and get a clear picture of how adversaries operate.
Recognize the adversaries’ intent and proactively mitigate cyber threats.
Deprecated Features
The following features are deprecated in the CTIX 3.0 release.
Live Activity Module is deprecated.
Threat Actors Module is consolidated inside Threat Data Module.
Create Intel Package Module is replaced with Detailed Form Submission.
Followed Data Module is deprecated.
Global Search Module is deprecated.
Contact Support Module is replaced with Zendesk Support.
API Integration with MS-ISAC is deprecated.
Intel Packages concept is deprecated.
Bulk IOC Lookup is merged with Threat Data.