Getting Started with CTIX Lite
CTIX Lite is a threat intelligence platform (TIP) built for smaller teams to manage the collection, processing, and dissemination of threat intelligence data in various formats. It receives and shares threat intelligence in a machine-readable format. It utilizes the Standard Threat Intelligence Exchange (STIX) format and the Trusted Automated Exchange of Indicator Information (TAXII) mechanism to achieve threat data enrichment and threat intelligence exchange. In addition to that, it systematically converts, stores, and organizes actionable threat data into various formats including STIX 1.x, STIX 2.0, STIX 2.1, XML, and JSON.
CTIX Lite comes as a ready-to-use application and can be accessed directly from the cloud, resulting in reduced deployment challenges. As an added advantage, CTIX Lite allows users to operate at an optimized cost.
CTIX Lite forms the backbone of an organization's threat intelligence with its ability to perform the following key functions:
Aggregation of intelligence from multiple sources
Curation, normalization, enrichment of data
Integrations with existing security systems
Analysis and sharing of threat intelligence
CTIX Lite VS CTIX Enterprise
CTIX Lite: CTIX Lite is an entry-level TIP specifically designed for enterprises that want to perform essential threat intelligence operations such as automated ingestion, enrichment, analysis, and action at an affordable cost. The low cost enables enterprises to start utilizing threat intelligence without compromising their security needs.
CTIX Lite makes the organization and segregation of threat intelligence easy by leveraging collections.
CTIX Enterprise: CTIX Enterprise is the fully primed version of CTIX, developed for organizations and ISACs to collect, ingest, and share threat intel using orchestration and automation features while performing advanced analysis, correlation, enrichment, and anonymization of threat data. To promote a culture of threat intelligence sharing and contribute towards the overall development of the security ecosystem.
For more information about the differences and features offered by CTIX Lite and CTIX Enterprise applications, refer to CTIX Product Editions.
CTIX Lite Supported Features
CTIX Lite offers the following features:
Authenticate using a username and password, and two-factor authentication using email and a time-based one-time password (TOTP).
Share and export using the Analyst dashboard and ATT&CK Navigator dashboard.
Custom reporting capabilities.
Ingest up to 50,000 objects in a day using Threat Data ( all SDOs in STIX format), Threat Bulletin, RSS feeds, Threat Mailbox, Quick Add and Import Intel, Web Scraper, SIEM tools, SOAR tools, manual ingestion, and more.
Inbox threat intel with up to three STIX feed providers.
Add IOCs to the allowed indicator list.
Assign scores to all indicators using the CTIX Confidence Score Engine.
Create and manage up to 10 active rules.
Analyze and track attack patterns using ATT&CK Navigator.
Add and track various keywords using Watchlist and Tags.
Enrich feeds using tools, such as Recorded Future, RiskIQ, and more.
Set Up CTIX Lite
Use the following steps to set up the CTIX Lite application:
Sign in to CTIX Lite.
Set up an email server to send out communication in the form of emails from the application. For more information, refer to Configure Email Server.
Add users that can access the application and define their user groups. For more information, refer to Onboard Users.
Add IOCs to the allowed indicator list to filter the non-malicious data coming into the application. For more information, refer to Configure Access Restrictions.
Add and manage certificates to authenticate the feed sources configured for receiving threat intel. For more information, refer to Manage Certificates.
CTIX Lite Threat Intel Lifecycle
CTIX Lite is an end-user TIP that follows a threat intel lifecycle. This lifecycle defines a framework for security teams to process and produce actionable intelligence from raw threat intel continuously. It allows organizations to build defensive mechanisms to avert emerging risks and threats.
The threat intel lifecycle consists of the following phases:
Intel Ingestion
CTIX Lite integrates and ingests intel from multiple feed sources such as API feed source providers, STIX sources, RSS feeds, Twitter, internal security tools, and more. Analysts can also manually add data to CTIX.
To ingest data in CTIX Lite, you can:
Configure the threat intelligence feeds to receive threat intel. For more information, refer to Threat Intelligence Feed Sources.
Configure third-party tools to integrate with CTIX Lite to receive threat intel. For more information, see CTIX Tool Integrations.
Intel Processing and Enrichment
After ingesting intel, CTIX Lite processes, and stores this information. Intel processing involves correlation, deduplication, and normalization of threat intel. It correlates and deduplicates the received intel into probable cyber threat insights by associating events, alerts, and threat indicators received from multiple data sources. This process ensures analysts do not spend time investigating duplicate alerts and events. CTIX normalizes the raw and unstructured intel into STIX format so that the data is human as well as machine-readable.
CTIX Lite enriches the intel by removing false-positive threat data, scoring indicators, and adding context that helps analysts with comprehensive information. Analysts can perform enrichment operations manually and automatically with the help of third-party tool integrations. CTIX scores all the indicators by assigning them a number called CTIX Confidence Score.
To process and enrich data in CTIX Lite, you can:
Configure enrichment tools to investigate threat data and enable analysts to assimilate comprehensive information on the relevant threat intel. For more information, refer to Enrichment Tools.
Configure enrichment policy to provide invaluable data to enrich threat indicators with hashes, IPs, domains, vulnerabilities, and URLs. For more information, refer to Enrichment Policy.
Configure the CTIX confidence score engine to assign a score to the IOCs. For more information, refer to CTIX Confidence Score Engine.
Intel Analysis and Actioning
CTIX Lite segregates the different formats of threat intel received into STIX objects such as indicators, vulnerabilities, TTPs, malware, campaign, threat actors, intrusion sets, attack patterns, incidents, course of action, identity, kill chain, kill chain phases, and tools. It reduces analyst fatigue and helps them to focus on critical threat information by analyzing the threat intel and presenting the vital statistics in the form of various dashboards and reports. Analysts can explore critical threats in detail and draft a productive investigation process for the threats.
Analysts can take action on the threat data either manually or by using rules. Rules automate handling huge volumes of threat data with multiple IOCs.
To analyze and perform actions on data in CTIX Lite, you can:
View data feed received from sources to analyze details such as source confidence, the system created and modified dates and more. For more information, see Threat Data.
View ATT&CK metrics to analyze, track, and create footprints and map them to specific tactics and techniques. For more information, see ATTACK Navigator.
Automate actions to perform on the data feeds based on factors, such as enrichment verdict, part of allowed indicators, false-positive, and more. For more information, see Automation Rules.
Intel Dissemination
Analysts can share information by inboxing it to existing collections using Rules. For more information, see Publish to Collection Using Rules.