Release Notes 3.3.2
We are excited to introduce you to the latest version of Cyware Threat Intelligence Exchange - v3.3.2. This release comes with new features, a few enhancements, and minor bug fixes.
New Features
Perform Malware Analysis with Sandbox
Analysts can utilize Sandbox to perform an in-depth analysis of evasive and unknown threats. Sandbox provides a testing environment to execute potentially malicious files or URL requests in an isolated area away from an organization's network. Files are executed and tested without any threat to your organization's network.
CTIX integrates with Joe Security Sandbox to perform malware analysis. With this capability, CTIX now provides a complete ecosystem for analysts to analyze unknown threats, add context to threat intel, and deliver actionable IOCs.
Using the sandbox in CTIX, analysts can:
Perform malware analysis by uploading files or URLs and evaluate potentially malicious software for threats. They can view, analyze, and download the analysis reports.
View and analyze the verdict delivered for the malware analysis. The verdict includes Malicious, Non-Malicious, Suspicious, or Not Applicable.
Extract IOCs identified in the malware analysis report and create intel.
View, analyze, enrich, and score this intel using threat data and enrichment policies.
Bi-directional navigation between the threat data and sandbox records for better accessibility.
View both management and full reports in the respective sandboxing tool.
Sandbox compliments your organization's security strategy and helps:
Evaluate and analyze zero-day threats.
Security teams to better understand sophisticated malware attacks.
Strengthen your organization's defense against new and emerging threats.
For more information, see Malware Analysis using Sandbox.
Threat Defender Library
Threat Defender Library provides a central repository that contains information and files used in threat detection, hunting, and threat defense. The unique content in this repository adds value to the existing threat-hunting and detection workflows by allowing analysts to quickly respond to organization-specific threats.
Using the Threat Defender Library in CTIX, analysts can do the following:
Upload and create threat defender content, such as YARA rules.
Detect potential malicious patterns encrypted in a file by evaluating it with threat defender content present in the application.
Benefits
Reduce time spent by analysts researching the threats and provides ways to defend against threats.
Reuse on-the-ground proven defender content generated in different parts of the world or industry and respond to similar threats.
Improve threat-hunting capabilities and significantly reduce the time taken to detect and respond to a potential security incident.
For more information, see Threat Defender Library.
Integrations
CTIX continues to expand and update feed and enrichment integrations to access relevant and timely threat intel and allow threat intel teams to initiate timely response actions.
Integrate CTIX app in Slack: The integration between CTIX and Slack allows analysts to send threat intel from Slack to CTIX. Slack channel administrators can configure the CTIX app in a slack channel for all the members of the channel to initiate sending IOCs from Slack to the CTIX platform. For more information, see Integrate CTIX with Slack
VirusTotal V3 Enrichment Tool: CTIX now integrates with the VirusTotal V3 version to analyze and add context to external threat intel data. Analysts can utilize this data to detect malicious content coming into the application and initiate necessary response actions to control a possible breach. For more information, see VirusTotal.
CrowdStrike API Feed Source: The integration between CTIX and CrowdStrike now allows analysts to configure one feed channel to fetch IP, URL, domain, and email feeds. Analysts can filter the feeds coming into this feed channel based on the selected confidence. For more information, see CrowdStrike.
Enhancements
Dashboard Widgets
Analysts can visualize and monitor the flow of threat data in an actionable and meaningful manner using the following new information widgets:
Top Attack Patterns grouped by Incidents: Show details of the attack patterns that have maximum incidents associated with them.
Top Attack Patterns grouped by Indicators: Show details of the attack patterns that have maximum indicators associated with them.
Top Campaigns grouped by Indicators: Show details of the campaigns that have maximum indicators associated with them.
Top Malware Families grouped by Indicators: Show details of the malware families that have maximum indicators associated with them.
Top Threat Actors grouped by Indicators: Show details of the threat actors that have maximum indicators associated with them.
Top Log Sources with Blocked Alerts grouped by Incidents: Show details of log sources that blocked the maximum number of incidents.
Top Log Sources grouped by Incidents: Show details of the log sources that have maximum incidents associated with them, such as Windows Logs, Docker Logs, and more.
Command and Control: Top IPs grouped by Incidents: Show IPs that exhibit command and control attack patterns and have maximum incidents associated with them.
Command and Control: Top URLs grouped by Incidents: Show URLs that exhibit command and control attack patterns and have the maximum number of incidents associated with them.
Latest Vulnerabilities: Show details of the latest observed vulnerabilities in the system.
CQL Capabilities
The following new capabilities are introduced in Threat Data > CQL filters:
New parameters:
Custom Attribute: Search for threat data objects that have custom attributes
Custom Attribute Value: Search for threat data objects that have the specified custom attribute values.
Use these parameters together to search for threat data objects that have specific custom attributes. For example, 'Custom Attribute' IN ("alert_disposition", "city") AND 'Custom Attribute Value' CONTAINS "Block"), to fetch threat data objects that have alert_disposition or city as the custom attributes with custom attribute value as block.
New operators:
BEGINS WITH: Search for threat data objects that start with a certain keyword or phrase.
ENDS WITH: Search for threat data objects that end with a certain keyword or phrase.
For example, 'Object Type' = "Indicator" AND 'Value' BEGINS WITH "121" OR 'Value' ENDS WITH "34" to fetch indicators that either start with 121 or end with 34.
Analysts can now copy a valid CQL query from any text editor outside of the application and paste in Threat Data > CQL option to obtain relevant results.
For more information, see Cyware Query Language (CQL).
Threat Data Capabilities
Analysts can filter and query the threat data objects using the CVSS score. The CVSS score represents a scoring standard for vulnerabilities ranging between 1 - 10 and can have up to two decimal digits.
The threat data export limit is now increased from 10,000 records to 100,000 records.
For more information, see Threat Data.
Other Enhancements
The following other enhancements are introduced in the CTIX application:
CTIX can now ingest CIDR as a string in the form of IPv4 and IPv6 addresses while ingesting data using Quick Add.
The export limit for scheduling and generating reports is now increased from 10,000 records to 100,000 records.
In Threat Data, the Overall Relations widget under Relations, fetches the details every 30 minutes to obtain frequent updates. Relations show data from the last two months based on the system-created date.
In Main Menu > Rules, while defining a condition for a rule, the CUSTOM SCORE rule type is now renamed to ANALYST SCORE.
CTIX Webhook now supports data ingesting from Humio.
In Main Menu > Collections > Threat Data, analysts can view a maximum of 50 tags on the listing page. However, you can view all the attached tags to an object on its details page.
In Main Menu > Dissemination > Detailed Submission, analysts can add multiple tags at once and bulk assign a TLP value to objects defined for a selected STIX object.
Open APIs
We have introduced Open APIs for the new features included in this release such as Sandbox, Threat Defender Library, and Slack Integration with CTIX. For more information, see CTIX API Reference..
Upgrade Notes
Upgrade your Cyware Threat Intel Crawler browser extension to version 1.0.0 from the Chrome web store for improved functionality with CTIX v3.3.2. This upgrade for Cyware Threat Intel Crawler aligns with Chrome's latest Manifest V3 upgrade and ensures better security, privacy, and performance. For more information about Manifest V3, see Manifest V3 Documentation.
After you upgrade the Cyware Threat Intel Crawler to version 1.0.0, you cannot switch back to any lower version. The Cyware Threat Intel Crawler 1.0.0 Chrome version will not work with earlier versions of the CTIX.