Getting Started with CTIX
The threat intel lifecycle defines a framework for security teams to continuously process and produce actionable intelligence from raw threat intel. It allows organizations to build defensive mechanisms to avert emerging risks and threats.
Security analysts use a Threat Intelligence Platform (TIP) to discover, collect, aggregate, organize, and analyze threat intelligence received from multiple sources in various formats. It analyzes the large volumes of data collected to identify threats and also integrates human intelligence gathered by cybersecurity professionals to produce actionable intel. Using the information discovered and surfaced by a TIP, cybersecurity teams can identify various emerging threats that may include known malware attack types or any plans for future attacks, and use this to do proactive risk management and remediation.
CTIX is an any-to-any TIP for the collection, processing, normalization, enrichment, analysis, and dissemination of threat intel in various formats. Using CTIX, analysts can receive and share threat intelligence in the form of human and machine-readable intel. CTIX utilizes the Standard Threat Intelligence Exchange (STIX) format and the Trusted Automated Exchange of Indicator Information (TAXII) standards. CTIX also systematically converts, stores, and organizes actionable threat data across various formats including STIX 1. x, STIX 2.0, XML, JSON, Cybox, OpenIOC, and MAEC.
The following illustration shows the overall flow of threat intel in CTIX:
Intel Collection
CTIX can integrate and ingest intel from multiple feed sources such as API feed source providers, STIX sources, RSS feeds, internal security tools, internal threat intelligence data, and external sharing partners including peer organizations, vendors, subsidiaries, TI providers, CERTs, and ISACs/ISAOs. Analysts can also manually add data to CTIX.
Intel Processing
After ingesting intel, CTIX processes and stores this information. Intel processing involves correlation, deduplication, and normalization of threat intel.
CTIX correlates and deduplicates the received intel into probable cyber threat insights by associating events, alerts, and threat indicators received from multiple data sources. It also removes duplicate information and ensures that the overall processing load is reduced. This process also ensures analysts do not spend time investigating duplicate alerts and events. CTIX converts the raw and unstructured intel into STIX format so that the data is human as well as machine-readable.
Intel Enrichment
CTIX enriches the intel by removing false-positive threat data, scoring indicators, and adding context that helps analysts with comprehensive information. Analysts can perform enrichment operations manually and automatically with the help of third-party tool integrations.
CTIX scores all the indicators by assigning them a number called CTIX Confidence Score. The CTIX confidence score is a value between 0 and 100 assigned automatically to threat indicators and represents the confidence that the scoring engine has in that indicator being malicious. A confidence score of 100 suggests that the indicator is highly malicious while a score of 0 suggests it is safe.
Intel Analysis
CTIX segregates the different formats of threat intel received into STIX objects such as indicators, vulnerabilities, TTPs, malware, campaign, threat actors, intrusion sets, attack pattern, incidents, course of action, identity, kill chain, kill chain phases, and tools.
Threat Data in CTIX gives you a comprehensive description of all the elements and attributes of the threat intel objects in CTIX.
Threat Investigations in CTIX helps you investigate security incidents with improved insights. It facilitates threat analysis to correlate contextual understanding gathered from complex threat intelligence data.
Intel Reporting
CTIX reduces analyst fatigue and helps them to focus on critical threat information by analyzing the threat intel and presenting the vital statistics in the form of various dashboards and reports. Analysts can explore critical threats in detail and draft a productive investigation process for the threats.
Intel Actioning
Analysts can take actions on the threat data in CTIX either manually or by using rules. Rules automate handling huge volumes of threat data with multiple IOCs.
A few actions that the analysts can take include:
Analysts can build automation rules to identify critical IOCs based on conditions and parameters such as source scoring, IOC scoring, confidence score values and so on.
Rules can also identify indicators from threat intel and weigh them against the defined criticality scores framed by analysts.
Analysts can also program rules to deploy automated actions using any integrated third-party SIEM or SOAR tools.
Intel Dissemination
Analysts can share and disseminate threat intel output with recipients such as subscribers, CTIX spokes, and CTIX clients. Analysts can also create threat bulletins and publish the information. Using STIX collections, analysts can share threat intel over the TAXII server and recommend actions necessary to prevent threats.
Learn all about the administrative features in CTIX to manage all the key configurations to onboard users and enable users to get started with the application.
Basic Configurations
This section highlights the necessary configurations that you must perform to get started. You can also review and configure other platform-specific settings as required. For more information, see Other Configurations.
Step 1 | Authenticate users to sign in to the application by configuring your preferred authentication method: LDAP, Username-Password, SAML, or Google Sign-In. | |
Step 2 | Configure an email server to send out communication emails from the application. | |
Step 3 | Configure a proxy server to prevent direct access to the internet or public cloud applications. | |
Step 4 | Configure user groups to define Role-Based Access Control (RBAC) of the features and add users to the application. |
Other Configurations
Configure the allowed list of indicators to ensure that the indicators marked as allowed do not turn up maliciously in the incoming threat feeds. | |
Configure the certificates in CTIX to authenticate the feed sources configured for receiving threat intel. | |
Generate OpenAPI credentials to integrate CTIX with other applications and access the features using the REST API protocol. | |
Configure the general settings of the application, such as the logo, general user account settings, Google Recaptcha, tenant settings, email settings, and more. | |
Configure threat intel feed sources in CTIX to receive threat intelligence data based on the selected time interval from various sources, such as APIs, STIX, emails, and more. | |
Configure enrichment tools and policies in CTIX to enrich the threat data by removing false positives, adding contextual information, and scoring indicators by identifying key malicious properties. | |
Configure CTIX confidence score to assign all indicators in the platform a value between 0 and 100 assigned automatically to threat indicators and represents the confidence that the scoring engine has in that indicator being malicious. |