
Cyware Threat Intelligence eXchange

Getting Started with Intel Exchange

The threat intel lifecycle is a framework that security teams use to continuously turn raw threat data into actionable intelligence. It lets organizations build defenses that head off emerging risks and threats instead of reacting to them after the fact.

Security analysts use a Threat Intelligence Platform (TIP) to discover, collect, aggregate, organize, and analyze threat intelligence received from multiple sources in various formats. A TIP analyzes the large volumes of collected data to identify threats and also folds in the human intelligence gathered by security professionals to produce actionable intel. Using the information a TIP surfaces, security teams can identify emerging threats, such as known malware attack types or planned future attacks, and use that knowledge for proactive risk management and remediation.

Intel Exchange is an any-to-any TIP for the collection, processing, normalization, enrichment, analysis, and dissemination of threat intel in various formats. Using Intel Exchange, analysts can receive and share threat intelligence in both human-readable and machine-readable form. Intel Exchange is built on the Structured Threat Information Expression (STIX) format and the Trusted Automated eXchange of Indicator Information (TAXII) transport standard. Intel Exchange also converts, stores, and organizes actionable threat data across various formats, including STIX 1.x, STIX 2.0, XML, JSON, CybOX, OpenIOC, and MAEC.

The following illustration shows the overall flow of threat intel in Intel Exchange:

[Illustration: CTIX_Workflow.png, the overall flow of threat intel in Intel Exchange]

Intel Collection

Intel Exchange can integrate and ingest intel from multiple feed sources such as API feed source providers, STIX sources, RSS feeds, internal security tools, internal threat intelligence data, and external sharing partners including peer organizations, vendors, subsidiaries, TI providers, CERTs, and ISACs/ISAOs. Analysts can also manually add data to Intel Exchange.

Intel Processing

After ingesting intel, Intel Exchange processes and stores this information. Intel processing involves correlation, deduplication, and normalization of threat intel.

Intel Exchange correlates the received intel by associating events, alerts, and threat indicators from multiple data sources into probable threat insights, and deduplicates it so that the same indicator reported by several feeds is stored once. Deduplication reduces the overall processing load and keeps analysts from investigating the same alerts and events twice. Intel Exchange then converts raw and unstructured intel into STIX so that the data is both human-readable and machine-readable.
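To make the normalization and deduplication step concrete, here is an added example (not CTIX code; the product's own mapping rules are not shown on this page) that takes two constructed feeds, a plain-text list and a JSON array, infers each observable's type, emits STIX 2.1 Indicator objects with proper patterns, and deduplicates on the pattern so an IOC reported by both feeds becomes one indicator carrying both sources as external references. The feed contents, source names, and the regexes used to infer types are assumptions made for the example.

```python
"""Normalize raw IOCs from two differently shaped feeds into STIX 2.1 Indicator
objects and deduplicate them before they are stored.

Added example, not CTIX's own normalizer. The feed contents, source names and
the type-inference rules below are constructed for illustration.
"""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input: a plain-text feed and a JSON feed that overlap.
FEED_A_TEXT = """# feed-a: one observable per line, comments start with #
203.0.113.5
EVIL.Example
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""
FEED_B_JSON = json.dumps([
    {"indicator": "203.0.113.5", "type": "ip", "comment": "C2 beacon"},
    {"indicator": "d41d8cd98f00b204e9800998ecf8427e", "type": "md5"},
    {"indicator": "not an ioc at all", "type": "junk"},
])

_DOMAIN_RX = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def classify(raw):
    """Infer the observable type of a raw string. Returns (kind, canonical value),
    or (None, value) when nothing matches; unknowns are dropped, never guessed."""
    v = raw.strip().lower()          # canonical form: domains and hex digests are case-insensitive
    try:
        ipaddress.IPv4Address(v)     # stdlib validation rejects values such as 999.1.1.1
        return "ipv4-addr", v
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]{64}", v):
        return "sha256", v
    if re.fullmatch(r"[0-9a-f]{32}", v):
        return "md5", v
    if _DOMAIN_RX.fullmatch(v):
        return "domain-name", v
    return None, v


def to_pattern(kind, value):
    """Build the STIX 2.1 pattern for a single observable."""
    if kind == "sha256":
        return f"[file:hashes.'SHA-256' = '{value}']"
    if kind == "md5":
        return f"[file:hashes.MD5 = '{value}']"
    return f"[{kind}:value = '{value}']"


def iter_raw(payload, fmt):
    """Yield raw observable strings from a feed payload in the given format."""
    if fmt == "text":
        for line in payload.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                yield line
    elif fmt == "json":
        for record in json.loads(payload):
            yield record["indicator"]
    else:
        raise ValueError(f"unsupported feed format: {fmt}")


def normalize(feeds, now=None):
    """feeds: iterable of (source_name, payload, fmt). Returns a STIX 2.1 bundle
    whose indicators are unique per pattern; every feed that reported an
    observable is recorded as an external reference on that one indicator."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    by_pattern = {}
    for source, payload, fmt in feeds:
        for raw in iter_raw(payload, fmt):
            kind, value = classify(raw)
            if kind is None:
                continue
            pattern = to_pattern(kind, value)
            ind = by_pattern.get(pattern)
            if ind is None:
                ind = by_pattern[pattern] = {
                    "type": "indicator", "spec_version": "2.1",
                    "id": f"indicator--{uuid.uuid4()}",   # SDO ids must be UUIDv4, so dedup keys on the pattern
                    "created": ts, "modified": ts, "valid_from": ts,
                    "name": value, "pattern": pattern, "pattern_type": "stix",
                    "indicator_types": ["malicious-activity"],
                    "external_references": [],
                }
            refs = ind["external_references"]
            if not any(r["source_name"] == source for r in refs):
                refs.append({"source_name": source, "description": f"reported by {source}"})
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(by_pattern.values())}


if __name__ == "__main__":
    bundle = normalize([("feed-a", FEED_A_TEXT, "text"), ("feed-b", FEED_B_JSON, "json")])
    print(json.dumps(bundle, indent=2))
```

Keying deduplication on the canonical pattern rather than on the raw string is what merges `203.0.113.5` and `EVIL.Example`-style variants correctly; unrecognised values are dropped rather than turned into a guessed pattern, which is the conservative choice for anything that will later drive automated actions.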

Intel Enrichment

CTIX enriches the intel by removing false-positive threat data, scoring indicators, and adding context so that analysts have comprehensive information to work from. Analysts can run enrichment manually or automatically through third-party tool integrations.

CTIX scores every indicator with a number called the CTIX Confidence Score. The score is a value between 0 and 100, assigned automatically to threat indicators, that represents how confident the scoring engine is that the indicator is malicious. A score of 100 suggests the indicator is highly malicious, while a score of 0 suggests it is safe. Because the score reflects the evidence available to the scoring engine, a low score should be read as little evidence of malicious activity in the consulted sources rather than as proof that the indicator is benign.

Intel Analysis

CTIX maps the different formats of threat intel it receives onto STIX objects such as indicators, vulnerabilities, TTPs, malware, campaigns, threat actors, intrusion sets, attack patterns, incidents, courses of action, identities, kill chains, kill chain phases, and tools.

Threat Data in CTIX gives you a comprehensive description of all the elements and attributes of the threat intel objects in CTIX.

Threat Investigations in CTIX helps you investigate security incidents with better insight: it correlates the context gathered from complex threat intelligence data so that related objects can be analyzed together.

Intel Reporting

CTIX reduces analyst fatigue and helps analysts focus on critical threat information by analyzing the threat intel and presenting key statistics in dashboards and reports. Analysts can explore critical threats in detail and plan an effective investigation from there.

Intel Actioning

Analysts can act on threat data in CTIX either manually or through rules. Rules automate the handling of large volumes of threat data containing many IOCs.

A few actions that the analysts can take include:

  • Analysts can build automation rules to identify critical IOCs based on conditions and parameters such as source scoring, IOC scoring, confidence score values, and more.

  • Rules can also identify indicators from threat intel and weigh them against the criticality thresholds that analysts define.

  • Analysts can also program rules to deploy automated actions using any integrated third-party SIEM or SOAR tools.
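As an added example of how such rules can be evaluated (illustrative code, not CTIX's rule engine or scoring model, neither of which this page specifies), the following evaluates a small rule set over constructed indicators that carry a 0 to 100 confidence score and an assumed per-source reliability score, builds a dry-run action plan, and only then dispatches actions to SIEM/SOAR connector callables. It also shows the check a practitioner wants in front of any automated action: an allowlist of known-benign observables that short-circuits the rules. The rule structure, field names, connectors, and sample data are all assumptions.

```python
"""Evaluate automation rules over scored indicators and plan SIEM/SOAR actions.

Added example: CTIX's rule syntax and scoring engine are not described on this
page, so the rule shape, the field names (confidence, source_score) and the
sample indicators below are constructed assumptions, not the product's API.
"""
from dataclasses import dataclass

# Constructed, already-enriched indicators. confidence follows the page's 0..100
# scale; source_score is an assumed per-feed reliability rating on the same scale.
INDICATORS = [
    {"id": "ind-1", "type": "ipv4-addr", "value": "203.0.113.5", "confidence": 92, "source_score": 80},
    {"id": "ind-2", "type": "domain-name", "value": "update.example-cdn.net", "confidence": 75, "source_score": 40},
    {"id": "ind-3", "type": "ipv4-addr", "value": "198.51.100.10", "confidence": 88, "source_score": 90},
    {"id": "ind-4", "type": "file:sha256", "value": "ab" * 32, "confidence": 30, "source_score": 95},
]

# Allowed indicators: known-benign observables (here a corporate egress IP) that
# must never be actioned no matter how a feed scores them. Keep this list small
# and reviewed; every entry is a blind spot if an attacker can use that value.
ALLOWED = {("ipv4-addr", "198.51.100.10")}

OPS = {
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
    "in": lambda a, b: a in b,
}


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: tuple   # ((field, op, value), ...); every condition must hold
    actions: tuple      # ((target, action), ...) handed to the integration for that target


RULES = (
    Rule("block-high-confidence-ips",
         (("type", "==", "ipv4-addr"), ("confidence", ">=", 85), ("source_score", ">=", 70)),
         (("siem", "add_to_blocklist"), ("soar", "open_ticket"))),
    Rule("watch-medium-confidence",
         (("confidence", ">=", 60), ("confidence", "<", 85)),
         (("siem", "add_to_watchlist"),)),
)


def matches(rule, indicator):
    """True only if every condition holds. A missing field fails the rule
    instead of raising, so a malformed indicator can never trigger an action."""
    for field, op, expected in rule.conditions:
        if field not in indicator or not OPS[op](indicator[field], expected):
            return False
    return True


def plan_actions(indicators, rules=RULES, allowed=ALLOWED):
    """Return the actions the rules would take, without executing any of them.
    Separating planning from dispatch gives analysts a dry run to review."""
    plan = []
    for ind in indicators:
        if (ind["type"], ind["value"]) in allowed:
            plan.append({"indicator": ind["id"], "rule": None, "target": "audit", "action": "skipped_allowlisted"})
            continue
        for rule in rules:          # every matching rule fires; list order is not a priority
            if matches(rule, ind):
                for target, action in rule.actions:
                    plan.append({"indicator": ind["id"], "rule": rule.name, "target": target, "action": action})
    return plan


def dispatch(plan, connectors):
    """Hand each planned action to the connector registered for its target.
    connectors: {target: callable(action)}. Unrouted items are returned, not dropped silently."""
    sent, unrouted = 0, []
    for item in plan:
        connector = connectors.get(item["target"])
        if connector is None:
            unrouted.append(item)
            continue
        connector(item)
        sent += 1
    return sent, unrouted


if __name__ == "__main__":
    plan = plan_actions(INDICATORS)
    log = []   # stand-in for real SIEM/SOAR connectors
    sent, unrouted = dispatch(plan, {"siem": log.append, "soar": log.append})
    for entry in log:
        print(entry)
    print(f"dispatched {sent}, unrouted {len(unrouted)}")
```

The allowlisted indicator is written to an audit target rather than silently skipped, so the decision not to act is itself visible to whoever reviews the plan.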

Intel Dissemination

Analysts can share and disseminate threat intel output with recipients such as subscribers, CTIX spokes, and CTIX clients. Analysts can also create threat bulletins and publish the information. Using STIX collections, analysts can share threat intel over the TAXII server and recommend actions necessary to prevent threats.
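The TAXII side of dissemination, as an added example rather than CTIX's own server: a minimal in-process TAXII 2.1 server that exposes one read-only collection behind HTTP Basic authentication, and the client exchange a subscriber performs against it (discovery, collection listing, object poll), including the check that wrong credentials are rejected with 401. The API root, collection id, credentials, and the single indicator served are constructed for the example; a real deployment would run behind TLS with one credential per subscriber.

```python
"""Publish a STIX collection over TAXII 2.1 and poll it as a subscriber.
Added example (not CTIX's TAXII server): API root, collection id, credentials
and the served indicator are constructed for illustration."""
import base64
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TAXII_MEDIA = "application/taxii+json;version=2.1"
API_ROOT = "/intel/"                                    # constructed
COLLECTION_ID = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"  # constructed
CREDS = ("spoke-user", "spoke-secret")                  # constructed; issue one credential per subscriber
OBJECTS = [{"type": "indicator", "spec_version": "2.1",  # constructed STIX 2.1 object the collection serves
            "id": "indicator--4ba0e2b1-1c4d-4a6d-9b7a-1f4f7a0c0e11",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "valid_from": "2024-01-01T00:00:00.000Z",
            "pattern": "[ipv4-addr:value = '203.0.113.5']", "pattern_type": "stix"}]


def basic_token(creds):
    return "Basic " + base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()


class TaxiiHandler(BaseHTTPRequestHandler):
    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", TAXII_MEDIA)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        # Authenticate before revealing anything, using a constant-time comparison.
        if not hmac.compare_digest(self.headers.get("Authorization", ""), basic_token(CREDS)):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="taxii"')
            self.end_headers()
            return
        path = self.path.split("?", 1)[0]
        root_url = f"http://{self.headers['Host']}{API_ROOT}"   # api_roots must be absolute URLs
        if path == "/taxii2/":
            self._send(200, {"title": "Example TAXII 2.1 server", "api_roots": [root_url]})
        elif path == f"{API_ROOT}collections/":
            self._send(200, {"collections": [{"id": COLLECTION_ID, "title": "Shared indicators",
                                              "can_read": True, "can_write": False,
                                              "media_types": ["application/stix+json;version=2.1"]}]})
        elif path == f"{API_ROOT}collections/{COLLECTION_ID}/objects/":
            self._send(200, {"more": False, "objects": OBJECTS})  # one page; more=True would need ?next=
        else:
            self._send(404, {"title": "Not Found", "http_status": "404"})

    def log_message(self, *args):  # silence per-request logging
        pass


def taxii_get(url, creds):
    """One authenticated TAXII GET; refuses bodies that are not TAXII JSON."""
    req = Request(url, headers={"Accept": TAXII_MEDIA, "Authorization": basic_token(creds)})
    with urlopen(req, timeout=5) as resp:
        if not resp.headers.get("Content-Type", "").startswith("application/taxii+json"):
            raise ValueError("unexpected content type from TAXII server")
        return json.load(resp)


def poll_collections(base_url, creds):
    """Discovery -> collection list -> objects of every readable collection."""
    root = taxii_get(base_url + "/taxii2/", creds)["api_roots"][0]
    objects = []
    for col in taxii_get(root + "collections/", creds)["collections"]:
        if col.get("can_read"):
            objects.extend(taxii_get(f"{root}collections/{col['id']}/objects/", creds)["objects"])
    return objects


def demo():
    """Start the stub on a loopback port, poll with good and bad credentials, stop it."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), TaxiiHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        objects = poll_collections(base, CREDS)
        try:
            poll_collections(base, (CREDS[0], "wrong-secret"))
            rejected = False
        except HTTPError as err:
            rejected = err.code == 401
        return objects, rejected
    finally:
        server.shutdown()
        server.server_close()
```

Call `demo()` to run the exchange end to end. Basic credentials travel in clear text, which is only acceptable here because the stub binds to loopback; a real TAXII endpoint sits behind TLS, and the client should also verify the server certificate rather than just the content type.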

Learn all about the administrative features in CTIX to manage all the key configurations to onboard users and enable users to get started with the application.

Basic Configurations

This section highlights the necessary configurations that you must perform to get started. You can also review and configure other platform-specific settings as required. For more information, see Other Configurations.

Step 1

Configure Authentication Methods

Authenticate users to sign in to the application by configuring your preferred authentication method: LDAP, Username-Password, SAML, or Google Sign-In.

Step 2

Configure Email Server

Configure an email server to send out communication emails from the application.

Step 3

Configure Proxy Server

Configure a proxy server so that the application reaches the internet and public cloud applications through the proxy rather than connecting directly.

Step 4

Onboard Users

Configure user groups to define Role-Based Access Control (RBAC) of the features and add users to the application.

Other Configurations

Allowed Indicators

Configure the list of allowed indicators so that known-benign observables, such as your own infrastructure or widely used services, are not treated as malicious when they appear in incoming threat feeds.

Manage Certificates

Configure the certificates in CTIX to authenticate the feed sources configured for receiving threat intel.

Configure Open API

Generate Open API credentials to integrate CTIX with other applications and access its features through the REST API.

Basic System Configurations

Configure the general settings of the application, such as the logo, general user account settings, Google reCAPTCHA, tenant settings, email settings, and more.

Threat Intelligence Feed Sources

Configure threat intel feed sources in CTIX to receive threat intelligence data at the selected polling interval from various sources, such as APIs, STIX/TAXII, emails, and more.

Enrichment Management

Configure enrichment tools and policies in CTIX to enrich the threat data by removing false positives, adding contextual information, and scoring indicators by identifying key malicious properties.

CTIX Confidence Score Engine

Configure the CTIX confidence score engine, which automatically assigns every indicator in the platform a value between 0 and 100 representing the scoring engine's confidence that the indicator is malicious.