Group-IB
Connector Category: API Feed Source
About Group-IB
CTIX integrates with Group-IB Threat Intelligence & Attribution (TI&A) to retrieve real-time threat intelligence data based on data relating to adversary tactics, tools, and activity. This integration provides you insights into who is attacking you, their tools and systems, and indicators of compromise.
Use Cases
Retrieve IP addresses and domain names associated with malicious activities, such as hosting malware, command-and-control servers, or being involved in phishing campaigns.
Understand the patterns or characteristics of known malware, which can be used by security systems to detect and block malware infections.
Retrieve details about software vulnerabilities and their associated exploits that help to prioritize patching and protect against potential attacks.
Retrieve details about hacking groups, their tactics, techniques, and procedures (TTPs), as well as indicators of compromise (IOCs) associated with their activities.
Benefits
Get real-time updates on the latest cyber threats, including information about emerging malware, phishing campaigns, and other malicious activities.
Gain early warning of potential cyber threats.
Configure Group-IB as API Feed Source
Configure Group-IB as an API feed source to receive threat data feeds.
Before you Start
You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in CTIX.
You must have the base URL, username, and password of your Group-IB account. The password is the API access key, which you can get from the API access section of the account settings page of your Group-IB account, together with the username.
Note
Ensure that your Group-IB account includes permission to retrieve threat data feeds through the Group-IB APIs. If you do not have permission to retrieve a threat data feed, the respective feed channel is disabled automatically and displays a connection error.
Steps
To configure Group-IB as an API feed source in CTIX, do the following:
Go to Administration > Integration Management > FEED SOURCES > APIs.
Click Add API source.
Search and select the Group-IB app.
Click Add Instance.
Enter a unique name to identify the instance. For example, Group-IB-Prod.
Enter the base URL of your Group-IB instance. The default base URL is https://tap.group-ib.com/api/v2/.
Enter the username and password of your Group-IB account to authenticate communication between the CTIX and Group-IB servers.
Select Verify SSL to verify the SSL certificate and secure the connection between the CTIX and Group-IB servers. By default, Verify SSL is selected.
Note
Cyware recommends that you select Verify SSL. If you disable this option, CTIX may configure an instance even when the server presents an expired SSL certificate. The connection may then not be established properly, and CTIX will not be able to notify you of a broken or improper connection.
Click Save.
The Group-IB instance is configured and you can view the Group-IB feed channels. You can configure multiple instances by clicking Manage > Add More.
Configure Group-IB Feed Channels
Configure the feed channels to retrieve threat data feeds from Group-IB and store the feeds in a collection.
The data received from each feed channel is stored in a separate collection. The STIX objects that are fetched from the feeds received through this integration are:
Indicator
Malware
Vulnerability
Threat Actor
Attack Pattern
Observables
Steps
To configure a Group-IB channel, do the following:
Go to Administration > Integration Management > FEED SOURCES > APIs.
Search and select the Group-IB app.
Click the ellipsis on the top right corner and select Manage.
Click Manage Feed Channels.
Select a feed channel and enable the toggle.
Enter the date and time to start polling feeds. Select a date within 15 days from the current date.
Enter the name of the collection to group the feed data. For example, Group-IB Feeds. CTIX creates the collection and stores all the feeds from the feed channel.
Select from one of the following Polling Cron Schedule types to define when to poll the data:
Manual: Allows you to manually poll from the source collection.
Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto.
Enter a frequency in minutes between 60 and 10080 minutes in Polling Time. The default polling time is 240 minutes.
Set a default TLP and confidence score to assign to the feeds that do not have a TLP and confidence score already assigned. By default, the default TLP and confidence score are set to Amber and 100 respectively.
Select any tags to identify and categorize the feeds.
(Optional) Enable the Broken Connection Retry Policy to allow the CTIX application to re-attempt any failed connection attempts to your Group-IB account. The system will attempt to connect 10 times.
You can enter the retry interval in days, minutes, or weeks and also specify the retry interval and the retry count.
Enable Exponential Backoff Entry to progressively extend the wait time between retries for consecutive error responses. For example, for a 10-minute exponential retry interval, the system will re-attempt to connect after 10, 100, 1000, 10000, and so on minutes until the retry count is reached. Use this option to give your system resources some breathing time and resolve any service overload issues.
Click Save.
The feed channel is configured and you can poll feeds from the channel. You can enable the other feed channels, poll feeds, and view the feeds. For more information, see API Integrations.
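The following is an added example, not CTIX or Group-IB code, that models the channel settings described in the steps above: the 15-day start-date window, the 60 to 10080 minute polling range, the default TLP and confidence applied only to feeds that lack them, the retry schedule with and without exponential backoff, and the effect of the Verify SSL option on the TLS context used to reach the base URL. The dataclass fields, the sample account name and key, and the request path are this example's own assumptions; the page does not list the per-channel endpoints, so the path is a placeholder and no network call is made.

```python
import base64
import ssl
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ChannelConfig:
    """Settings a feed channel instance collects (field names are assumptions of this example)."""
    base_url: str = "https://tap.group-ib.com/api/v2/"  # default base URL quoted on the page
    username: str = "analyst"                # constructed sample account
    api_key: str = "KEY123"                  # constructed sample API access key, used as the password
    start_time: str = "2024-01-01T00:00:00"  # constructed sample ISO-8601 polling start
    polling_minutes: int = 240               # page default
    default_tlp: str = "AMBER"               # page default
    default_confidence: int = 100            # page default
    verify_ssl: bool = True                  # page default and recommendation
    retry_interval_minutes: int = 10
    retry_count: int = 10                    # the page states 10 connection attempts
    exponential_backoff: bool = False


def validate(cfg: ChannelConfig, now_iso: str) -> list:
    """Return the page's stated limits that the configuration violates (empty list when valid)."""
    problems = []
    if not 60 <= cfg.polling_minutes <= 10080:
        problems.append("polling time must be between 60 and 10080 minutes")
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(cfg.start_time)
    if abs(age) > timedelta(days=15):
        problems.append("start date must be within 15 days of the current date")
    return problems


def retry_schedule(cfg: ChannelConfig) -> list:
    """Minutes to wait before each retry; exponential mode multiplies by 10 each time (10, 100, 1000, ...)."""
    if cfg.exponential_backoff:
        return [cfg.retry_interval_minutes * 10 ** i for i in range(cfg.retry_count)]
    return [cfg.retry_interval_minutes] * cfg.retry_count


def basic_auth_header(username: str, api_key: str) -> str:
    """HTTP Basic credentials: the API access key travels as the password (assumed scheme)."""
    token = base64.b64encode(f"{username}:{api_key}".encode()).decode()
    return "Basic " + token


def build_request(cfg: ChannelConfig, path: str) -> urllib.request.Request:
    """Build (but do not send) a request for a channel path under the configured base URL."""
    url = cfg.base_url.rstrip("/") + "/" + path.lstrip("/")
    headers = {
        "Authorization": basic_auth_header(cfg.username, cfg.api_key),
        "Accept": "application/json",
    }
    return urllib.request.Request(url, headers=headers)


def ssl_context(cfg: ChannelConfig) -> ssl.SSLContext:
    """Verify SSL selected: chain and hostname are checked. Unselected: any certificate is accepted."""
    ctx = ssl.create_default_context()
    if not cfg.verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def ssl_verification_enabled(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


def apply_defaults(objects: list, cfg: ChannelConfig) -> list:
    """Assign the default TLP and confidence only to feed objects that do not carry their own."""
    out = []
    for obj in objects:
        obj = dict(obj)
        if obj.get("tlp") is None:
            obj["tlp"] = cfg.default_tlp
        if obj.get("confidence") is None:
            obj["confidence"] = cfg.default_confidence
        out.append(obj)
    return out


if __name__ == "__main__":
    cfg = ChannelConfig(exponential_backoff=True, retry_count=5)
    print("config problems:", validate(cfg, "2024-01-10T00:00:00"))
    print("retry schedule (minutes):", retry_schedule(cfg))
    print("request URL:", build_request(cfg, "/placeholder-feed-path").full_url)
    print("TLS verification on:", ssl_verification_enabled(ssl_context(cfg)))
```

The `ssl_context` function makes the page's warning concrete: with `verify_ssl=False` the context accepts expired or forged certificates silently, which is why a broken connection can go unnoticed.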
Group-IB Feed Channels
CTIX provides multiple channels to poll feeds from Group-IB. The following table lists all the feed channels and the Group-IB API endpoints used for each feed channel.
Feed Channel | API Endpoint |
---|---|
Fetch DDoS Feeds | |
Fetch Phishing Feeds | |
Fetch Brand Abuse (BA) Phishing Kit Feeds | |
Fetch Target Malware Feeds | |
Fetch Phishing Kit Feeds | |
Fetch Mules Feeds | |
Fetch Account Feeds | |
Fetch Card Feeds | |
Fetch IMEI Feeds | |
Fetch Malware C2 Feeds | |
Fetch OSI Vulnerability Feeds | |
Fetch Tor Node Feeds | |
Fetch APT Threat Actor Feeds | |
Fetch APT Threat Feeds | |
Fetch Deface Feeds | |
Fetch HI Threat Feeds | |
Fetch HI Threat Actor Feeds | |
Fetch BA Phishing Feeds | |
Fetch Open Proxy Feeds | |
Fetch Socks Proxy Feeds | |