
Cyber Threat Hunting | Cyware Use Cases

Abstract


Cyber threat hunting is a proactive method to identify unknown threats within an organization's network. Learn how the Cyware platform aids in threat hunting.

Problem Statement

Threat hunting is a proactive method for finding threats inside an organization's network that existing controls have not already detected. Analysts ingest threat intelligence from various sources, correlate it, decide what is relevant to their environment, and forward the findings so the threat can be blocked before it does damage. In practice, the volume of intel feeds arriving from internal and external sources makes this difficult to do by hand.

As the threat landscape keeps widening and analysts spend more of their time on hunting tasks, continuous automated analysis of threat data becomes a necessity: it lets the platform flag malicious IOCs automatically so that analysts can hunt proactively instead of triaging feeds.

It is also expensive for organizations to hire enough threat intel analysts to manually analyze, decide on, and action this volume of data.

Solution

Cyware Products Used: Cyware Threat Intelligence eXchange (CTIX) and Orchestrate

Cyware Threat Intelligence eXchange (CTIX) and Orchestrate work together to help your analysts continuously analyze threat data and act on malicious indicators. This section describes how to automate the threat hunting workflow. Although the whole workflow is automated, analysts can intervene manually when required and make the final decision.

[Figure: Threat_Hunting_Use_Case.svg, the end-to-end threat hunting workflow between CTIX, Orchestrate and the SIEM]

This use case workflow includes the following sections:

  • Before you Start

  • Verify the status of Orchestrate integration in CTIX

  • Configure the Workflow in CTIX

  • Configure the workflow in Orchestrate

  • Connect the playbook event trigger in CTIX

Before you Start
  1. Network connectivity must exist between CTIX and Orchestrate.

  2. Cyware Threat Intelligence eXchange (CTIX) must be installed.

    • Make sure you have permission to configure Rules.

    • Make sure you have the CTIX Confidence Scoring engine configured to automatically provide a confidence score for indicators. See CTIX Confidence Score.

  3. Orchestrate must be installed.

    • Make sure you have permission to create and manage Events, Labels, and Playbooks.

  4. Integrate Orchestrate with CTIX using Open API. See Verify the status of Orchestrate integration in CTIX to check the status of the integration. If the status is inactive, you must configure the integration. See Configure Orchestrate Integration in CTIX to configure the integration.

  5. Integrate a preferred SIEM tool with Orchestrate using the Appstore.

Verify the status of Orchestrate integration in CTIX

Check whether the Orchestrate integration is enabled in your CTIX application. If it is already enabled, skip this section.

To check the status of the Orchestrate integration, follow these steps.

  1. Sign in to CTIX as an Administrator.

  2. From Administration, click Integration Management.

  3. From the Tool Integrations section, select Cyware Products to see the Orchestrate integration. The integration must show the Enabled status.

  4. If the status is Disabled, enable the integration by following the steps in Configure Orchestrate Integration in CTIX.

Configure the Workflow in CTIX

Use the following steps to configure the CTIX Rules engine to automatically filter malicious indicators based on CTIX confidence score.

Step 1: Create a new Threat Hunting and Actioning Rule in CTIX

  1. From the Menu, select Actions and choose Rules.

  2. Click New Rule to add basic details to your Rule.

  3. Enter the Rule Name as Threat Hunting and Actioning and add a relevant description. You can also configure optional preferences such as Tags, Rule Priority, Retry Interval, and Rule fails alerts.

  4. Click Submit. The Rule builder opens.

Step 2: Configure threat intel sources for Rule

  1. Choose the Sources for the Rule. You can choose the source type and the individual sources whose threat intel the rule should process, or select the Allow all Sources check box in the Basic details section to process intel from every available source.

  2. Choose the Collections from which the rule should process threat intel. Collections logically group the threat intel received from sources. You can also subscribe to every collection using the All Collections check box.

  3. Your source configuration is complete. Click +Condition to configure conditions for the rule.

    [Figure: Threat_Hunting_Rule_Action.png, the rule builder with sources and collections selected]

Step 3: Configure conditions to filter intel feeds based on the confidence score

  1. Select the Intent Type as Indicator.

  2. Select the Rule Type as IP.

  3. Set the Selector as ALL. Now use the Select Operator drop-down and select AND to add another condition.

  4. Select the Rule Type as CONFIDENCE SCORE.

  5. Select the Selector value as GREATER THAN EQUAL.

  6. Enter the Value as 80.

  7. Your condition configuration is complete. Click Save.

Before continuing with the action configuration for this rule you need to configure the orchestration workflow and event trigger in Orchestrate. The following section helps you to configure the orchestration workflow.

Configure the workflow in Orchestrate

Use the following steps to configure automatic actioning of IOCs on Orchestrate.

Step 4: Create a new Threat Hunting and Actioning label in Orchestrate

  1. Sign in to the Orchestrate application.

  2. From the Menu, select Labels.

  3. Click Add Label.

  4. Enter the label name as Threat Hunting and Actioning and a description.

  5. Make sure the label status toggle is enabled and the label is Active.

  6. Click Create.

Step 5: Configure a new Event Trigger CTIX Threat Hunting in Orchestrate

  1. From the Menu, select Configure Triggers.

  2. Click Add New Trigger.

  3. Enter the Event Source App as CTIX integration.

  4. Enter the Source Event Type as Threat Hunting IOCs.

  5. Select the Threat Hunting and Actioning label that you created in Step 4.

  6. Click Create.

Step 6: Create a Threat Actioning Playbook

  1. Navigate to Manage Playbooks -> Cyware Playbooks.

  2. Search for CTIX to QRadar Retrospective Threat Hunting and open the playbook.

  3. Click the ellipsis (...) icon in the top-right corner of the playbook and select Clone.

  4. Open the newly cloned playbook and rename it to CTIX to QRadar Threat Hunting and Actioning.

  5. Click Edit, then expand the Playbook Overview panel to edit the overview. In the Playbook Data section, open the Select Label(s) dropdown and choose the Threat Hunting and Actioning label that you created in Step 4.

  7. Click Save to save the playbook.

  7. By default, the cloned playbook performs the following tasks.

    1. Retrieves indicators from CTIX for a defined time interval. It does this by calculating epoch timestamps for the current day, yesterday (one day before), and the past month (one month before).

    2. An action retrieves the indicators that the CTIX rule identified.

    3. The playbook will further collate and check if the indicators are present in the QRadar SIEM tool.

    4. If the indicator is identified in the SIEM tool, then the playbook will automatically create an incident in Cyware Fusion and Threat Response (CFTR) for investigation and closure. You can also configure a required ITSM tool to track the ticket to closure.

  8. After making your changes to the cloned playbook, save it. Your playbook is now configured and mapped to a trigger event, and Orchestrate runs it automatically whenever the CTIX rule fires.

Tip: The CTIX to QRadar Retrospective Threat Hunting playbook is an example of a threat hunting and actioning playbook from the Orchestrate system library. The system library contains other playbooks such as CTIX to Splunk Retrospective Threat Hunting that are built to solve the same use case using the Splunk SIEM tool. You can clone a required playbook and use it for your workflow.
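To make the two automated parts of this workflow concrete, the following stand-alone Python model is added here as an illustration; it is not Cyware code and calls no CTIX or Orchestrate API. It applies the Step 3 rule (Indicator, type IP, confidence greater than or equal to 80) to a constructed indicator list, computes the today/yesterday/month epoch windows from Step 6, looks the surviving IPs up in constructed SIEM events, opens an incident record for each indicator that was observed, and writes the OBSERVED IN HUNTING: SIEM tag back. The indicator and event field names, the rule structure and the 30-day "month" are assumptions made for the example.

```python
import copy
import re
from datetime import datetime, timedelta, timezone

# --- Constructed input (not real feed data) ---------------------------------------------
# Indicators as a rule engine might see them: a STIX 2.1 pattern plus CTIX's 0-100 confidence.
# Field names are assumed for this example.
INDICATORS = [
    {"id": "indicator--1", "pattern": "[ipv4-addr:value = '203.0.113.10']", "confidence": 92, "tags": []},
    {"id": "indicator--2", "pattern": "[ipv4-addr:value = '198.51.100.7']", "confidence": 45, "tags": []},
    {"id": "indicator--3", "pattern": "[domain-name:value = 'bad.example']", "confidence": 95, "tags": []},
    {"id": "indicator--4", "pattern": "[ipv4-addr:value = '192.0.2.77']", "confidence": 80, "tags": []},
]

# Fixed "now" so the hunt windows and results are reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed SIEM events (epoch seconds, as a SIEM search would return them).
SIEM_EVENTS = [
    {"ts": int((NOW - timedelta(hours=3)).timestamp()), "src_ip": "203.0.113.10", "dst_ip": "10.0.0.5"},
    {"ts": int((NOW - timedelta(days=20)).timestamp()), "src_ip": "10.0.0.8", "dst_ip": "192.0.2.77"},
    {"ts": int((NOW - timedelta(days=45)).timestamp()), "src_ip": "192.0.2.77", "dst_ip": "10.0.0.8"},  # too old
    {"ts": int((NOW - timedelta(hours=1)).timestamp()), "src_ip": "198.51.100.7", "dst_ip": "10.0.0.5"},  # low confidence
]

# --- Step 3: the rule "Indicator AND type IP AND confidence >= 80" ----------------------
STIX_IP = re.compile(r"^\[ipv[46]-addr:value\s*=\s*'([^']+)'\]$")

RULE = {
    "intent_type": "Indicator",
    "operator": "AND",  # how the conditions combine (AND / OR)
    "conditions": [
        {"field": "type", "op": "EQ", "value": "IP"},
        {"field": "confidence", "op": "GTE", "value": 80},
    ],
}

OPERATORS = {
    "EQ": lambda a, b: a == b,
    "GTE": lambda a, b: a >= b,
    "GT": lambda a, b: a > b,
    "LTE": lambda a, b: a <= b,
}


def ip_value(ind):
    """Return the IP in a STIX ipv4/ipv6 pattern, or None for any other indicator type."""
    m = STIX_IP.match(ind["pattern"])
    return m.group(1) if m else None


def field_value(ind, field):
    if field == "type":
        return "IP" if ip_value(ind) else "OTHER"
    return ind[field]


def matches_rule(ind, rule):
    """Evaluate every condition and combine the results with the rule's operator."""
    results = [OPERATORS[c["op"]](field_value(ind, c["field"]), c["value"]) for c in rule["conditions"]]
    return all(results) if rule["operator"] == "AND" else any(results)


# --- Step 6: retrospective hunt windows and the SIEM lookup ----------------------------
def hunt_windows(now):
    """Epoch (start, end) pairs for today, yesterday and the past month.
    'Month' is taken as 30 days here; the page does not say how the playbook computes it."""
    day_start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return {
        "today": (int(day_start.timestamp()), int(now.timestamp())),
        "yesterday": (int((day_start - timedelta(days=1)).timestamp()), int(day_start.timestamp())),
        "month": (int((day_start - timedelta(days=30)).timestamp()), int(now.timestamp())),
    }


def hunt(indicators, events, windows):
    """Map indicator id -> SIEM events that carry its IP inside any hunt window."""
    hits = {}
    for ind in indicators:
        value = ip_value(ind)
        for ev in events:
            in_window = any(lo <= ev["ts"] <= hi for lo, hi in windows.values())
            if value in (ev["src_ip"], ev["dst_ip"]) and in_window:
                hits.setdefault(ind["id"], []).append(ev)
    return hits


HUNT_TAG = "OBSERVED IN HUNTING: SIEM"


def run_workflow(indicators=INDICATORS, events=SIEM_EVENTS, now=NOW):
    """Rule filter -> hunt -> one incident per observed indicator -> tag written back."""
    indicators = copy.deepcopy(indicators)  # do not mutate the caller's feed
    selected = [i for i in indicators if matches_rule(i, RULE)]
    hits = hunt(selected, events, hunt_windows(now))
    incidents = []
    for ind in selected:
        if ind["id"] in hits:
            if HUNT_TAG not in ind["tags"]:
                ind["tags"].append(HUNT_TAG)
            incidents.append({"indicator": ind["id"], "value": ip_value(ind), "event_count": len(hits[ind["id"]])})
    return {"selected": [i["id"] for i in selected], "incidents": incidents, "indicators": indicators}


if __name__ == "__main__":
    for inc in run_workflow()["incidents"]:
        print(f"incident: {inc['indicator']} ({inc['value']}) seen in {inc['event_count']} SIEM event(s)")
```

Two details are worth noticing when you adapt this to a real playbook: the confidence condition is GREATER THAN EQUAL, so an indicator scored exactly 80 (indicator--4) is hunted, and an event older than the month window is ignored even though its IP is a strong match, which is why the window calculation deserves a test of its own.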

Connect the playbook event trigger in CTIX

Step 7: Configure an action to automatically send critical indicators to Orchestrate

  1. Sign in to the CTIX application and continue to edit the Threat Hunting and Actioning rule.

  2. Select Action as Trigger Playbook.

  3. Select the Application as CO (Cyware Orchestrate).

  4. Select the Account as required. Account suggestions will appear based on the instances available on your Orchestrate application. For example, if https://client1.cyware.com/ctix/ is your CTIX application URL, then client1 can be your account.

  5. Select the Event as the event name available in Orchestrate. In this case, select the event as CTIX Threat Hunting. Note that the Event has to be created in Orchestrate before mapping your rule to the event.

  6. Select Threat Data Objects as Indicators and click Save to save the Rule.

    [Figure: Threat_Hunting_Rule_End.png, the completed rule with the Trigger Playbook action]

Result: Your Threat Hunting and Actioning rule now automatically sends relevant indicators to Orchestrate for hunting and actioning. After an indicator is actioned, the playbook updates its threat data in CTIX with the OBSERVED IN HUNTING: SIEM tag.

Conclusion
  • After configuring this workflow, CTIX automatically sends relevant indicators to the required playbook in Orchestrate.

  • The threat hunting playbook automatically executes actions on the IOCs.

  • The playbook will update the actioned indicator threat data with the OBSERVED IN HUNTING: SIEM tag in the CTIX application.

References

Create Playbooks

CTIX Confidence Score

STIX Objects Reference URL