
Automate Intel Enrichment, Correlation, Analysis, and Actioning using CTIX Rules

Abstract


Category: Cyware Product

Cyware Products Used:

Cyware Threat Intelligence Exchange (CTIX): A smart, client-server threat intelligence platform (TIP) for ingestion, enrichment, analysis, and bi-directional sharing of threat data within your trusted network.

Problem Statement

Threat intelligence teams share a common goal: improve threat detection, investigation, and actioning, and thereby the organization's overall security posture. Day-to-day threat intel operations involve many repetitive tasks, such as enriching threat intel, correlating threat data to identify duplicates, and acting on confirmed threats. Completing these tasks in time is difficult when security analysts perform them manually. That is where CTIX automation rules come in.

Solution

The solution is to use CTIX rules to automate the enrichment, correlation, analysis, dissemination/sharing, and actioning stages of the threat intelligence lifecycle. Rules let security analysts automate mundane tasks, reduce false positives, and cut overall triage time for threats and incidents by mobilizing timely, relevant, and context-driven threat intelligence.

This document describes use cases for CTIX rules in the Cyware Threat Intelligence Exchange (CTIX) platform.

How to create rules in CTIX?

To learn more about how to create and manage CTIX rules, see Automation Rules.

Use Cases of CTIX Rules
Filter Irrelevant IOCs

Threat intel teams are flooded with Indicators of Compromise (IOCs) every day, and their main focus is to block the malicious ones. Indicator blocking is crucial, but manually blocking each IP, hash, domain, URL, and email address is inadequate against complex and repetitive attacks.

CTIX automation rules streamline the filtering of irrelevant IOCs, so analysts do not spend time filtering by hand. Analysts can configure rules to perform multi-level validation on IOCs ingested into CTIX, ensuring that only irrelevant IOCs are filtered out, and can filter threat intel by IOC type such as hash, URL, IP, domain, or email. This simplifies and automates a task analysts would otherwise repeat for every feed.

The screenshot below shows a rule that automatically selects high-confidence indicators received from external sources and sends them to a SIEM solution for further action.

Rules_Use_Case_1.png
Automated Actioning

After filtering out irrelevant IOCs, threat intel teams can configure rules to act automatically on the remaining IOCs. Integrating CTIX with Cyware Orchestrate additionally lets security teams automate tasks across security products such as SIEM, IDS, IPS, firewall, vulnerability database, and more.

The following actions can be performed by CTIX rules:

  • Use Save Result Set V3 as Rule Action

  • Use Create CSAP Alert as Rule Action

  • Use Update Indicators Allowed as Rule Action

  • Use Deprecate as Rule Action

  • Use Send E-mail as Rule Action

  • Use Manual Review as Rule Action

  • Use Update False Positive as Rule Action

  • Use Update Tag as Rule Action

  • Use Trigger Playbook (V3) as Rule Action

  • Use Send Inbox as Rule Action

  • Use Publish to Collection as Rule Action

  • Use Save Result Set as Rule Action

  • Use Trigger Playbook as Rule Action
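As an added illustration of the filter-then-act pattern described above (in Filter Irrelevant IOCs and Automated Actioning), the following Python models a small rule set: each rule is a condition over indicator attributes plus an ordered list of actions. This is not CTIX code and not how CTIX stores rules (those are configured in the product UI); the rule names, the 30/80 confidence thresholds, the noise-network list, and the sample indicators are all assumptions made for the example.

```python
"""Illustrative condition -> action rule set for threat indicators.
Not CTIX code; models the pattern only. Sample indicators are constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Indicator:
    value: str
    ioc_type: str              # ipv4, domain, url, md5, sha256, email
    confidence: int            # 0-100, as assigned by the feed or enrichment
    source: str                # feed name
    tags: set[str] = field(default_factory=set)
    deprecated: bool = False
    false_positive: bool = False


@dataclass
class Rule:
    name: str
    condition: Callable[[Indicator], bool]
    actions: list[Callable[[Indicator, dict], None]]


# Actions. `sink` collects what would be pushed to external tools (SIEM, review queue).
def send_to_siem(ioc, sink):
    sink.setdefault("siem", []).append(ioc.value)

def deprecate(ioc, sink):
    ioc.deprecated = True

def mark_false_positive(ioc, sink):
    ioc.false_positive = True

def manual_review(ioc, sink):
    sink.setdefault("review_queue", []).append(ioc.value)

def add_tag(tag):
    def _apply(ioc, sink):
        ioc.tags.add(tag)
    return _apply


# Non-routable ranges that feeds sometimes emit (assumed list); blocking them is noise
# at best and an outage at worst, so they are validated out before any actioning rule runs.
NOISE_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def is_noise_ip(ioc):
    if ioc.ioc_type != "ipv4":
        return False
    addr = ipaddress.ip_address(ioc.value)
    return any(addr in net for net in NOISE_NETS)


RULES = [
    # Validation first: internal/loopback addresses are marked false positive and never forwarded.
    Rule("drop-internal-ip", is_noise_ip, [mark_false_positive, add_tag("noise")]),
    # High-confidence network indicators go to the SIEM for blocking/alerting.
    Rule("forward-high-confidence",
         lambda i: i.confidence >= 80 and i.ioc_type in {"ipv4", "domain", "url"}
         and not i.false_positive,
         [send_to_siem, add_tag("blocked")]),
    # Low-confidence indicators are deprecated instead of being pushed to controls.
    Rule("deprecate-low-confidence", lambda i: i.confidence < 30, [deprecate]),
    # Mid-range confidence is handed to an analyst rather than acted on automatically.
    Rule("review-mid-confidence", lambda i: 30 <= i.confidence < 80, [manual_review]),
]


def run_rules(indicators, rules=RULES):
    """Evaluate rules in list order; an earlier rule's action can change what a later one sees."""
    sink = {}
    for ioc in indicators:
        for rule in rules:
            if rule.condition(ioc):
                for action in rule.actions:
                    action(ioc, sink)
    return sink


def demo():
    """Constructed sample feed; 203.0.113.0/24 is a documentation range used as a stand-in."""
    indicators = [
        Indicator("203.0.113.7", "ipv4", 95, "feed-a"),
        Indicator("10.0.0.5", "ipv4", 90, "feed-a"),        # high confidence but internal: noise
        Indicator("evil.example", "domain", 55, "feed-b"),
        Indicator("d41d8cd98f00b204e9800998ecf8427e", "md5", 10, "feed-b"),  # MD5 of the empty file
    ]
    return indicators, run_rules(indicators)


if __name__ == "__main__":
    inds, sink = demo()
    print(sink)
    for i in inds:
        print(i.value, i.ioc_type, i.confidence, sorted(i.tags), i.deprecated, i.false_positive)
```

The point to notice is rule ordering: the internal-address check runs before the forwarding rule and sets `false_positive`, which the forwarding rule then tests, so a feed entry for 10.0.0.5 with confidence 90 is never sent to the SIEM. Whatever product you build rules in, check what happens when two rules match the same indicator and whether a later rule sees the state an earlier one changed.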

Utilize Actionable Threat Intelligence

Internal security systems such as SIEMs, IPS, IDS, and firewalls rely on the actionable threat intelligence available in CTIX. For example, when an IOC is confirmed malicious and observed in the internal network, a CTIX rule can block it on the respective tool through an Orchestrate playbook. This helps analysts respond to attacks faster and make decisions more efficiently.

The screenshot below shows a rule, triggered manually from threat data, that performs a retrospective search across different internal tools.

Rules_Use_Case_2.png
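The retrospective search mentioned above, as an added example that is not CTIX or Orchestrate code: it sweeps historical log lines for a set of indicators. The log formats, the indicator list, and the defanging conventions (hxxp, [.]) it normalizes are assumptions; the log lines are constructed. The matching deliberately guards against partial matches, since a naive substring search for `evil.example` would also flag `notevil.example`, and `203.0.113.7` would flag `203.0.113.70`.

```python
"""Retrospective IOC sweep over historical log lines (added illustration, not product code).
Indicators and log lines below are constructed."""
import re


def refang(value: str) -> str:
    """Normalize a defanged indicator (hxxp://, [.], (dot), [:]) so it matches raw logs."""
    v = value.strip().lower()
    v = re.sub(r"^hxxp", "http", v)          # hxxp:// and hxxps://
    for token in ("[.]", "(.)", "[dot]", "(dot)"):
        v = v.replace(token, ".")
    return v.replace("[:]", ":")


def pattern_for(ioc_type: str, value: str) -> re.Pattern:
    """Build a pattern that avoids partial matches for the given indicator type."""
    v = re.escape(refang(value))
    if ioc_type == "ipv4":
        # not preceded/followed by another octet character: 203.0.113.7 must not hit 203.0.113.70
        return re.compile(rf"(?<![\d.]){v}(?![\d.])")
    if ioc_type == "domain":
        # allow subdomains (www.evil.example) but not longer names (notevil.example, evil.example.com)
        return re.compile(rf"(?<![\w-]){v}(?![\w-])(?!\.[\w-])")
    # url, hash, email: plain substring on the lower-cased line
    return re.compile(v)


def sweep(iocs, lines):
    """Return one hit per (indicator, line) match, with the host extracted from the line."""
    hits = []
    host_re = re.compile(r"host=(\S+)")
    compiled = [(t, v, pattern_for(t, v)) for t, v in iocs]
    for idx, line in enumerate(lines):
        low = line.lower()
        host = host_re.search(low)
        for ioc_type, value, pat in compiled:
            if pat.search(low):
                hits.append({"ioc": value, "type": ioc_type, "line": idx,
                             "host": host.group(1) if host else None})
    return hits


# Constructed sample: defanged indicators as a feed might deliver them.
IOCS = [
    ("url", "hxxp://evil[.]example/payload.bin"),
    ("domain", "evil[.]example"),
    ("ipv4", "203.0.113.7"),
]

# Constructed sample: proxy, DNS and firewall lines in a key=value format.
LOGS = [
    "2024-05-03T10:12:01Z host=ws-042 method=GET url=http://evil.example/payload.bin status=200",
    "2024-05-03T10:11:58Z host=ws-042 query=www.evil.example type=A",
    "2024-05-03T11:00:00Z host=ws-017 query=notevil.example type=A",
    "2024-05-03T12:30:10Z host=ws-101 method=GET url=https://good.example/index.html status=200",
    "2024-05-03T12:31:00Z host=fw-1 src=10.0.0.5 dst=203.0.113.7 action=allow",
    "2024-05-03T12:31:05Z host=fw-1 src=10.0.0.9 dst=203.0.113.70 action=allow",
]


def demo():
    return sweep(IOCS, LOGS)


if __name__ == "__main__":
    for h in demo():
        print(h)
```

Only lines 0, 1 and 4 produce hits (ws-042 and fw-1); the `notevil.example` and `203.0.113.70` lines do not. In a real sweep the hit list is what you would hand to an Orchestrate playbook or a SIEM saved search, with the host field driving the follow-up action.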
Benefits
Automated Threat Actioning

CTIX enables security teams to automate actions based on confidence scores. For example, teams can build rules that perform proactive mitigation tasks such as blocking an IP address in a firewall or SIEM tool once its confidence score crosses a threshold.

deprecate_indicators.png
Automate Manual Tasks

Threat intel teams can use rules to act automatically on malicious IOCs. When a high-confidence indicator is identified, rules let analysts automate the fixed set of actions they would otherwise take by hand on that indicator. This streamlines time-consuming tasks and reduces manual errors, saving incident responders' time and improving their efficiency.

Reduced Complexity

Rules are easy to understand, so they bridge the gap between security and IT teams when setting up automation workflows. They also scale with complexity: a rule can trigger Orchestrate playbooks to run security orchestration, automation, and response (SOAR) workflows.