
Collaborative Threat Defender Library | Cyware Use Cases

Abstract

The Cyware Collaborate platform enables users to create and share defender content, detailing successful strategies against cyber attacks in a threat library.

Category: Cyware Product

Cyware Products Used:

  • Cyware Threat Intelligence eXchange (CTIX)

Problem Statement

Organizations face an expanding threat landscape that includes malware, phishing, DoS, and zero-day exploits. To meet these challenges, security analysts and threat intelligence communities need to collaborate effectively on defensive strategies and detect attacks at an early stage. However, without a structured mechanism to create, share, and collaborate on these defense strategies, the broader community cannot benefit from valuable insights.

Solution

To address this challenge, Collaborate (CSAP) introduces a robust solution that leverages its core capability in content creation and collaboration. The platform enables users to create and share defender content, detailing successful strategies against cyber attacks. This content, stored in formats like SIEM, YARA, CAR, MITRE ATT&CK data, and Orchestrate Playbooks within the Threat Defender Library (TDL), undergoes a collaborative refinement process. Peers collaborate to generalize the content, ensuring its applicability to a wider audience.

The solution also includes an approval process involving both peer members and administrators, enhancing the reliability of the defender content. Once approved, this content becomes a valuable resource for creating alerts, empowering the community with a shared knowledge base to strengthen their collective cybersecurity defense mechanism.

How do we solve this problem?

Collaborate (CSAP) uses the Threat Defender Library (TDL) to enable effective collaboration for analysts on threat detection rules.

[Figure: TDL flowchart]

The following is an example of a SIEM detection rule and how TDL helps you, as an analyst, respond to threats faster using this rule:

  1. Create a SIEM detection rule and share it with your team for feedback. The following SIEM rule sends an alert email to a user when it identifies an established Transmission Control Protocol (TCP) connection whose payload contains a specific byte sequence (in this case, the bytes “5a 4f 4f 4d 00 00”).

    rule "Possible Zeus Botnet C&C Traffic"
    when
        exists event
        and event.flowEstablished = true
        and contains(event.payload, "5a 4f 4f 4d 00 00")
    then
        // Send an email notification
        execute program "/opt/smtp-server/sendmail.sh" // Replace with the actual path to the sendmail script
        with arguments "-t", "-s", "Alert: Possible Zeus Botnet C&C Traffic", "-i", "john.doe@example.com"
    end

    To create TDL content, see Create TDL Content.

  2. Publish the SIEM rule to the TDL repository. The published content becomes part of the TDL repository. You can also add metadata such as title, description, and content category to classify the file.

  3. Share the TDL content with members to help them detect the Zeus botnet. To share TDL content, see Share TDL Content.

  4. To notify your members about the Zeus botnet malware, you can attach the SIEM rule to an alert and share it with the intended recipients. To attach TDL content to Collaborate alerts, see Attach TDL Content.
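The detection logic of the rule above, as an added example that is not part of the original page or of the Cyware product: it parses the rule's hex signature into bytes, applies the same two conditions (established flow, payload contains the bytes) to constructed sample events, and emits the equivalent Snort/Suricata rule, one of the content formats TDL shares. The FlowEvent shape and the sample events are assumptions made for the example.

```python
from dataclasses import dataclass

# Byte signature exactly as the page's SIEM rule writes it.
ZEUS_SIGNATURE_HEX = "5a 4f 4f 4d 00 00"
RULE_NAME = "Possible Zeus Botnet C&C Traffic"


def signature_to_bytes(sig: str) -> bytes:
    """Turn a space-separated hex string such as '5a 4f 4f 4d 00 00' into bytes."""
    return bytes.fromhex(sig.replace(" ", ""))


@dataclass
class FlowEvent:
    """Minimal stand-in for the SIEM event the rule inspects (assumed shape)."""
    src: str
    dst: str
    flow_established: bool
    payload: bytes


def matches_rule(event: FlowEvent, sig: bytes = signature_to_bytes(ZEUS_SIGNATURE_HEX)) -> bool:
    """Same conditions as the page's rule: established TCP flow and payload contains the bytes."""
    return event.flow_established and sig in event.payload


def evaluate(events):
    """Return the alert subjects the rule would raise, one per matching event."""
    return [f"Alert: {RULE_NAME} {e.src} -> {e.dst}" for e in events if matches_rule(e)]


def to_snort_rule(sid: int) -> str:
    """Express the same detection as a Snort/Suricata rule (pipe-delimited hex content)."""
    return (f'alert tcp any any -> any any (msg:"{RULE_NAME}"; flow:established; '
            f'content:"|{ZEUS_SIGNATURE_HEX}|"; sid:{sid}; rev:1;)')


# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    FlowEvent("10.0.0.5", "203.0.113.7", True, b"GET /x\r\n" + bytes.fromhex("5a4f4f4d0000") + b"\x01"),
    FlowEvent("10.0.0.6", "203.0.113.8", False, bytes.fromhex("5a4f4f4d0000")),  # not established
    FlowEvent("10.0.0.7", "198.51.100.2", True, b"ZOOM"),  # 5a 4f 4f 4d without the two NUL bytes
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
    print(to_snort_rule(1000001))
```

Whether contains() on event.payload sees raw bytes or a hex-encoded string depends on how the SIEM stores that field; confirm it before publishing a byte-pattern rule to the library, because a mismatch produces no alerts rather than an error.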

Benefits

Enhanced Threat Detection Accuracy

Collaborative threat detection rules provided by TDL leverage verified content and shared detection files (such as YARA, Snort, and Suricata). This ensures a higher level of accuracy in threat detection, as security teams benefit from the collective expertise of the cybersecurity community. The shared intelligence helps in detecting and responding to threats more effectively.

Streamlined Content Creation

With TDL, security teams can easily create content without additional expertise. The platform offers a versatile code editor and supports the upload of various file types for validation. This streamlined content creation process accelerates the deployment of effective detection rules, promoting efficiency in incident response.

Cross-Platform Collaboration and Agility

TDL facilitates the creation and distribution of verified SIEM rules across the community, promoting agility in responding to evolving threats. The ability to issue Collaborate alerts ensures quick action within SIEM or Endpoint Detection and Response (XDR) tools. This collaborative approach enhances the overall responsiveness of the cybersecurity community to emerging threats.

Enhanced Threat Detection and Visibility

Security teams can now visualize a centralized mapping of threats and detection content against the tactics used by threat actors. TDL supports the sharing of MITRE’s ATT&CK framework tactics, techniques, and sub-techniques, enabling security teams to identify and track threat actor trajectories.