OASIS Mailing List Archives: cti message
Subject: Example Reference Implementations: CRITs


[Note:  Fully documenting examples of existing capabilities, along with easy to deploy evaluation frameworks, and establishing the form/structure/delivery of this content will be one of the objectives for the Engagement SC.  So this is admittedly rough...]

CRITs

I want to share an example of an existing Open Community developed, integrated analysis framework that is working well today. Four related slides from a recent presentation given at the FIRST Conference in Berlin are attached. 

CRITs leverages existing STIX/CybOX/TAXII Standards to move us beyond current, portal based, stove-piped, manual "Copy/Paste" CTI exchange paradigms.  With CRITs, and the supporting open community developed ecosystems, we are empowering Analyst driven inter-exchange of rich CTI and analysis that maintains context and relationships within given campaigns and in the broader context of Adversary TTPs over time.

Current efforts are focused on (1) extending concepts like "releasability" to better control flow of CTI both within and outside of a given "Community of Trust", (2) better methods for mapping of CRITs concepts, vocabularies, and relationships through STIX/CybOX, and broader support for the ingestion/mapping of additional STIX/CybOX Objects not currently represented in CRITs. So this is not a panacea, there are challenges!

However, using the stable releases of active development branches of the following components:  

(1) CRITs Top Level Objects (TLOs: Indicators, Samples, Emails, PCAPs, Artifacts, etc.) can be reliably inter-exchanged between CRITs instantiations directly or within "Event" Containers/Packages.

(2) The Analyst does not need (nor care) to know anything about the underlying CTI complexities.  They select what they want to share, and with whom.


Components:


(1) CRITs (Stable_4 Branch):  https://github.com/crits/crits

(2) CRITs Services (Community/Vendor developed analysis, transformation, CTI enrichment Plug-Ins, Web Services/APIs**):  https://github.com/crits/crits_services


OPSWAT_Service
anb_service
carver_service
chminfo_service
chopshop_service
clamd_service
crits_scripts
cuckoo_service
data_miner_service
diffie_service
entropycalc_service
farsight_service
machoinfo_service
meta_checker
metacap_service
office_meta_service
opendns_service**
passivetotal_service**
pdfinfo_service
peinfo_service
pyew
pyinstaller_service
relationships_service
shodan_service
snugglefish_service
ssdeep_service
stix_validator_service
taxii_service
threatgrid_service**
threatrecon_service**
timeline_service
totalhash_service
unswf_service
upx_service
virustotal_service**
whois_service**
yara_service
zip_meta_service


(3) CRITs <==> Soltra Edge (Integrates CRITs with Soltra Edge Gateway via CRITs API):


(4) Soltra Edge TAXII Gateway reference implementations (https://www.soltra.com)

Full evaluation CRITs <=> TAXII <=> CRITs instantiations can be established fairly quickly if you have exposure to VMWare/Virtualbox and Vagrant. Otherwise, a fully functional instantiation can be established from scratch in about two hours of effort. Note that implementing the full suite of CRITs Services above can require subscriptions/API Keys for external services, and an additional 2-4 hours to configure and install dependencies, frameworks, etc. Efforts are underway to build "Docker" instantiations as well. Please feel free to reach out directly if interested in discussing current options for building demo/evaluation instantiations.

Again, this is just one illustrative example.

Patrick Maroney
Office:  (856)983-0001
Cell:    (609)841-5104
Email:   pmaroney@specere.org

Attachment: Presentation1.pdf