Subject: Example Reference Implementations: CRITs
[Note: Fully documenting examples of existing capabilities, along with easy to deploy evaluation frameworks, and establishing the form/structure/delivery of this content will be one of the objectives for the Engagement SC. So this is admittedly rough...]
I want to share an example of an existing Open Community developed, integrated analysis framework that is working well today. Four related slides from a recent presentation given at the FIRST Conference in Berlin are attached.
CRITs leverages existing STIX/CybOX/TAXII Standards to move us beyond current, portal based, stove-piped, manual "Copy/Paste" CTI exchange paradigms. With CRITs, and the supporting open community developed ecosystems, we are empowering Analyst driven inter-exchange of rich CTI and analysis that maintains context and relationships within given campaigns and in the broader context of Adversary TTPs over time.
Current efforts are focused on (1) extending concepts like "releasability" to better control flow of CTI both within and outside of a given "Community of Trust", (2) better methods for mapping of CRITs concepts, vocabularies, and relationships through STIX/CybOX, and broader support for the ingestion/mapping of additional STIX/CybOX Objects not currently represented in CRITs. So this is not a panacea, there are challenges!
However, using the stable releases of active development branches of the following components:
(1) CRITs Top Level Objects (TLOs: Indicators, Samples, Emails, PCAPs, Artifacts, etc.) can be reliably inter-exchanged between CRITs instantiations directly or within "Event" Containers/Packages.
(2) The Analyst does not need (nor care) to know anything about the underlying CTI complexities. They select what they want to share, and with whom.
(1) CRITs (Stable_4 Branch): https://github.com/crits/crits
(2) CRITs Services (Community/Vendor developed analysis, transformation, CTI enrichment Plug-Ins, Web Services/APIs**): https://github.com/crits/crits_services
(3) CRITs <==> Soltra Edge (Integrates CRITs with Soltra Edge Gateway via CRITs API):
(4) Soltra Edge TAXII Gateway reference implementations (https://www.soltra.com)
Full evaluation CRITs <=> TAXII <=> CRITs instantiations can be established fairly quickly if you have exposure to VMware/VirtualBox and Vagrant. Otherwise, a fully functional instantiation can be established from scratch in about two hours of effort. Note that implementing the full suite of CRITs Services above can require subscriptions/API Keys for external services, and an additional 2-4 hours to configure and install dependencies, frameworks, etc. Efforts are underway to build "Docker" instantiations as well. Please feel free to reach out directly if interested in discussing current options for building demo/evaluation instantiations.
Again, this is just one illustrative example.
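The STIX/CybOX package exchange the post describes, as an added illustration that is not code from the original message or from the CRITs project: a minimal STIX 1.x package carrying three atomic indicators (domain, IPv4 address, MD5) as CybOX observables, a parser that maps them back to flat records, and the skip-and-report handling an ingester needs for CybOX object types it does not represent (the mapping gap the post mentions). The namespace URIs are the published STIX 1.x / CybOX 2.x ones; the package and indicator IDs, SAMPLE_INDICATORS and the URI-bearing package are constructed for this example.

```python
"""STIX 1.x / CybOX 2.x round-trip: build a package, parse it, report unmapped objects.
Added example; not CRITs code. Uses only the standard library so it runs offline."""
import xml.etree.ElementTree as ET

# Published STIX 1.x / CybOX 2.x namespace URIs.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-1",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

def q(prefix, tag):
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (NS[prefix], tag)

XSI_TYPE = q("xsi", "type")

# Constructed sample data (not real indicators).
SAMPLE_INDICATORS = [
    {"title": "C2 domain", "type": "domain", "value": "c2.example"},
    {"title": "C2 address", "type": "ipv4", "value": "203.0.113.7"},
    {"title": "Dropper hash", "type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
]

def _properties(ind_type, value):
    """Build the cybox:Properties element for one supported atomic observable."""
    props = ET.Element(q("cybox", "Properties"))
    if ind_type == "domain":
        props.set(XSI_TYPE, "DomainNameObj:DomainNameObjectType")
        ET.SubElement(props, q("DomainNameObj", "Value")).text = value
    elif ind_type == "ipv4":
        props.set(XSI_TYPE, "AddressObj:AddressObjectType")
        props.set("category", "ipv4-addr")
        ET.SubElement(props, q("AddressObj", "Address_Value")).text = value
    elif ind_type == "md5":
        props.set(XSI_TYPE, "FileObj:FileObjectType")
        hashes = ET.SubElement(props, q("FileObj", "Hashes"))
        h = ET.SubElement(hashes, q("cyboxCommon", "Hash"))
        ET.SubElement(h, q("cyboxCommon", "Type")).text = "MD5"
        ET.SubElement(h, q("cyboxCommon", "Simple_Hash_Value")).text = value
    else:
        raise ValueError("unsupported indicator type: %s" % ind_type)
    return props

def build_package(package_id, indicators):
    """Serialise a list of {title,type,value} records as one stix:STIX_Package."""
    root = ET.Element(q("stix", "STIX_Package"), {"id": package_id, "version": "1.1.1"})
    container = ET.SubElement(root, q("stix", "Indicators"))
    for n, item in enumerate(indicators, 1):
        ind = ET.SubElement(container, q("stix", "Indicator"),
                            {"id": "%s-Indicator-%d" % (package_id, n)})
        ind.set(XSI_TYPE, "indicator:IndicatorType")
        ET.SubElement(ind, q("indicator", "Title")).text = item["title"]
        obs = ET.SubElement(ind, q("indicator", "Observable"),
                            {"id": "%s-Observable-%d" % (package_id, n)})
        ET.SubElement(obs, q("cybox", "Object")).append(_properties(item["type"], item["value"]))
    return ET.tostring(root, encoding="unicode")

def parse_package(xml_text):
    """Return (records, skipped): mapped {title,type,value} records and a list of
    (title, xsi:type) pairs for CybOX object types this ingester does not represent."""
    root = ET.fromstring(xml_text)
    records, skipped = [], []
    for ind in root.iter(q("stix", "Indicator")):
        title = ind.findtext(q("indicator", "Title"))
        props = ind.find(".//" + q("cybox", "Properties"))
        if props is None:
            continue
        xsi_type = props.get(XSI_TYPE, "")
        if xsi_type.endswith("DomainNameObjectType"):
            rec = ("domain", props.findtext(q("DomainNameObj", "Value")))
        elif xsi_type.endswith("AddressObjectType") and props.get("category") == "ipv4-addr":
            rec = ("ipv4", props.findtext(q("AddressObj", "Address_Value")))
        elif xsi_type.endswith("FileObjectType"):
            h = props.find(".//" + q("cyboxCommon", "Hash"))
            rec = (h.findtext(q("cyboxCommon", "Type")).lower(),
                   h.findtext(q("cyboxCommon", "Simple_Hash_Value")))
        else:
            skipped.append((title, xsi_type))  # record the gap instead of silently dropping it
            continue
        records.append({"title": title, "type": rec[0], "value": rec[1]})
    return records, skipped

# Constructed package whose only observable is a URIObject, which this parser does not map.
UNMAPPED_PACKAGE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:Package-2" version="1.1.1">
  <stix:Indicators>
    <stix:Indicator id="example:Package-2-Indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Phishing URL (constructed)</indicator:Title>
      <indicator:Observable id="example:Package-2-Observable-1">
        <cybox:Object><cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
          <URIObj:Value>http://phish.example/login</URIObj:Value>
        </cybox:Properties></cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

if __name__ == "__main__":
    xml = build_package("example:Package-1", SAMPLE_INDICATORS)
    print(xml)
    print(parse_package(xml))
    print(parse_package(UNMAPPED_PACKAGE))
```

The `skipped` list is the point worth keeping in any real ingester: when a peer sends an object type the receiving side does not model, the analyst should see that the indicator was not loaded rather than discover the gap later.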