ThreatConnect® models threat intelligence primarily in one of two categories: Indicators and Groups. Each category has some unique abilities and constraints that determine its behavior within ThreatConnect.
An Indicator represents an atomic piece of information that has some intelligence value, regardless of where it exists on ThreatConnect’s Diamond Model. Indicators are guaranteed to be unique within an Owner. For example, a single Organization can have only one copy of the Indicator firstname.lastname@example.org.
Indicators currently are classified in 10 categories:
- Address: An Address Indicator represents a valid IP Address, either IPv4 or IPv6 (e.g., 192.168.0.1). For IPv6, supported representations are standard (e.g., 1762:0:0:0:0:B03:1:AF18), “exploded” standard (e.g., 1762:0000:0000:0000:0000:0B03:0001:AF18), and compressed (e.g., 1762::B03:1:AF18). Mixed notation is not supported (e.g., 1762:0:0:0:0:B03:127.32.67.15).
- Email Address: An Email Address Indicator represents a valid email address (e.g., email@example.com).
- File: A File Indicator represents a unique file hash or series of hashes. Supported hashes are MD5, SHA-1, and SHA-256.
- Host: A Host Indicator represents a valid hostname, which is also referred to as a domain (e.g., bad.com).
- URL: A URL Indicator represents a valid URL, including protocol (e.g., http://www.bad.com/index.php?id=1). URLs are accepted according to RFC 3986, with a few exceptions: Underscore (_) is an allowed character for the third label (i.e., subdomains); the host section of the authority part must be lowercase; URL encoding is not verified (% is simply an accepted character in the path, query, and fragment); and user information must be removed from the authority part. Accepted schemes are http, https, ftp, and sftp. The host section of the authority part can be a hostname or an IPv4 address.
- ASN: An ASN (Autonomous System Number) Indicator represents a number that uniquely identifies each network on the Internet (e.g., 204288).
- CIDR: A CIDR (Classless Inter-Domain Routing) Indicator represents a block of network IP addresses (e.g., 10.10.1.16/32).
- Mutex: A Mutex Indicator is a synchronization primitive that can be used to identify malware files and relate malware families (e.g., \Sessions\1\BaseNamedObjects\Globa\CLR_PerfMon_WrapMutex).
- Registry Key: A Registry Key Indicator represents a node in a hierarchical database that contains data critical for the operation of Windows and the applications and services that run on Windows (e.g., HKEY_CURRENT_USER\Software\MyApp).
- User Agent: A User Agent Indicator is a characteristic identification string that a software agent uses when operating in a network protocol [e.g., Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95, Safari/537.36].
NOTE: System Administrators may also create custom Indicators. Users who would like the definition of an Indicator other than the ones listed in this article should contact their System Administrator for more information.
To select and view Indicators, go to the top navigation bar (Figure 1) and place the cursor over BROWSE.
Next, place the cursor over the INDICATORS option to choose a specific object, or click on the INDICATORS option itself to generate a table of all available entries. Click on a specific Indicator's entry in the table, and its Details flyout will appear on the right-hand side of the screen. Then click on the Details icon to access the Overview tab of the Details screen. Alternatively, hover over the Indicator’s entry in the table and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen.
The Overview tab of an Indicator’s Details screen may have Indicator-specific enrichments as appropriate to that Indicator type. For example, the Details screen for a File allows the user to define a file’s name, and the Details screen for an Address displays IP geolocation data. See The Details Screen for further information.
An Indicator’s Details screen also includes other tabs offering different options. For example, the Details screen for a Host includes a DNS tab that displays DNS resolution history and a Whois tab providing Whois registration information (Figure 2).
Groups represent a collection of related behavior and intelligence. Groups are currently classified in 11 categories:
- Adversary: The Adversary Group represents a malicious actor or group of actors. An Adversary can be tracked by its assets (e.g., websites, email addresses, hacker handles, etc.) to allow for monitoring of activity.
- Campaign: The Campaign Group represents a collection of Incidents over time. (See the bulleted item for Incident later in this list.)
- Document: The Document Group represents an actual file of interest, such as a PDF report that contains valuable intelligence or a malware sample. Documents can have their contents indexed for future searching.
- E-mail: The E-mail Group represents an occurrence of a specific suspicious email, such as a phishing attempt.
- Event: The Event Group is an observable occurrence of notable activity in an information system or network that may indicate a security incident. For example, an Event might be created from a SIEM alert that needs to be triaged and investigated.
- Incident: The Incident Group represents a snapshot of a particular intrusion, breach, or other event of interest.
- Intrusion Set: The Intrusion Set Group is a set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a common known or unknown Adversary. New activity can be attributed to an Intrusion Set even if the Adversaries behind the attack are not known. Adversaries can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets.
- Report: The Report Group is a generic object that can hold a collection of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. It can be used to group related pieces of threat intelligence together so that they can be published as a comprehensive cyberthreat story. Reports can be used to memorialize and distribute a wide variety of threat reports, such as reports on malware families, risk reports on specific infrastructure, and even writeups on physical security. PDF and HTML files uploaded to a Report are viewable directly on the Report File card on the Overview tab of that Report’s Details screen. The Report Group is designed to be a neutral object that is suitable for a variety of topics. This design is in contrast to that of other Groups such as Adversary and Incident, which have more specific definitions. It is up to the user to decide which object is best suited to their needs.
- Signature: The Signature Group represents an actual Signature that can be used for detection or prevention in a supported format (i.e., Snort®, YARA, CybOX™, OpenIOC, ClamAV®, Suricata, Bro, Regex, and Splunk® Search Processing Language (SPL)).
NOTE: System Administrators may create custom Signature types.
- Threat: The Threat Group represents a group of related activity, whether or not attribution is known. This relation can be based on technology (e.g., Shellshock) or pertain to a grouping of activity that is presumed to be by the same selection of actors (e.g., Bitterbug).
- Task: The Task Group represents an assignment given to a ThreatConnect user.
To select and view Groups, go to the top navigation bar (Figure 1) and place the cursor over BROWSE. Next, place the cursor over the GROUPS option to choose a specific object, or click on the GROUPS option itself to generate a table of all available entries. Then follow the same steps as for the INDICATORS option.
Groups can be associated to Indicators and to other Groups. Indicators can be associated to other Indicators via custom Associations, which must be set up by a System Administrator. The functionality of Associations allows users to model and discover correlations and relationships that may not have been immediately obvious.
Figure 3 displays different Groups (in square boxes) that are associated with a number of Indicators (in circles).
The notional representation in Figure 3 denotes the following:
- A Threat Group (e.g., EVILSAUCE) may be known to operate out of two IP Addresses, modeled as Address Indicators, which are associated to the Threat.
- A Signature Group has been created (e.g., EVILSAUCE.snort) that searches for one of the EVILSAUCE IP addresses, as well as a hostname it previously resolved to in DNS servers. This Signature is associated with both the EVILSAUCE Threat and the relevant indicators.
- An Adversary Group (e.g., EvilJoe55) is known to work with the EVILSAUCE Threat Group, and is associated as such. This Adversary has a known email address (firstname.lastname@example.org), which is modeled as an Email Address Indicator and associated to the EvilJoe55 Adversary. The Indicator can also be used as an asset for future Adversary tracking.
- EvilJoe55’s email address was detected as having sent a suspicious email. This factor is modeled as an Association between the Email Address Indicator and an Email Group, which represents the phishing attempt. This phishing attempt included a malware attachment, whose hash has been captured as a File Indicator and associated to the Email Group.
Future Associations yielded by analysis could include the following:
- EvilJoe55 may be moonlighting with another hacking team, which could see this Adversary associated with another Threat.
- Malware analysis on the File Indicator may indicate that it calls out to additional infrastructure, which could yield new Associations.
- The EVILSAUCE Threat could be updated to associate to any Host, past or present, as resolved by its known IP Address infrastructure.
CybOX™ is a trademark of the MITRE Corporation.
Splunk® is a registered trademark of Splunk, Inc.