In a previous post (located here) we chatted about CRITs and using targets. While this was in relation to phishing, it doesn’t need to be. The Targets collection is really flexible, although I’ll freely admit you’ll need to massage it slightly. The original direction in CRITs development was to view a target an an individual or identity, one definitely linked to email, which is why that stands as a requirement to submit a target. That can be expanded easily, however.
How about a server? Or, a laptop or phone that’s checked out when people travel? The Target in CRITs exposes a variety of useful fields as this image shows.
Let’s repurpose a few to perform other tasks. Take the server idea from above. I’ve never met a server that didn’t have a name, no matter how esoteric it looked. We could use organizational ID to show that, but it’s better to use either first name or last name instead. That reserves organizational ID for covering when the server hardware/software doesn’t belong to you, but does to another organization. Notes can serve that purpose as well, but I’ve found it doesn’t have the same searchability as first and last name. Notes is where a brief description of the item can be placed, so you can identify it as the mail server or server that hosts record data, etc. Defining a laptop in your traveler program could follow the same example.
Relationships are where this begins to shine. Take the traveler laptop, for example–now, you can link the people who previously had the laptop and potentially extend that further to adversary targeting, phishing and dozens of other intelligence pivots that can lead to interesting and functional things.
Ready to take the leap into learning with CRITS? Monty St. John offers in depth classes on CRITS, YARA and more with the CyberDefenses Academy: http://cyberdefenses.com/academy/