CRITical introduction: a play on words, to be sure. Collaborative Research in Threats, or CRITs for short, is a threat intelligence platform (TIP). It's the repository where you store threat data and those sometimes fragile connections that you make to link everything together. Don't just take my word for it; here's a fragment of the introduction straight from their website:
CRITs is an open source malware and threat repository that leverages other open source software to create a unified tool for analysts and security experts engaged in threat defense. It has been in development since 2010 with one goal in mind: give the security community a flexible and open platform for analyzing and collaborating on threat data.
As a researcher, analyst, engineer, or whatever your title may contain in addition to "threat", having a place to house intelligence data is important. Your SIEM is not the right place, and neither are Excel sheets, documents, or even an indexed platform like Solr or a wiki. All of these can be helpful and appropriate assistants but shouldn't serve as your front-line threat data warehouse; they are too static. CRITs gives you some fangs to bite deeply into that threat topic.
From an interconnectivity standpoint, it allows you to connect and relate data, whether traditional indicators like IPs, domains, and files, or concepts like the victims targeted, activity measurements, campaigns, incidents, and more.
CRITs also comes with a large variety of services that let you connect the threat data in CRITs to other platforms (Bit9, FireEye, IBM X-Force, Threatgrid, etc.) to enrich information either uni- or bidirectionally. It also has plenty of services that let you chop, slice, and derive metadata and more from what you enter.
It’s a big package that comes at a big fat price of zero. Yup. It’s an open source product with an active and energetic community constantly upgrading and adding to it.
In fact, if CRITs suffers in any way, it would be that it is so big it can be easy to get lost in what it can do, which is part of why we teach about it. As an example, did you know CRITs is pretty effective to spin up and use during incidents? How about that you can install it in a VM and employ it as an isolated TIP for that incident, and then wrap it up and archive it after you are done? Or that it has a web API, so you can talk to it from the command line or remotely? Did you know that CRITs supports YARA, Bro, and Snort signatures and can keep them in an organized collection for you? It might not be the only show in town, but it does come at the right price with a lot of powerful capability.
Ask yourself or your analysts — where do you keep your threat data?
Looking for more than a CRITical intro? We now offer CRITS training: http://cyberdefenses.com/product/maximizing-crits/