CRITs – The Fulcrum for the Lever of Intel

As a services company, it’s probably no surprise that we help people.  When companies need a hand or need to add in a capability that they previously didn’t have, we get a chance to get involved in some exciting situations.  Sometimes exciting bad, like when an incident occurs, but just as often exciting good, when we bring something powerful online for that person.  One of those “exciting things” we do as a service is help stand up threat teams.  We also assist with streamlining and making the use and flow of intelligence more efficient in companies as well.  When either situation occurs, we tend to provide product suggestions.  While we are careful to accommodate existing architecture, investment and other factors, Collaborative Research into Threats (CRITs) is a favorite suggestion for a threat intelligence platform (TIP).

  • With a free price tag, it’s right-sized for most budgets.  Even in enterprise or cloud deployments, the cost of the needed infrastructure is pretty minimal.
  • Written by MITRE, it has very strong backing.  As a not-for-profit company with deep federal support, it’s not going away or likely to be privatized.
  • It also has an active, very proactive user base and support network as an open source project.
  • As an open program it can be changed, adapted or modified to really home in on local needs.
  • Compact enough to roll up into a VM and take into an incident or distribute in the cloud or at an enterprise level.

I could go into even more detail, like the diversity of threat data points that can be added, linked and pivoted on, but I really want to focus on its use.  When a client agrees and we help bring CRITs online, then we get to show them how it shines.

Companies understand the need for threat intelligence.  They understand that they need to be aware of cyber-risks – or they really don’t have an efficient security strategy.  People are realizing that even size – the idea that they are too small to be a target – isn’t a factor any more.  In fact, being small (~5M or less) can be worse, as nearly half of cyber attacks target businesses of this size.  Even worse news is that 60% of them go out of business within 6 months of an attack.

So what’s CRITs got to do with that?

I’ve not found good statistics for the number of companies that actually have a TIP — spreadsheets, text files and little databases of data don’t count as a platform — so I have to go off more of my own experience.  I’ve directly helped or assisted teams helping 64 companies.  In that mix, only 22 had what I might remotely consider a TIP.  Nine (9) of those used an external online community, such as AlienVault or IBM’s X-Force Exchange.  Both of these are phenomenal communities.  Each provides a measure of privacy, but I’ve yet to see a good security person not get a case of hives when they consider the thought of uploading their internal intelligence into either community or the others like them.  So, if you toss out those 9 from the mix you get an ugly number of 13 out of 64 companies that had a TIP.  That comes out to a little better than 14% by my math.

That’s pretty bad.

For the small percentage that do have one, it’s an even smaller number who use their TIP as more than a dumping ground for indicators.  For the dumping ground category, the intelligence processing is either done outside of their TIP — kinda defeating the purpose — or not at all.  Neither situation is good.

So here’s what we do.

When we fire up CRITs, we give the users a firm walkthrough of its capability.  It has a lot of horsepower and, to stay with the vehicle analogy, a lot of gears you can work through.  It’s easy to get into first gear.  After all, shoveling indicators into the platform doesn’t take much effort.  Given the analogy, it should be a given that you can’t achieve a high speed in first gear.  You have to shift.


Second gear means investing internal information from your enterprise into CRITs.  That’s asset inventories, traveler data, services, business associates, credentials, configurations, and all the other valuable internal information you can derive by looking inside your own enterprise.  Second gear is all about insight.

Third gear means linking it together: tying that phishing email to its internal targets and to their sections, divisions, assets and credentials (identity).  Now you can tell if, over time, a phishing attack is following a specific person or whether it hit a specific subset of your company.  Or if that one person, physical asset, or department is spawning the most service tickets for you.  Third gear is correlating activity to your environment.
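The third-gear correlation described above, as an added example that is not from the original post and does not use CRITs or its API: constructed phishing observations are joined to a constructed internal directory to show whether a sender domain keeps following one person or concentrates on one department. Every address, domain and date is made up, and the `correlate` helper is hypothetical.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed internal directory (second-gear data): address -> department.
DIRECTORY = {
    "a.ruiz@corp.example": "Finance",
    "b.chen@corp.example": "Finance",
    "c.okoye@corp.example": "Engineering",
    "d.hale@corp.example": "Legal",
}

# Constructed phishing observations (first-gear data).
PHISH = [
    {"sender_domain": "invoice-portal.example", "seen": date(2019, 9, 2),
     "recipients": ["a.ruiz@corp.example", "b.chen@corp.example"]},
    {"sender_domain": "invoice-portal.example", "seen": date(2019, 9, 16),
     "recipients": ["a.ruiz@corp.example"]},
    {"sender_domain": "invoice-portal.example", "seen": date(2019, 10, 1),
     "recipients": ["a.ruiz@corp.example", "unknown@corp.example"]},
    {"sender_domain": "hr-benefits.example", "seen": date(2019, 9, 20),
     "recipients": ["c.okoye@corp.example", "d.hale@corp.example"]},
]

def correlate(phish, directory, min_waves=2):
    """Link each sender domain to the people and departments it reached."""
    waves = defaultdict(lambda: defaultdict(set))  # domain -> person -> dates seen
    depts = defaultdict(Counter)                   # domain -> department -> hits
    unmapped = set()                               # recipients missing from inventory
    for mail in phish:
        for rcpt in set(mail["recipients"]):
            dept = directory.get(rcpt.lower())
            if dept is None:
                unmapped.add(rcpt)  # a gap in second-gear data, worth fixing
                continue
            waves[mail["sender_domain"]][rcpt].add(mail["seen"])
            depts[mail["sender_domain"]][dept] += 1
    report = {}
    for domain in waves:
        # "Followed" means the same person was hit on min_waves or more distinct dates.
        followed = sorted(p for p, d in waves[domain].items() if len(d) >= min_waves)
        top_dept, hits = depts[domain].most_common(1)[0]
        report[domain] = {
            "followed": followed,
            "top_department": top_dept,
            "department_share": round(hits / sum(depts[domain].values()), 2),
        }
    return report, sorted(unmapped)

REPORT, UNMAPPED = correlate(PHISH, DIRECTORY)
```

The unmapped list matters as much as the report: a recipient the inventory cannot place is activity you cannot correlate to your environment.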

Fourth gear is starting to profile your data.  Here’s where the intelligence work really starts.  Now you are profiling information previously seen (second gear) or linked (third gear) to what you know about your enemies – those pernicious shadows lurking around and, sadly, sometimes inside your network.  CRITs can be leveraged to include very textual, wiki-style documentation.  It can also contain attack patterns, TTPs, OODA cycles, market analysis and other intelligence research and reporting.  These can be linked and profiled to specific activity and sometimes to a specific Actor or campaign of activity.  The data can be graphed, stacked, contrasted, measured and otherwise analyzed.  So, fourth gear is all about profiling and analyzing.

Fifth gear is overdrive.  Three power words for Threat Intelligence are Prevent, Detect and Inform.  In overdrive you build patterns, determinations, and models of adversarial activity.  These actions feed the act of taking steps to discover adverse activity (Detect), stop negative events from occurring (Prevent) and report on their potential (Inform).  Here you define the goals and strategies of your enemies and, to a certain extent, define some of those from the incomplete snapshot of data you have at hand.  Overdrive, that fifth gear, is all about empowering your identity management to function better; providing intel to lead and guide the security operations center; helping data leak prevention teams stop leaks, and so on.  It’s also about enriching your corporate leaders’ understanding of threats, risks and security.

CRITs, I think you can see, can be powerful.  Not standalone, of course.  It’s not an AI or an automated intelligence platform.  Those are well and good but nothing replaces grey matter or its pattern matching capability.  Not yet, at least.  It needs people – ones trained to use it and with the skills to transform threat data into information and then build it into intelligence.  This is something we are especially suited for helping people achieve, both in the training and servicing arena.



About the author

Monty St John

Monty is a security professional with more than two decades of experience in threat intelligence, digital forensics, malware analytics, quality services, software engineering, development, IT/informatics, project management and training. He is an ISO 17025 laboratory auditor and assessor, reviewing and auditing 40+ laboratories. Monty is also a game designer and publisher who has authored more than 24 products and 35 editorial works.