Getting Social with CRITs


It’s all about relationships. That’s a truism in social situations, and it’s just as true in CRITs. In fact, go ahead and think of CRITs as a social animal. CRITs lets you connect pretty much every top-level object (TLO) and many of their sub-items to one another via relationships, and describe each connection in CybOX relationship terms. While I’m not 100% bought into CybOX and how they do business, it does the work I need and is built into CRITs as part of its nuts and bolts.

You don’t need much to make that happen: a source (the TLO you start from), the relationship you want to build, and a destination (the TLO you link to). Assign a confidence level and a textual reason and you’re off to the races!

Think about how powerful that can be. Correlation is a prime factor of intelligence work. Saying one element of the investigation is linked to another (and how) is a key function of building a sight picture of the activity at hand. CRITs lets you do that simply by saying one data point, say a domain, is linked to an IP. It also lets you define how, with pretty decent flexibility. It also allows for the creation of relationship chains and diagramming: not just the first-level connection, say domain to IP, but the deeper levels too, such as the hosting provider behind that IP, who in turn owns that provider, and so on down the rabbit hole of connections. This lets you build structured constellations of connections and graph them. If you are visually inclined, that’s a fabulous tool for rapidly understanding how everything is linked, and it gives you the cues to perform the threat hunting you need. If you use Maltego as well, then bridging into mcrits means you can use Maltego to visualize and recon more data that can, in turn, be delivered back to CRITs to further build your intelligence database.

While I’m on the topic, CRITs is NOT a relational store. It uses MongoDB for its backend, which is by no means a relational database. CRITs gets around that the way MongoDB applications normally do: by either linking (referencing) related documents or embedding the related information inside a document. Feel free to dig into more on the data schema and how MongoDB works here.

Relational queries can be simulated, but they are better performed via CRITs services, with the results reintroduced into CRITs, than run inside it.

Back to relationships. This capability, by and large, isn’t complicated to perform for a single link, but it can get complicated as the links grow. CRITs does a good job of managing this by enforcing one-step relationships only: every link is a direct connection between exactly two objects, and longer chains are just sequences of those single steps. It does mean you sometimes have to dig, following link after link, to find exactly what you need, but given how powerful its search capability is, that’s not really an issue.
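To make the mechanics of the last few paragraphs concrete, here is an added Python example. It is a constructed toy of my own, not CRITs code: each TLO document carries its own embedded list of one-step relationships, forging a link writes the forward type on the source and the reverse type on the destination together with the confidence and reason, and a breadth-first walk then assembles the constellation (domain to IP, IP to sibling domain, and so on) out of those single steps. The embedded field names are modelled on what CRITs keeps on a TLO, but that layout, the forward/reverse pairings shown, and the sample domains, IP and file are all assumptions for illustration.

```python
"""Toy model of CRITs-style relationships (constructed example, not CRITs code).

Each TLO document holds an embedded list of one-step relationships. Forging a
relationship writes the forward type on the source and the reverse type on the
destination; walking those single steps breadth-first yields the constellation.
Field names (type, value, relationship, rel_confidence, rel_reason, analyst,
date) are modelled on CRITs' embedded records but are an assumption here."""
from collections import deque
from datetime import datetime, timezone

# Illustrative subset of CybOX-derived relationship types, forward -> reverse.
# The pairing is an assumption; CRITs ships a much larger table.
RELATIONSHIP_TYPES = {
    "Resolved_To": "Resolved_To_By",
    "Connected_To": "Connected_From",
    "Downloaded": "Downloaded_By",
    "Related_To": "Related_To",
}
CONFIDENCE = ("unknown", "low", "medium", "high")


def new_tlo(db, tlo_type, value):
    """Add a minimal TLO document to the in-memory 'collection' and return its id."""
    oid = f"{tlo_type.lower()}-{len(db):03d}"  # stand-in for a Mongo ObjectId
    db[oid] = {"_id": oid, "type": tlo_type, "value": value, "relationships": []}
    return oid


def _embed(doc, other, relationship, confidence, reason, analyst, now):
    """Append one embedded relationship record pointing at `other`."""
    doc["relationships"].append({
        "type": other["type"], "value": other["_id"], "relationship": relationship,
        "rel_confidence": confidence, "rel_reason": reason,
        "analyst": analyst, "date": now,
    })


def forge_relationship(db, left_id, right_id, rel_type,
                       confidence="unknown", reason="", analyst="analyst"):
    """Link two TLOs. Returns True on success, False if the request is rejected:
    unknown ids, self-links, unknown relationship type or confidence, duplicates."""
    if left_id == right_id or left_id not in db or right_id not in db:
        return False
    if rel_type not in RELATIONSHIP_TYPES or confidence not in CONFIDENCE:
        return False
    left, right = db[left_id], db[right_id]
    if any(r["value"] == right_id and r["relationship"] == rel_type
           for r in left["relationships"]):
        return False  # same typed edge already recorded; do not double-link
    now = datetime.now(timezone.utc).isoformat()
    _embed(left, right, rel_type, confidence, reason, analyst, now)
    _embed(right, left, RELATIONSHIP_TYPES[rel_type], confidence, reason, analyst, now)
    return True


def constellation(db, start_id, max_depth):
    """Breadth-first walk over one-step relationships from `start_id`.
    Returns (depth, source_id, relationship, destination_id) for every TLO the
    first time it is reached, up to `max_depth` hops; back-edges to TLOs
    already seen are not repeated."""
    seen, edges = {start_id}, []
    queue = deque([(start_id, 0)])
    while queue:
        oid, depth = queue.popleft()
        if depth == max_depth:
            continue
        for rel in db[oid]["relationships"]:
            if rel["value"] in seen:
                continue
            seen.add(rel["value"])
            edges.append((depth + 1, oid, rel["relationship"], rel["value"]))
            queue.append((rel["value"], depth + 1))
    return edges


def build_demo():
    """Constructed sample data: a domain resolving to an IP, a sibling domain on
    the same IP, and a sample that beaconed to the first domain."""
    db = {}
    dom = new_tlo(db, "Domain", "update-check.example")
    ip = new_tlo(db, "IP", "203.0.113.7")
    dom2 = new_tlo(db, "Domain", "cdn-sync.example")
    sample = new_tlo(db, "Sample", "sample-01.bin")
    assert forge_relationship(db, dom, ip, "Resolved_To", "high", "passive DNS (constructed)")
    assert forge_relationship(db, dom2, ip, "Resolved_To", "medium", "passive DNS (constructed)")
    assert forge_relationship(db, sample, dom, "Connected_To", "low", "sandbox run (constructed)")
    return db, dom, ip, dom2, sample


if __name__ == "__main__":
    db, dom, ip, dom2, sample = build_demo()
    for depth, src, rel, dst in constellation(db, dom, 2):
        print(f"{'  ' * depth}{db[src]['value']} {rel} {db[dst]['value']}")
```

Walking two hops from the first domain reaches the IP and the sample at depth 1 and the sibling domain at depth 2 through the IP’s reverse Resolved_To_By link, which is exactly the “dig one step at a time” pattern the one-step storage model forces; the back-edge from the IP to the starting domain is skipped rather than reported twice.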

About the author

Monty St John

Monty is a security professional with more than two decades of experience in threat intelligence, digital forensics, malware analytics, quality services, software engineering, development, IT/informatics, project management and training. He is an ISO 17025 laboratory auditor and assessor, reviewing and auditing 40+ laboratories. Monty is also a game designer and publisher who has authored more than 24 products and 35 editorial works.