
Getting Social with CRITs


It’s all about relationships. That’s a truism in social situations and in CRITs. In fact, go ahead and think of CRITs as a social animal. CRITs allows you to connect via relationship pretty much every top level item (TLO – link needed) and many sub-items, and to describe that connection in CYBOX (link) terms. While I’m not 100% bought into CYBOX and how they do business, it does the work I need and is built into CRITs as part of its nuts and bolts.

You don’t need much to make that happen: a source (source type example below), the relationship you want to build, and the destination (destination type below). Assign a confidence level and a textual reason and you’re off to the races!

Think about how powerful that can be. Correlation is a prime factor of intelligence work. Saying one element of the investigation is linked to another (and how) is a key function in building a sight picture of the activity at hand. CRITs lets you do that simply by saying one data point, say a domain, is linked to an IP. It also lets you define how, with pretty decent flexibility. It will also allow for the creation of relationship chains and diagramming: not just that 1st level connection, say domain to IP, but also sub-depths such as the hosting provider that leases that IP, who in turn owns that provider, and so on down the rabbit hole of connections. This allows you to build structured constellations of connections and graph them. If you are visually inclined, that’s a fabulous tool for rapidly understanding how everything is linked, and it gives you the cues to perform the threat hunting you need. If you use Maltego as well, then bridging into mcrits means you can use Maltego to visualize and recon more data that can, in turn, be delivered back to CRITs to further build your intelligence database.

While I’m on the topic, CRITs is NOT a relational storehouse. It uses mongo for its backend, which is by no means a relational database. It overcomes that by either linking or embedding information. Feel free to dig into more on the data schema and how mongo works here.

Relational activity can be simulated, but it’s better performed via CRITs services and reintroduced into CRITs than performed within it.

Back to relationships. This capability, by and large, isn’t complicated to perform individually, but it can get complicated as the links grow. CRITs does a good job of managing this by enforcing 1-step relationships only. It does mean you sometimes have to dig to find exactly what you need, but given how powerful its search capability is, that’s not really an issue.
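To make the source/relationship/destination/confidence/reason model and the "1-step only, so you dig for chains" behaviour concrete, here is an added toy model (not CRITs code, and not MongoDB). It embeds each one-step link on both TLO documents, as CRITs does, and walks the domain → IP → hosting provider → owner chain described above; the TLO types, ids, relationship labels and confidence values are constructed for illustration.

```python
"""Toy model of CRITs-style one-step relationships embedded on each
top-level item (TLO), plus the multi-hop digging the post describes.
Constructed example: a plain dict stands in for the mongo store, and the
relationship labels are made up in CybOX style, not the real vocabulary."""
from collections import deque

# Constructed sample TLOs keyed by (type, id); ids are placeholders.
store = {
    ("Domain", "dom-1"): {"value": "example-c2.test", "relationships": []},
    ("IP", "ip-1"): {"value": "203.0.113.10", "relationships": []},
    ("Actor", "act-1"): {"value": "hosting provider (constructed)", "relationships": []},
    ("Actor", "act-2"): {"value": "provider owner (constructed)", "relationships": []},
}

def add_relationship(left, right, rel_type, confidence, reason):
    """Record a single one-step link on BOTH TLOs (source and destination),
    each carrying the relationship type, confidence and textual reason."""
    for src, dst in ((left, right), (right, left)):
        store[src]["relationships"].append({
            "type": dst[0], "value": dst[1],
            "relationship": rel_type,
            "rel_confidence": confidence, "rel_reason": reason,
        })

def relationship_chain(start, max_depth):
    """Breadth-first walk over the one-step links, up to max_depth hops.
    Returns {TLO: list of relationship labels followed from start}."""
    seen = {start: []}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_depth:
            continue
        for rel in store[node]["relationships"]:
            nxt = (rel["type"], rel["value"])
            if nxt not in seen:          # first visit is the shortest chain
                seen[nxt] = seen[node] + [rel["relationship"]]
                queue.append((nxt, depth + 1))
    return seen

# Build the domain -> IP -> hosting provider -> owner chain from the post.
add_relationship(("Domain", "dom-1"), ("IP", "ip-1"), "Resolved_To", "high", "passive DNS")
add_relationship(("IP", "ip-1"), ("Actor", "act-1"), "Hosted_By", "medium", "ASN whois")
add_relationship(("Actor", "act-1"), ("Actor", "act-2"), "Owned_By", "low", "registrar record")
```

Because every stored link is one step deep, the owner only appears once you allow three hops; a two-hop search stops at the hosting provider.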

For more information on the powerful tool that is CRITs, sign up for our Maximizing CRITS CyberSecurity Training.

About the author

Monty St John

Monty St John has been in the security world for more than two decades. When he is not responding to incidents he teaches classes in Threat Intelligence, Incident Response and Digital Forensics. Monty is a frequent contributor to community and industry events, presenting at BSides D.C., BSides Austin, Charm, Derbycon and several others. He lives in Austin, Texas and is a security trainer for CyberDefenses, Inc. based out of Round Rock, Texas.

Contact CyberDefenses today to learn how we can help your company’s cybersecurity needs.