Posted
Signature Management in ThreatConnect
ThreatConnect API with SDKs enables users to develop tools that can automate signature generation and integrate signatures into existing security products
When most people first see the ThreatConnect security platform, they may be introduced to the Signatures feature that allows analysts and users to store multiple types of signatures. However, the functionality of signatures within ThreatConnect is not limited to merely storage. The associative nature of indicators and groups within ThreatConnect enables signatures to be associated directly with their related indicators and incidents, while the extensibility of the ThreatConnect API with three SDKs enables users to develop tools that can automate signature generation and integrate signatures from ThreatConnect into existing security products.
Creating Signatures in ThreatConnect
Signatures can be added into the ThreatConnect cloud by accessing the “Import” menu from the dashboard or browse screen, and selecting “Signature”.
The Signature import page allows you to select a local signature file to upload.
You can set the type of signature from a predefined list of signature types in the “Type” dropdown menu.
Once a signature file has been uploaded for import, a preview of that signature’s contents will be displayed.
Clicking “Next” will lead you to the “Confirm” page, where you enter the Signature Name to be used within ThreatConnect, and may optionally add a default Description and Source attribute.
The next page allows you to associate the signature to any related groups or indicators.
Once imported, additional information such as attributes, tags, and security labels can be added to the Signature from the overview page.
Retrieving Signatures from ThreatConnect
An existing signature within ThreatConnect can be updated, viewed, and downloaded from the “Signature File Content” section of the Signature’s Details page.
Signatures via API SDK
The existing ThreatConnect API SDK available on our Github page supports both creation and retrieval of signature groups in ThreatConnect. The inherent extensibility of this solution allows customers to programmatically set and retrieve signatures from the platform, which can then be sent to their defensive products and internal analysis systems.
API Use Case Example: Automated Snort Ruleset Generation
Snort is a common type of signature for use with network based defenses such as Intrusion Detection (IDS) and Intrusion Prevention (IPS) Systems. As such, Snort signatures can be created from any network-based indicators or traffic captures. Network indicators are extremely common and prevalent within ThreatConnect. Thus, there is a natural use case in generating Snort signatures from network indicators already found within ThreatConnect which allows users to take those indicators directly from the platform and generate signatures for their environments.
ThreatConnect’s Research team has been leveraging such a system for some time now.
Consider the following example Incident:
This Incident contains file and URL indicators associated with Ransomware activity, with threat levels at 4 skulls and confidences at 70%.
Using the ThreatConnect API, we can retrieve any network indicators associated with this Incident, and filter on ones that have threat levels at 3 skulls or higher, and confidences at 70% or higher (these are the values that the ThreatConnect Research team has decided on based upon our rating classification system; however an organization can easily tailor them to fit their own classification and rating requirements).
Those network indicators that meet the prerequisite confidence and threat level ratings can then be processed and appended to a Snort ruleset that is generated using a predefined signature configuration template. This Snort ruleset can then be added back into ThreatConnect as a Signature via the API, and associated to both the indicators and group from which the signature was derived.
Conclusion
ThreatConnect’s built-in signature functionality is not merely limited to just storing signatures. The ability to associate signatures with their related indicators and groups establishes context for what would otherwise be just another signature that a security team is required to manage and track. The inherent flexibility of the ThreatConnect API with SDK and integrations provides users the opportunity to not only generate their own signatures from content already within the platform, but also push signatures out to their defensive and endpoint products if necessary. These features provide a much-needed all-around capability for managing and integrating signatures.