
How to Manage and Integrate Signatures in ThreatConnect

Signature Management in ThreatConnect

ThreatConnect API with SDKs enables users to develop tools that can automate signature generation and integrate signatures into existing security products

When most people first see the ThreatConnect security platform, they may be introduced to the Signatures feature that allows analysts and users to store multiple types of signatures. However, the functionality of signatures within ThreatConnect is not limited to merely storage. The associative nature of indicators and groups within ThreatConnect enables signatures to be associated directly with their related indicators and incidents, while the extensibility of the ThreatConnect API with three SDKs enables users to develop tools that can automate signature generation and integrate signatures from ThreatConnect into existing security products.

Creating Signatures in ThreatConnect

Signatures can be added into the ThreatConnect cloud by accessing the "Import" menu from the dashboard or browse screen, and selecting "Signature".

The Signature import page allows you to select a local signature file to upload.

You can set the type of signature from a predefined list of signature types in the "Type" dropdown menu:

[Image: the Type dropdown lists Snort, YARA, CybOX, OpenIOC, ClamAV, Suricata, Bro, and Regex]

Once a signature file has been uploaded for import, a preview of that signature's contents will be displayed.

Clicking "Next" will lead you to the "Confirm" page, where you enter the Signature Name to be used within ThreatConnect, and may optionally add a default Description and Source attribute.

The next page allows you to associate the signature to any related groups or indicators.

Once imported, additional information such as attributes, tags, and security labels can be added to the Signature from the overview page.

Retrieving Signatures from ThreatConnect

An existing signature within ThreatConnect can be updated, viewed, and downloaded from the "Signature File Content" section of the Signature's Details page.

Signatures via API SDK

The existing ThreatConnect API SDK available on our Github page supports both creation and retrieval of signature groups in ThreatConnect. The inherent extensibility of this solution allows customers to programmatically set and retrieve signatures from the platform, which can then be sent to their defensive products and internal analysis systems.

API Use Case Example: Automated Snort Ruleset Generation

Snort is a common signature type for network-based defenses such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), and Snort signatures can be written from network-based indicators or traffic captures. Network indicators are extremely common within ThreatConnect, so there is a natural use case in generating Snort signatures from network indicators already in the platform: users can take those indicators directly from ThreatConnect and generate signatures for their own environments.

ThreatConnect's Research team has been leveraging such a system for some time now. Consider the following example Incident:

This Incident contains file and URL indicators associated with Ransomware activity, with threat levels at 4 skulls and confidences at 70%.

Using the ThreatConnect API, we can retrieve every network indicator associated with this Incident and filter on those with a threat level of 3 skulls or higher and a confidence of 70% or higher (these are the values the ThreatConnect Research team settled on based on our rating classification system; an organization can easily tailor them to its own classification and rating requirements).

Those network indicators that meet the prerequisite confidence and threat level ratings can then be processed and appended to a Snort ruleset that is generated using a predefined signature configuration template. This Snort ruleset can then be added back into ThreatConnect as a Signature via the API, and associated to both the indicators and group from which the signature was derived.
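The filter-and-template step above, as an added example that is not ThreatConnect's code or SDK: it runs over a constructed indicator list shaped like the post's Incident, applies the 3-skull / 70% cut-off, and renders each survivor into a Snort rule. The record field names, the rule templates and the SID range are assumptions; in practice the list would come from the API and the resulting ruleset would be posted back as a Signature and associated to its indicators and group.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample shaped like the post's Incident: URL and Address indicators
# at 4 skulls / 70% plus records that should be dropped. Field names are assumed.
SAMPLE_INDICATORS = [
    {"type": "URL", "summary": "http://payload.example/drop/ransom.php", "rating": 4.0, "confidence": 70},
    {"type": "Address", "summary": "203.0.113.45", "rating": 4.0, "confidence": 70},
    {"type": "Host", "summary": "low-signal.example", "rating": 2.0, "confidence": 90},
    {"type": "File", "summary": "d41d8cd98f00b204e9800998ecf8427e", "rating": 5.0, "confidence": 80},
]
MIN_RATING, MIN_CONFIDENCE = 3.0, 70      # the Research team's cut-off; tailor to your scheme
NETWORK_TYPES = {"URL", "Host", "Address"}

def select_network_indicators(indicators, min_rating=MIN_RATING, min_confidence=MIN_CONFIDENCE):
    """Keep only network indicators at or above both thresholds."""
    return [i for i in indicators if i["type"] in NETWORK_TYPES
            and i["rating"] >= min_rating and i["confidence"] >= min_confidence]

def snort_escape(value):
    """Escape the characters Snort treats specially inside content:"..." strings."""
    return (value.replace("\\", "\\\\").replace('"', '\\"')
                 .replace(";", "\\;").replace("|", "\\|"))

def indicator_to_rule(indicator, sid, prefix="ThreatConnect"):
    """Render one indicator into a Snort rule from a fixed per-type template."""
    kind, value = indicator["type"], indicator["summary"]
    if kind == "Address":
        ipaddress.ip_address(value)  # raise on malformed data instead of emitting a bad rule
        return f'alert ip $HOME_NET any -> {value} any (msg:"{prefix} traffic to {value}"; sid:{sid}; rev:1;)'
    if kind == "Host":
        host, path = snort_escape(value), None
    elif kind == "URL":
        parts = urlsplit(value)
        host, path = snort_escape(parts.hostname or ""), snort_escape(parts.path or "/")
    else:
        raise ValueError(f"no Snort template for indicator type {kind}")
    uri = f'content:"{path}"; http_uri; ' if path else ""
    return (f'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"{prefix} HTTP to {host}"; '
            f'flow:to_server,established; {uri}content:"Host|3a| {host}"; nocase; http_header; '
            f'sid:{sid}; rev:1;)')

def build_ruleset(indicators, base_sid=1000001):
    """Filter, then append one rule per surviving indicator with a unique SID."""
    selected = select_network_indicators(indicators)
    return "\n".join(indicator_to_rule(ind, base_sid + n) for n, ind in enumerate(selected))

if __name__ == "__main__":
    print(build_ruleset(SAMPLE_INDICATORS))
```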

Conclusion

ThreatConnect's built-in signature functionality is not limited to storing signatures. The ability to associate signatures with their related indicators and groups establishes context for what would otherwise be just another signature that a security team has to manage and track. The flexibility of the ThreatConnect API, its SDKs and integrations lets users not only generate their own signatures from content already in the platform, but also push those signatures out to their defensive and endpoint products when needed. Together, these features provide a much-needed, end-to-end capability for managing and integrating signatures.

ABOUT THE AUTHOR

The ThreatConnect Research Team is an elite group of globally acknowledged cybersecurity experts dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then we share what we’ve learned so that you can protect your organization and your team can take precise action against threats.