
Why Build Apps in ThreatConnect

Why Build Apps and Share them in ThreatConnect’s TC Exchange™ - Collaborate to Strengthen Your Threat Intelligence Practice
If you’ve spoken with anyone here at ThreatConnect, you may have noticed that we, and many of our customers, are all pretty excited about the launch of ThreatConnect’s TC Exchange™.

 


I thought it would be a good idea to explain why we are buzzing about TC Exchange, and its ability to strengthen your threat intelligence practice by building custom applications for data ingestion and processing, workflows and analysis.  


 

WHY ARE WE EXCITED ABOUT TC EXCHANGE?

TC Exchange empowers our users to customize ThreatConnect in a variety of ways, allowing them to build a stronger threat intelligence practice. We’ve built an application runtime environment and released associated SDKs that allow our users to install, schedule and run applications that integrate with our already powerful API.


So what’s new here? Before TC Exchange, integrations were either hard-coded in the platform and not easily configurable by users or, if they used the API, always had to be run and configured on a separate server running a programming language such as Python. Now installed applications can be configured easily from the ThreatConnect UI without having to tweak the integration code. This is a very powerful capability that allows integrations to be ‘plug ’n’ play.’

 

A commercial Threat Intelligence Platform should be completely customizable to specific intelligence needs and processes, and we’re giving our customers the ability to do just that. However, what excites us the most is what this underlying technology will allow us to do for our customers with the TC Exchange.

 

HOW CAN TC EXCHANGE HELP MY THREAT INTELLIGENCE PRACTICE?

The TC Exchange gives our users the ability to download applications, whether built by our team, a partner, or another user, and run them in their own instance of ThreatConnect. In the public cloud instance, subscribing customers can run jobs for available apps in the TC Exchange. This means that users can build customized apps for a variety of purposes and can choose to share those apps in our cloud-based exchange for others to use. Beyond simply sharing indicators or tailored intelligence, TC Exchange provides the ability to community-source applications and tools, allowing users to share efficient processes with each other.

 

“That’s great,” you say. “But what does this mean to me?”

 

Let me flesh this out a bit more by describing what applications in ThreatConnect can do.

 

INTEGRATIONS AND THREAT DATA INGESTION


Apps in ThreatConnect can be used for traditional integrations such as ingesting structured and unstructured intelligence and integrating with defensive products.  For those with more mature processes, you can also enrich indicators from various reputation services, push malware to one of our many automated malware analysis partners, or create customized ratings based on intelligence you’re receiving or on your own past incidents. These apps can be chained together to complete an entire workflow from discovery to detection.

END-TO-END WORKFLOWS


Allow me to give you an example of an end-to-end workflow we can enable. Let’s say a customer is using ThreatConnect to store malicious files associated with known threats that they have dealt with in the past. Using an application running in ThreatConnect, the malware is automatically queued for analysis in ThreatGrid. The analysis is returned and parsed in ThreatConnect, including related callout domains and IP addresses. A second application now kicks in based on the thresholds set for the indicators derived from the analysis. If there is enough confidence that the new indicators are evil, they are sent to the SIEM for alerting or even to a firewall or OpenDNS Umbrella for blocking. The configuration of the malware analysis returned and the thresholds for sending derived indicators for alerting or blocking are all set by the user from within ThreatConnect. Many of these apps will be available from us or our partners in TC Exchange for you to leverage in the public cloud or in your private instance.
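The threshold step of this workflow, sketched as an added example that is not ThreatConnect's code or SDK: the report layout, function names, threshold values and the internal-network exclusion list are all assumptions made here. It deduplicates the callouts parsed from an analysis report, drops values that must never be acted on, and routes the rest to block, alert or hold by confidence.

```python
import ipaddress
import json

# Constructed sample report. Its layout is an assumption for illustration,
# not the output format of ThreatGrid or ThreatConnect.
SAMPLE_REPORT = json.dumps({"callouts": [
    {"type": "domain", "value": "Update.Example-Bad.test.", "confidence": 92},
    {"type": "domain", "value": "update.example-bad.test", "confidence": 71},
    {"type": "ip", "value": "203.0.113.45", "confidence": 64},
    {"type": "ip", "value": "10.20.30.40", "confidence": 99},
    {"type": "domain", "value": "cdn.example.test", "confidence": 30},
    {"type": "ip", "value": "not-an-ip", "confidence": 95},
]})

# Hypothetical user-set values, standing in for settings made in the platform UI.
THRESHOLDS = {"alert": 60, "block": 85}
NEVER_ACT_ON = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def normalize(kind, value):
    """Return a canonical indicator value, or None if it must not be acted on."""
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(value.strip())
        except ValueError:
            return None  # malformed value from the report parser
        # Internal addresses seen in a sandbox run must never reach a blocklist.
        return None if any(addr in net for net in NEVER_ACT_ON) else str(addr)
    if kind == "domain":
        return value.strip().rstrip(".").lower() or None
    return None


def route_indicators(report_json, thresholds=THRESHOLDS):
    """Split derived indicators into block / alert / hold lists by confidence."""
    best = {}
    for item in json.loads(report_json)["callouts"]:
        value = normalize(item["type"], item["value"])
        if value is not None:
            key = (item["type"], value)
            # Duplicate sightings keep the highest confidence seen.
            best[key] = max(best.get(key, 0), int(item["confidence"]))
    routed = {"block": [], "alert": [], "hold": []}
    for (kind, value), conf in sorted(best.items()):
        action = ("block" if conf >= thresholds["block"]
                  else "alert" if conf >= thresholds["alert"] else "hold")
        routed[action].append((kind, value, conf))
    return routed
```

The high-confidence 10.20.30.40 callout is dropped rather than blocked, which is the failure mode an exclusion list exists to prevent when sandboxed malware touches internal or resolver addresses.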

 

CUSTOM PROCESSING OF THREAT DATA AND INTELLIGENCE


However, you might wish to build your own or tweak existing applications. There are several reasons why you may want to do this. For instance:

  • If you have a custom, closed source of intelligence you want to ingest into ThreatConnect.
  • You may track adversary relevance in ThreatConnect based on a set of custom attributes and wish to automatically update those attributes based on incidents they are newly associated with.
  • You can chain multiple existing apps together and create custom triggers between them.

For processing intelligence with our API, what you can do with an app is limited only by your creativity. We support you with a growing library of open-source applications for you to tweak to your needs. With our fully supported and documented Java and Python SDKs, a Sandbox instance of ThreatConnect to build and test against, and support from our team with questions and troubleshooting as you go, we ensure you can easily customize ThreatConnect to your needs for ingestion, processing, analysis, and action on threat intelligence.

If you’ve built an application for processing intelligence, chances are others can benefit from it too. Developers are encouraged to share their code within the TC Exchange, get some kudos from their peers, and help others make intelligence-informed decisions about their security posture. All apps can be submitted by users to ThreatConnect. Once the app makes it through our thorough code and security review, we’ll make it available for download to other users and, if applicable, to be run in the ThreatConnect Public Cloud.

 

Not yet a customer you say?

 

No problem! We are opening up Developer Accounts for the purpose of developing custom applications for the ThreatConnect platform. If you have a great idea for an app, and are serious about building it, contact us at exchange@threatconnect.com.

 

We’re holding a contest for you to put our app development team to the test. Our Best App Idea Contest runs from August 24th through October 16th. Read more here to learn about the contest and rules. Users can send their ideas for the best app; the winner will get a free year’s subscription to ThreatConnect and, best of all, we’ll build that application for you!

 

There should no longer be a question of whether or not a commercial TIP can do what you need it to do. We’ve built ThreatConnect to be extensible to the needs of mature Fortune 500 & government security teams, as well as those just getting started with utilizing threat intelligence. The TC Exchange and application runtime environment are just the evolution of the trail we began blazing two years ago. We have not put our machetes away yet.

 


ABOUT THE AUTHOR

Andy is a community-respected analyst, innovator, and thought leader. He has over 15 years of experience working in the Intelligence and Computer Network Defense Communities from within the U.S. DoD and Fortune 500 companies. He brings his passion for intelligence-led defense to his role as Product Director for ThreatConnect. Andy is a co-founder of ThreatConnect, Inc. and is a co-author of “The Diamond Model for Intrusion Analysis”. Andy is a veteran of the U.S. Army, holds a Diploma in Chinese Mandarin and a Bachelor of Science from Excelsior University. He lives in Columbia, MD where he regularly climbs rocks and enjoys getting Thai Dynamite Chicken with his wife and three children.