Published in Luatix

Releasing an integration with the field: OpenCTI + Tanium Platform

Real-time visibility, detection and forensics capabilities, together with scalable control and remediation over all endpoints, are key success factors when it comes to reacting quickly to a security incident. That is the value proposition (among others) of the Tanium Platform.

Another of Tanium's strengths is that it accepts ad-hoc content from third-party products and organizations to enhance the built-in features of its detection engine, hunting sensors and reputation databases. The integration between OpenCTI and Tanium is built precisely on this flexibility and openness (read the Tanium blog post).

Tanium Platform overview

Developing the Tanium connector for the OpenCTI platform was conducted with three distinct objectives in mind:

  1. Bring Cyber Threat Intelligence knowledge from OpenCTI to Tanium in real time, for detection or hunting purposes.
  2. Give SOC / IR analysts the ability to quickly pivot from pieces of intelligence in OpenCTI to more contextual data held in Tanium.
  3. Automatically return hits on specific indicators or malicious patterns found in the IT environment to OpenCTI (as sightings).
High level implementation

Industrialized cyber threat hunting

When we speak about cyber threat hunting campaigns, it is important to remember that this concept covers two different and complementary approaches, whether run against the logs & telemetry data lake or at the endpoint level:

  • searching for specific fresh indicators or new signatures such as YARA, SIGMA or Tanium Signals;
  • exploratory research to find deviant or abnormal behaviours which could turn out to be malicious.

While exploratory research is part of the daily work of a SOC analyst, searching for indicators and signatures can be automated using a properly configured Threat Intelligence Platform. Conducting these campaigns against the logs / telemetry data lake is something organizations have already started to do, searching for patterns in “hot” indexes, with a retention period that varies with the volume of data.

Using OpenCTI to select indicators / signatures of Emotet of November 2020

The Tanium Threat Response module is responsible (among other things) for maintaining a “telemetry” database (the Recorder DB) at the endpoint level. This database contains events about processes, network connections, registry keys, files, etc., and includes process ancestry.

Using appropriate content and queries on these databases allows hunters to search for patterns and indicators in types of data that are not necessarily stored in the data lake, for instance because of cost. The hunting workload is also distributed across all endpoints, which allows campaign results to be displayed within a few minutes.

Retro-hunting and live hunting

The OpenCTI Tanium Connector

As you may know, a new type of connector was introduced in OpenCTI version 4, allowing developers to consume OpenCTI data directly from the Redis stream of events. With this approach, connectors process OpenCTI knowledge in real time. This is the case for the Synchronizer connector (which synchronizes an OpenCTI instance with multiple remote OpenCTI platforms in real time).

The OpenCTI Tanium Connector was built on this new concept, so all cyber threat intelligence data are synchronized in real time from OpenCTI to Tanium, based on criteria defined by the administrators:

  • the types of indicators to synchronize (STIX patterns, YARA, Tanium Signals, etc.);
  • the types of observables to synchronize (IPv4 addresses, domain names, file hashes, etc.);
  • a filter to import only indicators carrying a specific label (if the label is removed in OpenCTI, the entity is also deleted from Tanium);
  • a filter to import observables containing hashes that carry a specific label into the Reputation blacklist;
  • some quickscan settings.
Tanium connector configuration
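To make the filtering rules above concrete, here is an added, self-contained Python example (not the connector's own code and not the pycti or Tanium SDK API). It models a stream consumer that receives create / update / delete events, applies the label and type filters, and mirrors the result into a fake Tanium client: indicators of an allowed pattern type go to an intel store, hash-bearing observables go to a reputation blacklist, and an update that drops the configured label (or a delete) removes the entity from Tanium. The message shape (an event type plus a JSON body whose `data` key holds the STIX object), the `labels` field on observables and the `FakeTaniumClient` are assumptions made for this example; the sample events are constructed, not real data.

```python
import json
from typing import Any, Dict, Iterable, List, Set, Tuple


class FakeTaniumClient:
    """Stand-in for a Tanium API client (assumption, not the real SDK): it only
    records what the connector would create or delete, so the logic runs offline."""

    def __init__(self) -> None:
        self.intel: Dict[str, Dict[str, Any]] = {}  # Threat Response intel docs, keyed by OpenCTI id
        self.reputation: Dict[str, str] = {}        # blacklisted hash -> OpenCTI id that introduced it

    def upsert_intel(self, entity_id: str, doc: Dict[str, Any]) -> None:
        self.intel[entity_id] = doc

    def delete_intel(self, entity_id: str) -> None:
        self.intel.pop(entity_id, None)

    def blacklist(self, entity_id: str, hashes: Iterable[str]) -> None:
        for h in hashes:
            self.reputation[h.lower()] = entity_id

    def unblacklist(self, entity_id: str) -> None:
        self.reputation = {h: i for h, i in self.reputation.items() if i != entity_id}


class StreamSync:
    """Mirror OpenCTI stream events into Tanium according to the admin-defined filters."""

    def __init__(self, client: FakeTaniumClient, label: str = "tanium",
                 indicator_types: Tuple[str, ...] = ("stix", "yara", "tanium-signal"),
                 observable_types: Tuple[str, ...] = ("StixFile",)) -> None:
        self.client = client
        self.label = label
        self.indicator_types = set(indicator_types)
        self.observable_types = set(observable_types)
        self.synced: Set[str] = set()  # ids already pushed, so later updates/deletes can be mirrored

    def _wanted(self, entity: Dict[str, Any]) -> bool:
        # Both filters require the configured label; its absence (or removal) means "not in Tanium".
        if self.label not in entity.get("labels", []):
            return False
        if entity["type"] == "indicator":
            return entity.get("pattern_type") in self.indicator_types
        # Only observables carrying hashes can go to the Reputation blacklist.
        return entity["type"] in self.observable_types and bool(entity.get("hashes"))

    def _push(self, entity: Dict[str, Any]) -> None:
        eid = entity["id"]
        if entity["type"] == "indicator":
            self.client.upsert_intel(eid, {
                "name": entity.get("name", eid),
                "pattern_type": entity["pattern_type"],
                "pattern": entity["pattern"],
                "labels": sorted(entity.get("labels", [])),
            })
        else:
            self.client.blacklist(eid, entity["hashes"].values())
        self.synced.add(eid)

    def _remove(self, entity_id: str) -> None:
        self.client.delete_intel(entity_id)
        self.client.unblacklist(entity_id)
        self.synced.discard(entity_id)

    def handle(self, event_type: str, raw: str) -> str:
        """Process one stream message; return the action taken (useful for logging and tests)."""
        entity = json.loads(raw)["data"]
        eid = entity["id"]
        if event_type == "delete":
            if eid in self.synced:
                self._remove(eid)
                return "removed"
            return "ignored"
        if event_type not in ("create", "update"):
            raise ValueError("unknown stream event type: %s" % event_type)
        if self._wanted(entity):
            self._push(entity)
            return "pushed"
        if eid in self.synced:
            self._remove(eid)  # e.g. the label was removed in OpenCTI: delete it from Tanium too
            return "removed"
        return "ignored"


def run_demo() -> Tuple[FakeTaniumClient, List[str]]:
    """Replay a constructed sequence of stream events and return the resulting Tanium state."""
    client = FakeTaniumClient()
    sync = StreamSync(client)
    ind = {"type": "indicator", "id": "indicator--1", "name": "C2 address", "pattern_type": "stix",
           "pattern": "[ipv4-addr:value = '198.51.100.7']", "labels": ["emotet", "tanium"]}
    yara = {"type": "indicator", "id": "indicator--3", "name": "dropper rule", "pattern_type": "yara",
            "pattern": "rule dropper { condition: true }", "labels": ["tanium"]}
    sigma = {"type": "indicator", "id": "indicator--2", "name": "sigma rule", "pattern_type": "sigma",
             "pattern": "title: x", "labels": ["tanium"]}  # labelled, but type not configured
    fil = {"type": "StixFile", "id": "file--1", "labels": ["tanium"], "hashes": {"SHA-256": "A" * 64}}
    events = [
        ("create", ind), ("create", yara), ("create", sigma), ("create", fil),
        ("update", {**ind, "labels": ["emotet"]}),  # label removed in OpenCTI
        ("delete", sigma),                           # never synced, so nothing to remove
    ]
    actions = [sync.handle(kind, json.dumps({"data": obj})) for kind, obj in events]
    return client, actions
```

The `synced` set is what makes the "label removed means deleted from Tanium" rule work: an update event only says what the entity looks like now, so the consumer has to remember what it previously pushed to know that a removal is due.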

In OpenCTI, data can be added manually by users of the platform but in most cases, the knowledge is coming from various sources (“Import connectors”) and ingested by n workers in parallel.

OpenCTI Tanium connector workflow

When the connector is launched, it automatically creates a specific Source workbench within the Tanium platform:

Open Source created by the connector

If an indicator or an observable is tagged with the configured label in OpenCTI, it is automatically imported in this workbench (with its associated labels):

List of indicators imported from OpenCTI
The YARA rule in Tanium

If you would like to use this connector, it is available directly in the OpenCTI connectors repository. You can read more on the Tanium blog post.

Go find something awesome!
