Releasing an integration with the field: OpenCTI + Tanium Platform
Real-time visibility, detection and forensics capabilities, as well as scalable control and remediation over all endpoints, are key success factors when it comes to reacting quickly to a security incident. That’s the value proposition (among others) of the Tanium Platform.
Another of Tanium’s strengths is that it allows ad-hoc content from third-party products and organizations to enhance the built-in features of its detection engine, hunting sensors and reputation databases. The integration between OpenCTI and Tanium is built precisely on this flexibility and openness (read the Tanium blog post).
The Tanium connector for the OpenCTI platform was developed with three distinct objectives in mind:
- Bring Cyber Threat Intelligence knowledge from OpenCTI to Tanium in real time, for detection or hunting purposes.
- Give SOC / IR analysts the ability to quickly pivot from pieces of intelligence to more contextual data, from Tanium to OpenCTI.
- Automatically return hits on specific indicators or malicious patterns from the IT environment to OpenCTI (sightings).
Industrialized cyber threat hunting
When we speak about cyber threat hunting campaigns, it’s important to remember that this concept covers two different and complementary approaches, whether using the logs & telemetry data lake or working at the endpoint level:
- searching for specific fresh indicators or new signatures such as YARA, SIGMA or Tanium Signals;
- exploratory research to find deviant or abnormal behaviors which could turn out to be malicious.
While exploratory research is part of the daily work of a SOC analyst, the search for indicators and signatures can be automated using a properly configured Threat Intelligence Platform. Conducting these campaigns on the logs / telemetry data lake is something organizations have already started to do, searching for patterns against “hot” indexes, whose retention period varies with the volume of data.
The Tanium Threat Response module is responsible for maintaining a “telemetry” database (Recorder DB) at the endpoint level (among other things). This database contains events about processes, network connections, registry keys, files, etc., and includes process ancestry.
Using appropriate content and queries on these databases allows hunters to search for patterns and indicators in types of data that are not necessarily stored in the data lake, for instance because of cost. Moreover, the hunting workload is distributed across all endpoints, which allows campaign results to be displayed within a few minutes.
The OpenCTI Tanium Connector
As you may know, a new type of connector was introduced in OpenCTI Version 4, allowing developers to directly consume OpenCTI data from the Redis stream of events. With this approach, connectors process OpenCTI knowledge in real time. This is the case of the Synchronizer connector (which provides the ability to synchronize an OpenCTI instance in real time with multiple remote OpenCTI platforms).
The OpenCTI Tanium Connector was built on this new concept, so all cyber threat intelligence data is synchronized in real time from OpenCTI to Tanium, based on criteria defined by the administrators:
- the type of indicators to synchronize (STIX patterns, YARA, Tanium Signals, etc.);
- the type of observable to synchronize (IPv4 Addresses, Domain Names, File hashes, etc.);
- a filter to import only indicators with a specific label (if the label is removed in OpenCTI, the entity will also be deleted from Tanium);
- a filter to import observables containing hashes that carry a specific label into the Reputation blacklist;
- some quickscan configuration options.
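As an added illustration (not the connector’s own code), the following Python sketches how such label- and type-based criteria can be applied to stream events, including the rule that a label removed in OpenCTI triggers a deletion on the Tanium side. The configuration keys, the simplified event shape, the sample events and the `decide` / `sync_plan` names are assumptions made for this example.

```python
# Hypothetical administrator configuration mirroring the options listed above.
CONFIG = {
    "indicator_types": {"stix", "yara", "tanium-signal"},  # pattern types pushed as intel
    "observable_types": {"file", "ipv4-addr", "domain-name"},
    "intel_label": "tanium",          # label that selects entities for Tanium intel
    "reputation_label": "blacklist",  # label that sends hashed files to the reputation list
}

# Constructed sample events (simplified: the real stream also carries id, origin, ...).
EVENTS = [
    ("create", {"type": "indicator", "pattern_type": "yara", "labels": ["tanium"], "name": "rule_a"}),
    ("create", {"type": "indicator", "pattern_type": "sigma", "labels": ["tanium"], "name": "rule_b"}),
    ("update", {"type": "file", "labels": [], "hashes": {"SHA-256": "00"}, "name": "evil.exe"}),
    ("delete", {"type": "domain-name", "labels": ["tanium"], "value": "example.com"}),
]

def decide(event, obj, cfg=CONFIG):
    """Return [(action, destination)] for one event; action is 'upsert' or 'delete'."""
    labels, kind = set(obj.get("labels", [])), obj.get("type")
    targets = []  # (destination, whether the configured label is currently present)
    if kind == "indicator" and obj.get("pattern_type") in cfg["indicator_types"]:
        targets.append(("intel", cfg["intel_label"] in labels))
    elif kind in cfg["observable_types"]:
        targets.append(("intel", cfg["intel_label"] in labels))
        if obj.get("hashes"):  # only hashed observables fit a reputation list
            targets.append(("reputation", cfg["reputation_label"] in labels))
    actions = []
    for dest, wanted in targets:
        if event == "delete" or (event == "update" and not wanted):
            actions.append(("delete", dest))  # removed in OpenCTI, or label dropped
        elif wanted:
            actions.append(("upsert", dest))  # label present: create/refresh in Tanium
    return actions

def sync_plan(events, cfg=CONFIG):
    """Map a batch of (event, object) pairs to ordered Tanium-side operations."""
    return [(action, dest, obj.get("name") or obj.get("value"))
            for event, obj in events for action, dest in decide(event, obj, cfg)]
```

Running `sync_plan(EVENTS)` drops the SIGMA rule (type not configured), pushes the YARA rule, and emits deletions for the file whose label was removed and for the deleted domain.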
In OpenCTI, data can be added manually by users of the platform, but in most cases the knowledge comes from various sources (“Import connectors”) and is ingested by n workers in parallel.
When the connector is launched, it automatically creates a specific Source workbench within the Tanium platform:
If an indicator or an observable is tagged with the configured label in OpenCTI, it is automatically imported in this workbench (with its associated labels):
Go find something awesome!