2.1.7. Active CTI engine

2.1.7.1. CTI module overview

The CTI module uses Indicators Of Compromise (IOC) to generate alerts.
The CTI module is composed of:
  • A database of Indicators Of Compromise named Gatewatcher CTI

  • The Active CTI engine: it generates Sigflow rules on the basis of the database of Indicators Of Compromise in order to raise alerts

  • The Retro hunt engine: it searches for the Indicators Of Compromise (defined in the database) in the metadata corresponding to the network flows captured by Sigflow

Note

An additional license is required to activate this module. It is therefore not automatically activated in the solution.


2.1.7.2. Introduction

2.1.7.2.1. For what types of threats is this engine designed?

The Active CTI engine is designed to detect:

  • Malicious URLs

  • Malicious domain names


2.1.7.2.2. How does this particular engine detect threats?

The Active CTI engine generates specific Sigflow rules based on the indicators of compromise of the Gatewatcher CTI platform.
These rules configure the Sigflow engine to raise an alert whenever it finds a malicious URL or domain name in the network traffic it monitors.

2.1.7.2.3. How does Active CTI work in the GCenter?

GCenter regularly receives indicators of compromise from the Gatewatcher CTI platform.
Based on this information, the Active CTI engine produces new Sigflow rules daily.
These rules are grouped in a new source named 'Active_CTI' and can therefore be included in a ruleset with other rule sources.
This ruleset is then integrated into the GCap profile sent to the Sigflow engine to configure it.
The Sigflow engine raises an alert whenever one of these rules matches the monitored flow.
When an alert is raised, it is displayed in the various dashboards: NDR and Kibana.
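The step "indicators of compromise in, Sigflow rules out" is the core of the engine, so here is an added worked example of that transformation. It is not Gatewatcher's code and does not reproduce the real Active_CTI rule source: it assumes that Sigflow rules follow the Suricata rule syntax (version 5+ keywords such as `dns.query`, `http.host`, `tls.sni`, `bsize`, `startswith`), and the `Active_CTI` message prefix, the classtype and the SID range are placeholders chosen for the example. The sample indicators are constructed.

```python
"""Added illustration (not Gatewatcher's code): turning indicators of
compromise into Sigflow-style detection rules.

Assumptions, chosen for this example only:
  * Sigflow rules follow the Suricata rule syntax (version 5+ keywords
    such as dns.query, http.host, tls.sni, bsize, startswith).
  * The 'Active_CTI' msg prefix, the classtype and the SID range are
    placeholders; the real rule source may format rules differently.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Ioc:
    kind: str   # "domain" or "url"
    value: str  # the indicator as delivered by the CTI feed


def _escape(s: str) -> str:
    """Escape the characters that are special inside a rule string."""
    return s.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def domain_rule(domain: str, sid: int) -> str:
    """Exact match on the DNS query name.

    bsize pins the buffer length so 'evil.example' does not also fire on
    'notevil.example'; nocase because DNS names are case-insensitive.
    """
    d = domain.strip().lower().rstrip(".")
    if not d:
        raise ValueError("empty domain indicator")
    return (
        f'alert dns $HOME_NET any -> any any '
        f'(msg:"Active_CTI malicious domain {_escape(d)}"; '
        f'dns.query; content:"{_escape(d)}"; nocase; bsize:{len(d)}; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def url_rule(url: str, sid: int) -> str:
    """Match a URL indicator.

    For http:// the host header and the request URI are both visible, so
    the rule checks both. For https:// the path is encrypted; only the
    server name in the TLS handshake (SNI) can be matched, so the rule
    degrades to a host-only TLS rule and says so in its msg.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError(f"unsupported URL indicator: {url!r}")
    if parts.scheme == "https":
        return (
            f'alert tls $HOME_NET any -> any any '
            f'(msg:"Active_CTI malicious URL {_escape(url)} (TLS SNI only)"; '
            f'tls.sni; content:"{_escape(host)}"; nocase; bsize:{len(host)}; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)'
        )
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    # http.host is already lowercase-normalised by Suricata, so no nocase.
    return (
        f'alert http $HOME_NET any -> any any '
        f'(msg:"Active_CTI malicious URL {_escape(host + uri)}"; '
        f'http.host; content:"{_escape(host)}"; bsize:{len(host)}; '
        f'http.uri; content:"{_escape(uri)}"; startswith; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def rules_from_iocs(iocs, first_sid: int = 9000001) -> list:
    """One rule per indicator, SIDs allocated sequentially."""
    rules = []
    for offset, ioc in enumerate(iocs):
        sid = first_sid + offset
        if ioc.kind == "domain":
            rules.append(domain_rule(ioc.value, sid))
        elif ioc.kind == "url":
            rules.append(url_rule(ioc.value, sid))
        else:
            raise ValueError(f"unsupported indicator type: {ioc.kind!r}")
    return rules


# Constructed sample feed (placeholder indicators, not real IOCs).
SAMPLE_IOCS = [
    Ioc("domain", "Evil.Example."),
    Ioc("url", "http://Evil.Example/dropper.php?id=1"),
    Ioc("url", "https://evil.example/payload"),
]

if __name__ == "__main__":
    for rule in rules_from_iocs(SAMPLE_IOCS):
        print(rule)
```

Two design points matter for false positives: the domain and host contents are length-pinned with `bsize` so a feed entry only fires on that exact name, and an `https://` URL indicator is deliberately reduced to its host, because the path is never visible to a passive sensor.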

2.1.7.3. Events generated

Events generated by the engine are alerts of the Sigflow type.
They will therefore be available in the ACTIVE CTI dashboards.
These are displayed:
  • In the main interface named WEB UI of the GCenter in the `Alerts` screen
    The main interface named WEB UI is described in Overview of the WEB UI.
    • To view the alerts, select the `Active CTI` engine filter.
      See the presentation of the Web UI `Alerts`.
    • Click on the selected alert.
      The `Alert details` window is displayed with the detailed information of this alert.
  • In the Kibana UI
    • In the main interface named WEB UI, click on the `Hunting` icon.
      The interface displayed is the interface named Kibana UI (described in Overview of the Kibana GUI).
    • Click on the `Active CTI` category of the `Alerts` section, then the `Overview` or `Messages` tab.
      The detailed information of this alert can be viewed in table or JSON format.
      Active CTI alerts can be filtered by entering `event.module: active_cti` in the Kibana search bar.

2.1.7.3.1. Example of an Active CTI alert in the WebUI

The presentation of the Alert details is given in the Alert details window.
The counters are given in the Active CTI logs data structure.

2.1.7.3.2. Active CTI logs data structure

The logs are composed of different parts:

  • The leading part

  • The source part defined by "_source"

  • The field portion defined by "_fields"


2.1.7.3.2.1. The header part of Active CTI logs

The header section contains:

"_index": "engines_alerts-2024.11.26-2",
"_id": "q5zQZ5MBe7Ggdfg2fx7DG",
"_version": 1,
"_score": 0,

The detailed information is given in the table (Counters of the header part of logs).


2.1.7.3.2.2. The source part of Active CTI

The source part is defined by "_source" in the logs.

Note

The data displayed in the Web UI (`Alert details` window) is a subset of the data displayed in the Extended document on the Kibana interface.
All data can be exported to a SIEM via syslog (an example of an exported alert is shown).
The detailed information is given in the tables (Data related to detection results).
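To make the three-part layout concrete, here is an added example that splits one exported alert document into its header, `_source` and fields parts and applies the same `event.module: active_cti` criterion used in the Kibana search bar. This is not Gatewatcher's code and the sample document is constructed: only the header keys (`_index`, `_id`, `_version`, `_score`), the `_source` part and the `active_cti` module value come from this documentation. The part the documentation calls `"_fields"` is accepted under both that spelling and the usual Elasticsearch key `fields`; the keys inside `_source` (`alert.signature`, `dns.query`, `source.ip`) are assumed names, not the real schema.

```python
"""Added illustration (not Gatewatcher's code): splitting an exported
Active CTI alert document into header, _source and fields parts, and
filtering on event.module as the Kibana search bar does.

Assumptions: the sample document is constructed. Only the header keys,
the "_source" part and the value 'active_cti' come from the
documentation; the keys inside _source are assumed names.
"""
import json

HEADER_KEYS = ("_index", "_id", "_version", "_score")
FIELDS_KEYS = ("_fields", "fields")   # documentation spelling, then ES spelling

# Constructed sample alert; the _id is a placeholder.
SAMPLE_ALERT = json.dumps({
    "_index": "engines_alerts-2024.11.26-2",
    "_id": "EXAMPLE-ID-0001",
    "_version": 1,
    "_score": 0,
    "_source": {
        "event": {"module": "active_cti", "kind": "alert"},
        "alert": {"signature": "Active_CTI malicious domain evil.example"},
        "dns": {"query": "evil.example"},
        "source": {"ip": "10.0.0.5"},
    },
    "fields": {"@timestamp": ["2024-11-26T10:15:00.000Z"]},
})


def get_path(data: dict, dotted: str):
    """Look up 'a.b.c' whether the document nests objects or stores the
    dotted key flat (both occur in Kibana exports). Returns None if absent."""
    if dotted in data:
        return data[dotted]
    node = data
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def split_alert(doc: str) -> dict:
    """Split one exported document into its header, source and fields parts."""
    data = json.loads(doc)
    missing = [k for k in HEADER_KEYS if k not in data]
    if missing:
        raise ValueError(f"not an alert document, missing header keys: {missing}")
    fields = next((data[k] for k in FIELDS_KEYS if k in data), {})
    return {
        "header": {k: data[k] for k in HEADER_KEYS},
        "source": data.get("_source", {}),
        "fields": fields,
    }


def is_active_cti(source: dict) -> bool:
    """Equivalent of the Kibana filter `event.module: active_cti`."""
    return get_path(source, "event.module") == "active_cti"


def summarize(doc: str) -> dict:
    """Compact view of one alert, roughly what an alert details view shows."""
    parts = split_alert(doc)
    src = parts["source"]
    timestamps = get_path(parts["fields"], "@timestamp") or [None]
    return {
        "id": parts["header"]["_id"],
        "index": parts["header"]["_index"],
        "module": get_path(src, "event.module"),
        "signature": get_path(src, "alert.signature"),
        "indicator": get_path(src, "dns.query") or get_path(src, "http.hostname"),
        "source_ip": get_path(src, "source.ip"),
        "timestamp": timestamps[0],
    }


def filter_active_cti(docs) -> list:
    """Keep only the Active CTI alerts from a list of exported documents."""
    return [d for d in docs if is_active_cti(split_alert(d)["source"])]


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_ALERT), indent=2))
```

The `get_path` helper accepts both nested objects and flat dotted keys because a document copied from the Kibana `Messages` tab and one exported over syslog do not always use the same shape; a SIEM parser that only handles one of them silently drops the other.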

2.1.7.4. Management of the engine

2.1.7.4.1. Viewing the engine status

The current engine status is displayed in `Health checks` screen.


2.1.7.4.2. CTI update

2.1.7.4.2.1. The database of indicators of compromise

If a malicious file was not detected as such by Malcore during its analysis (for example because it was too recent for the Malcore antivirus database), an alert is still raised if one of the indicators matches the hash of that file in the metadata.

Note

The correlation between indicators and metadata depends on the data retention time configured on the GCenter: only metadata still retained can be matched.

Match analysis between indicators and metadata is triggered when the indicator database is updated.
The only way to trigger the match analysis on demand is therefore to update the database of indicators of compromise manually.
This database of indicators of compromise is included in the cti.gwp file.
There are three ways to update this database:
  • Manual update with the cti.gwp package
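The two paragraphs above describe a match between an indicator database and stored metadata whose result depends on the retention window. The following added example (not Gatewatcher's code) runs that match on constructed data so the retention caveat is visible: the same indicator list produces one hit with a 7-day window and two with a 30-day window. Record layouts, field names and all sample values are constructed for the example; the real metadata schema is not described on this page.

```python
"""Added illustration (not Gatewatcher's code) of the match analysis
between the indicator database and stored metadata, including the
retention-time caveat.

Assumptions: record layouts, field names and all sample values are
constructed for this example; the real metadata schema is not described
on this page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Indicator:
    kind: str    # "sha256", "domain" or "url"
    value: str


@dataclass(frozen=True)
class MetadataRecord:
    timestamp: datetime  # when the flow was captured
    kind: str            # same vocabulary as Indicator.kind
    value: str           # file hash, queried domain, requested URL ...
    src_ip: str


def normalize(kind: str, value: str) -> str:
    """Canonical form so feed and capture spellings compare equal."""
    v = value.strip()
    if kind in ("sha256", "domain"):
        v = v.lower()
    if kind == "domain":
        v = v.rstrip(".")
    return v


def build_index(indicators) -> dict:
    """(kind, normalized value) -> Indicator, for O(1) lookups."""
    return {(i.kind, normalize(i.kind, i.value)): i for i in indicators}


def retro_hunt(indicators, metadata, now: datetime, retention: timedelta) -> list:
    """Return (record, indicator) pairs for every retained record that
    matches an indicator.

    Records older than `now - retention` are treated as already purged by
    the GCenter and are skipped: a flow that left the retention window
    before the matching indicator arrived can no longer raise an alert.
    """
    cutoff = now - retention
    index = build_index(indicators)
    hits = []
    for rec in metadata:
        if rec.timestamp < cutoff:
            continue
        key = (rec.kind, normalize(rec.kind, rec.value))
        if key in index:
            hits.append((rec, index[key]))
    return hits


# Constructed sample data (placeholder hash, not a real malware sample).
FAKE_SHA256 = "ab" * 32
SAMPLE_INDICATORS = [
    Indicator("sha256", FAKE_SHA256.upper()),
    Indicator("domain", "Evil.Example."),
]
NOW = datetime(2024, 11, 26, 12, 0, tzinfo=timezone.utc)
SAMPLE_METADATA = [
    MetadataRecord(NOW - timedelta(days=1), "sha256", FAKE_SHA256, "10.0.0.5"),
    MetadataRecord(NOW - timedelta(days=16), "domain", "evil.example", "10.0.0.9"),
    MetadataRecord(NOW - timedelta(days=2), "domain", "benign.example", "10.0.0.7"),
]


def hits_with_retention(days: int) -> list:
    """Run the sample hunt with a given retention window in days."""
    return retro_hunt(SAMPLE_INDICATORS, SAMPLE_METADATA, NOW, timedelta(days=days))


if __name__ == "__main__":
    for days in (7, 30):
        found = hits_with_retention(days)
        print(f"retention {days} days: {len(found)} match(es)")
        for rec, ind in found:
            print(f"  {rec.timestamp.isoformat()} {rec.src_ip} {ind.kind}={ind.value}")
```

The domain visited 16 days ago is only found with the longer window; with 7 days of retention that flow has already been purged when the indicator arrives, which is exactly the situation the note above warns about.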

  • Online update: the download is performed periodically based on the package posted by Gatewatcher

  • Local update: the download is performed periodically based on the package in the local repository.

The update frequency depends on the threat db update parameters.

Note

To make the best use of the database update in `Local` mode, the local repository must retrieve the cti.gwp package every hour.
Otherwise, the update and the match search are only performed at the frequency with which the package is retrieved from the local repository.

2.1.7.4.2.2. The Active CTI engine update

The engine is updated with each new version of the GCenter.


2.1.7.4.3. Active CTI configuration

The configuration interface is used:

  • To activate the Active CTI engine

  • To modify the engine parameters

The management interface is described in `Active CTI` screen.
The procedure is described in Setting up the Active CTI engine.

2.1.7.5. Alert Analysis

The alerts are displayed on a specific screen: this screen is described in Web UI `Alerts`.
The general procedure for analyzing alerts is described in Using of NDR dashboards.
The specific procedure for analyzing Active CTI alerts is described in Analysing the Active CTI alerts.