The Sophos 2023 Threat Report highlights how modern attackers are becoming increasingly organized as the cybercrime economy continues to transform into an industry. A major opportunity whereby defenders can better protect against new “malware-as-a-service” is by sharing threat intelligence.
This is one of the core tenets of Sophos’ security philosophy and a vision behind the SophosLabs Intelix platform. From supporting the initiative of releasing the largest-ever production scale malware research dataset for the general security community to providing access to powerful threat analysis functionality of the Intelix platform to CompTIA members, Sophos has demonstrated a significant commitment to innovate and collaborate for cyber threat intelligence efforts.
Understanding the integration with OpenCTI
After extending the Intelix platform’s threat intelligence and analysis functionality to MISP, ThreatQuotient, and CompTIA’s ISAO, we’ve added another way for customers to consume our threat intelligence: through integration with OpenCTI.
OpenCTI is an open-source and freely accessible platform that allows security practitioners and security teams to manage, ingest, and normalize valuable cyber threat intelligence. This includes knowledge about various threat actors’ current TTPs and behaviors, ongoing malicious campaigns, and the monitoring of new malware threats and vulnerabilities.
ANSSI, the French national agency for information systems security, and the Computer Emergency Response Team for the EU (CERT-EU) remain the primary contributors to the OpenCTI project. It has been built to structure, store, organize, and visualize technical and non-technical information about cyber threats. Find out more about OpenCTI by watching this video.
Integration with SophosLabs Intelix will provide the OpenCTI community with easy-to-understand threat intelligence that fosters better-informed security decisions for a wide range of threat artifacts, including files, web pages, and IP addresses, covering both known threats and previously unseen risks.
The example below shows the OpenCTI dashboard, where a user is drawing on SophosLabs Intelix threat intelligence to enrich file and URL data.
The highlighted selection in the left column, labelled “Observations,” represents observables: stateful properties such as a file's hash or the reputation data looked up for a URL. When combined with contextual or actionable threat intelligence sources like the Intelix platform, such observables help identify indicators of compromise (IOCs) for various threat artifacts.
The illustration below shows how integrating SophosLabs Intelix threat intelligence gives OpenCTI users more drill-down data.
As threats and IT tooling grow in sophistication and complexity, security practitioners and threat researchers get little help from text-intensive, semi-structured threat intelligence data. By combining SophosLabs Intelix's accurate and actionable threat intelligence with OpenCTI's interactive visual analytics, security professionals can significantly aid threat detection, investigation, and response actions.
To use Intelix data in the OpenCTI environment, users need to add their SophosLabs Intelix API key (obtained from AWS Marketplace) to the OpenCTI configuration for enrichments.
If you have any questions, please post a comment below or reach out to me directly.