We have taken a stand in the past relative to STIX and TAXII. We believe that these are at the top of the list when it comes to cyber intelligence interoperability. Sadly, there are not yet a lot of devices that accept STIX files. There are more today than there were yesterday, though, and there will be more tomorrow. So the trend is in the right direction. What is needed, among other things, to push this along, though, is a growing collection of devices that can both consume and create STIX files. This month's First Look is exactly that. And it is exactly that on steroids.
The EclecticIQ Platform addresses STIX head on. We have been watching the evolution of this tool for a while and for what it is intended there is pretty much nothing around that can beat it. What it does is act as a "combiner" (our unofficial term) for a large number of cyber threat analysis sources. It then applies a lot of smarts to analysis, correlation and normalization of the data. It supports a variety of formats - including STIX 1.0, 1.1.1, & 1.2, XML and JSON, PDF and text.
One of the features that we particularly liked is that the tool is characterized as "analyst-centric." There are a lot of tools of various types that can do a good job of assisting analysis but not quite as many that do everything from the perspective of the threat intelligence analyst rather than the information security professional. As you browse through the screens and reports, one of the first things that you'll notice is that they present information in an easily consumable way. You don't need to be a network or IT security guru. In fact, in some regards, it's better if you aren't. Either way, this is a solid collaborative tool so - at some level - just about everyone can play and get solid benefit.
One of the real strengths of the EclecticIQ Platform is its ability to consume a wide variety of feeds, both open and closed source. On the closed source side, it works with Intel 471, giving it a solid actor-centric intelligence source. We are partial to Intel 471 since we have been using it in the SC Labs for more than a year. Having an actor-centric hub for threat analysis provides a wider look at the issues that surround the actor. For example, there are multiple types of actors in the underground. Some write code, some find zero-days, some sell exploits, some breach systems and steal credit, while others sell the cards. Fanning out from the actors one gets a good picture of their activities and the chains of events they trigger.
We dropped into the dashboard and, as one would expect, we got a broad picture of threat activity from the actor perspective. Then we took a look at the available feeds. We had several incoming feeds and we can add more. Drilling down we can adjust what feeds we have. EclecticIQ provides lots of feeds but if something is missing you can add your own. This is especially useful if you have a proprietary feed that your organization is generating.
Data fusion is extensive and given a starting point you can develop a solid picture of an actor's activities and how they might relate to your organization. We took an actor that has been in the news lately: CozyDuke. We not only got a graph that reminded us of a link analysis but we got several indicators of compromise that we could use to strengthen our defenses. CozyDuke is related to OnionDuke, so we took a bit of a side trip and got more IoCs, including some specific command-and-control information.
Of course we were concerned about what it was able to do in our environment. A little more drilling and we found ourselves in a full-fledged threat hunt. A new feature is the dif capability so we could see how the threat had progressed through our enterprise, if at all. That is just part of the ability the tool has to help you smarten up your analysis. There are a lot of enrichment options and you can create your own rules. With merge actions you can de-duplicate your data if you wish (you may have a reason not to, but mostly we like unique data for analysis purposes).
We really like this tool and we've been following it long enough that we feel comfortable designating it SC Lab Approved. We'll slot it into our threat hunting stack and add one more dimension to our analysis capabilities that appear in the Threat Hunter Blog.
At a Glance
Product EclecticIQ Platform
Price Depends on configuration.
What it does Cyber threat intelligence analysis.
What we liked This is a solid tool with a huge amount of capability in an analyst-centric user environment. We really like the large number of intelligence feeds that it can handle, its solid analysis capabilities and, especially, its use of STIX and TAXII.
The bottom line Even if you already have some threat analysis tools in your security stack, you should take a very close look at the EclecticIQ Platform. It is quite likely to add yet another dimension to your analysis, almost no matter what else you are using with it. Your threat intelligence analysts will love it. We make this SC Lab Approved for 2017.