stmtstk edited this page Jan 22, 2024 · 17 revisions

Seamless Threat Intelligence Platform (S-TIP)

Seamless Threat Intelligence Platform enables better incident response and information sharing, which brings down barriers between separate practices of CTI sharing.

S-TIP is built around a very simple but extremely powerful concept: convert any CTI into a STIX file or a set of STIX files, send them around, and create different views dynamically from those STIX files.

STIX/TAXII Support

  • STIX 1.1/1.2/2.0/2.1
  • TAXII 1.1/2.0/2.1 Client and TAXII 1.1/2.1 Server

S-TIP Architecture

S-TIP consists of four main modules,

  1. Common
  2. RS
  3. SNS
  4. GV

and two optional modules for TAXII 1.1 and 2.1 Servers.

  1. TXS (TAXII 1.1 Server)
  2. TXS2 (TAXII 2.1 Server)

This article explains the four main modules. The following figure shows how those modules are organized to form S-TIP as a whole.

S-TIP Architecture

1. Common

Common hosts the functionality shared by the other S-TIP modules.

2. RS (Repository System)

RS is the store and transport hub for STIX files. It uses MongoDB to store STIX 1.x and STIX 2.x data. RS serves as a TAXII client: it can connect to TAXII servers to download STIX files. (RS also acts as a TAXII server, using OpenTAXII.)

RS List view

Adapters for CTI sources / 3rd party tools

  • AlienVault OTX
  • MISP
  • iSIGHT Partners

DHS AIS Support

The S-TIP TAXII client supports receiving STIX from the DHS AIS (Automated Indicator Sharing) program.

REST API

See the REST API.

3. SNS (Social Networking Service)

SNS provides a social media interface for human users. It uses bootcamp internally.


Note that both Human CTI and System CTI appear in the same timeline.

A user creates a new post with a Title, Content, Attachment files (e.g. a CSV of indicators), a TLP, and a Sharing Range. The post is automatically converted to a STIX file and stored in RS.

CTI Element Extractor

S-TIP tries to extract IoCs and other elements such as CVEs from the post and its attachments. Currently, it extracts:

  • Domain names
  • Email addresses
  • File names
  • IPv4 addresses
  • MD5/SHA1/SHA256/SHA512 hash values
  • URLs

TLP

The TLP marking (Red/Amber/Green/White) is saved in the STIX file.
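The post-to-STIX conversion described above, with the element kinds the extractor lists and the TLP carried into the STIX file, as an added example that is not S-TIP's own code: a small extractor that pulls IoCs from the post text and attachment contents and emits a STIX 2.1 bundle of indicators marked with the post's TLP. The regexes and the sample post are constructed for this example; the TLP marking-definition ids are the fixed ones defined in the STIX 2.1 specification.

```python
import re
import uuid
from datetime import datetime, timezone

# TLP marking-definition ids fixed by the STIX 2.1 specification
TLP_IDS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-dabe-4e70-9f0a-27c97ff6ee88",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}

# Element kinds the page lists, as (STIX object path, constructed regex). Order
# matters: each match is cut out of the working text before the next pass, so the
# host inside a URL or e-mail address is not extracted again as a bare domain.
PATTERNS = [
    ("url:value", r"\bhttps?://[^\s\"'<>]+"),
    ("email-addr:value", r"\b[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}\b"),
    ("file:hashes.'SHA-512'", r"\b[0-9a-fA-F]{128}\b"),
    ("file:hashes.'SHA-256'", r"\b[0-9a-fA-F]{64}\b"),
    ("file:hashes.'SHA-1'", r"\b[0-9a-fA-F]{40}\b"),
    ("file:hashes.MD5", r"\b[0-9a-fA-F]{32}\b"),
    ("file:name", r"\b[\w-]+\.(?:exe|dll|docx?|xlsx?|pdf|js|zip|scr)\b"),
    ("ipv4-addr:value", r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    ("domain-name:value", r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b"),
]

def extract_elements(text):
    """Return (object_path, value) pairs found in post text or attachments."""
    found, work = [], text
    for path, regex in PATTERNS:
        found += [(path, v) for v in re.findall(regex, work)]
        work = re.sub(regex, " ", work)          # drop consumed spans
    return found

def post_to_bundle(title, content, attachments, tlp):
    """Turn a post (title/content/attachment texts/TLP) into a STIX 2.1 bundle."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    elements = extract_elements("\n".join([title, content, *attachments]))
    objects = []
    for path, value in dict.fromkeys(elements):  # de-duplicate, keep order
        esc = value.replace("\\", "\\\\").replace("'", "\\'")  # STIX pattern quoting
        objects.append({
            "type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}", "created": now, "modified": now,
            "name": title, "pattern": f"[{path} = '{esc}']", "pattern_type": "stix",
            "valid_from": now, "object_marking_refs": [TLP_IDS[tlp.lower()]],
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
```

The Sharing Range is deliberately absent from the bundle, matching the page: it is instance-local and never serialized into STIX.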

Sharing Range

The Sharing Range is not saved in the STIX file; it only controls sharing with other users of the same S-TIP instance.

Third Party Tool Integration

  • MISP (Malware Information Sharing Platform)
  • Slack
  • JIRA
  • Splunk
  • Phantom

4. GV (Graph View)

GV is a CTI Graph Analytics View.

It visualizes STIX as a connected CTI graph. Nodes are STIX elements such as Indicators, Observables, Threat Actors, TTPs, Exploit Targets, Courses of Action, and Campaigns.

When the user selects a specific STIX file, S-TIP automatically searches RS for related STIX files and lists them. Related STIX files are linked to each other by thick links. (In the diagram below, each STIX file contains the same IPv4 address as an indicator.)

GV

Supported Clients

  • Windows 11
      • Chrome: 120.0.6099.225
      • Edge: 120.0.2210.144
      • Firefox: 121.0.1
  • macOS 14.2.1
      • Chrome: 120.0.6099.234
      • Safari: 17.2.1
  • Ubuntu 22.04
      • Chrome: 120.0.6099.224
      • Firefox: 121.0.1