A few months back, Anomali released a set of SDKs that greatly expanded our ability to deliver content within the platform, and with integrated systems. One of those SDKs – focusing on enrichments – was introduced to provide a straightforward means for adding contextual information.
In the threat intel world, enrichment has traditionally meant adding context to indicators in the form of network information (DNS, whois, GeoIP, ASN, certificate info, etc.) and reputation services (e.g. “scoring” indicators for risk). These will continue to be important data points used in threat analysis, and the Enrichment SDK will provide expanded choice for providers of this information.
But the TIP market has long since evolved to the point where this basic enrichment is commonplace, and a standard requirement for most organizations. So, when I first got my hands on the Enrichment SDK, my mind immediately jumped to all the possibilities this would open up. Obviously, my next step was to write an app that tells you the weather based on the geolocation of a given IP!
Because, as we all know, it rains a whole lot in Chongqing, China. So if it’s sunny then the hackers won’t be working. Am I right? This is totally ridiculous and flawed on more levels than I can count, but I hope it helps prove my point: Don’t be bound by the traditional notions of what an enrichment is. Here are a few (slightly more useful) examples of what I mean. Each of the referenced examples have been proven out using our SDK.
- Enrichments can be self-contained: A domain spinning app for generating typosquats, bitsquats, etc. that never even calls a third-party service. The logic is entirely self-contained. Example: dnstwist.
- Unlock your own data: Don’t be limited to information that will be the same for everyone. Want to know if an observable is present in any past security incidents? Example: ServiceNow.
- Simplify the presentation of complex data: Certain enrichment information has typically been difficult to consume because of the type of data being returned (e.g. timeseries data, distinct data elements, etc). Example: Openports
The platform and the SDK were specifically built to allow for this flexibility. By necessity, that meant the SDK is:
- Simple: A well-documented framework and examples allow for the quick development of new enrichment apps. Each activated enrichment is presented as if it was a native to the platform - just activate and decide how you want to use it. No configuring workflows or data flows, no endless customization.
- Flexible: Choose how granular the functions are. In the weather app, you have the choice to pull back specific queries (wind, humidity, etc). Want the combo meal? You can use “Recipes” to string together a series of enrichments, both saving time and improving the completeness of analysis. To support the varied human elements, we must give the option of both a la carte and the combo meal.
- Integrated: Enrichment information must be integrated into the platform in a way that makes it actionable. Enrichments are present in two places within the Anomali platform – observables details page and the explore graph. Certain enrichments make most sense presented as pivots in a graph, while others may return a series of data best presented in a table on the details page. Some make sense in both.
With our new investigations functionality, context is part of the graph/link analysis and becomes available for integration to other systems. Want to further enrich enrichment data? Simple, just continue to pivot. Want to import newly identified indicators? Add them to an import individually, using multiselect, or all at once.
Further, the SDK partner program was developed in a similar fashion to our existing APP store. This means users of the platform will regularly see new enrichments become available, while those with a narrower focus can remain restricted to specific organizations.
Ultimately, our SDKs provide an open and integrated ecosystem that allow customers to realize more value from Anomali and our partners. For more information on how we’ve worked with partners to deliver this functionality, see our recent blog with Silobreaker.
For more information visit our APP Store page.
Topics:Threat Intelligence Platform