Cyware Threat Response Docker: A Threat Intel Analyst’s Swiss Army Knife
Threat Response Docker • May 11, 2021
Introduction
Today’s threat intelligence scenario is diverse, with various tools and techniques used by analysts for an investigation of threat data. A lot of these tools are becoming automation-centric and taking over important aspects of the threat intelligence lifecycle.
Tools that combine intelligence from diverse sources are witnessing quick adoption, as automation allows analysts to streamline and orchestrate multiple tasks. Orchestration increases efficiency, reduces burnout, and gives analysts a vast perspective of the threat environment.
For effective security orchestration, an analyst needs the right combination of tools to ensure that threat data passes smoothly from one stage to another. To address this need, we at Cyware have created the Cyware Threat Response Docker.
The Cyware Threat Response Docker is a lightweight Docker image packaged with the latest tools to help analysts efficiently analyze data by stringing together multiple tools in one place, which can be set up in less than 100 seconds.
Here is the image to install, along with the installation instructions.
What is a Docker?
Docker is a tool designed to make it easy to run applications in containers. A container bundles an application together with its dependencies so the two can be deployed as a single package. As a result, the application runs the same way on any system with Docker installed, regardless of customized settings on that system that may differ from the system used for writing and testing the code.
Dockers vs. Virtual Machines
A common myth is that a Docker container and a virtual machine are the same. Unlike a virtual machine, a container does not create a whole virtual operating system; it shares the Linux kernel of the host it runs on, so an application only needs to ship with what is not already present on the host. This gives a significant performance boost and reduces the size of the application.
Docker also gives extensible storage and memory, as a Docker image occupies only the required storage and memory, promoting scalability and efficiency.
An alternative to Docker is creating a virtual machine (e.g., Kali Linux) loaded with the same tools. The advantages of using a Docker image over a virtual machine are:
Docker images load faster than a virtual machine.
Docker containers do not have fixed constraints on computer resources. In essence, the Docker image uses only as much space and memory as it requires.
A Docker image can be deployed to the cloud, enabling centralized intelligence management.
Using an open-source Docker image like the Cyware Threat Response Docker, an analyst gets tools and resources constantly updated by both maintainers and the vast open-source community.
Why do we need a Docker in threat intelligence?
Effective threat intelligence processes today use multiple tools and frameworks. Setting up all of these tools on a machine may burden the host system and cause dependencies to fail. Replacement of important packages can also cause other critical functions to fail. Frameworks packaged within a Docker image effectively solve this problem.
With a fully loaded Docker image, an analyst can easily set up their work environment on any system without burdening the host system. Packed with the right tools, Docker plays a crucial role in threat intelligence by helping analysts orchestrate various routine tasks, increasing efficiency, and reducing burnout.
Cyware Threat Response Docker
Cyware Threat Response Docker is a packaged collection of open-source threat intelligence tools to automate and orchestrate various threat intelligence tasks, such as data collection, extraction, enrichment, and others.
This Docker image can be easily pulled from Docker Hub and set up in less than 100 seconds. By utilizing this Docker image, an analyst can automate workflows, confidently set up and test new tools and frameworks, analyze any malicious software safely, and once done, can export the results and discard the image to free up all the resources it used.
Owing to the unique set of tools present in the Cyware Threat Response Docker, an analyst can also write custom scripts and orchestrate tasks. For example, an analyst can combine the feed collector tool and the indicator enrichment tool present in the Docker image to automatically enrich the indicators they receive.
They can also use the inbuilt TAXII client to subscribe to a TAXII server of their choice or even use the TAXII server to create their TAXII feed.
These are just a few of the things an analyst can do with the Cyware Threat Response Docker. With over 31 tools categorized into five categories and additional frameworks such as Python, git, and apt, an analyst can easily build orchestrations for their specific use cases.
Installation
Installation of this Docker image is effortless. The following commands can easily set up the image on your Docker-enabled system.
docker run -dit --name trd -p 8081:80 cylabs/cy-threat-response
docker exec -it trd bash
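The run command above publishes the container's web service on port 8081 of every host interface. The following wrapper is an added example, not part of the Cyware post or the project's repository: it keeps the post's image and container names but binds the published port to loopback and adds process and memory ceilings so a misbehaving tool or sample cannot exhaust the host. The limit values are illustrative assumptions, not Cyware's recommendations.

```shell
#!/bin/sh
# Added example (not from the Cyware post): a small wrapper around the
# post's "docker run" line. Image and container names are the post's own;
# the port-binding change and the resource limits are this wrapper's
# additions and the limit values are assumed defaults, adjust as needed.

IMAGE="cylabs/cy-threat-response"
NAME="trd"

# Validate a TCP port number; returns non-zero if it is not in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the full "docker run" argument list for the given host port.
# The post's "-p 8081:80" becomes "-p 127.0.0.1:8081:80", so the service
# inside the container is reachable only from the analyst's own machine.
trd_run_args() {
    valid_port "$1" || return 1
    printf '%s' "run -dit --name $NAME -p 127.0.0.1:$1:80 --security-opt no-new-privileges --pids-limit 512 --memory 2g $IMAGE"
}

# Start the container and open a shell in it (requires Docker on the host).
trd_start() {
    args=$(trd_run_args "${1:-8081}") || { echo "invalid port: $1" >&2; return 1; }
    # shellcheck disable=SC2086 -- word splitting of $args is intended here
    docker $args >/dev/null && docker exec -it "$NAME" bash
}
```

Call `trd_start` with no argument to use the post's port 8081, or pass another port; if a tool in the image needs to accept connections from other hosts, change the bind address back deliberately rather than by default.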
For a more detailed view, visit our GitHub page here.