Best Practices: Cross-Owner Associations
- Updated on 30 Jan 2024
Overview
When cross-owner associations are enabled on your ThreatConnect® instance, you can create associations between threat intelligence objects across all owners (i.e., Organizations, Communities, and Sources) to which you have access. Creating these associations allows for greater visualization and insight into all of the data you have access to and enables you to build a threat library more efficiently. Following are some best practices for using the cross-owner associations feature in ThreatConnect.
Best Practices
Create Associations Between “Like Terms”
- Create associations between Groups in different owners that share a known alias. For example, if an APT28 Intrusion Set belongs to the MITRE ATT&CK® Source and a Fancy Bear Adversary Group belongs to your Organization, it can be helpful to create an association between these two Groups because they share a known alias.
- If you are a Super User, create associations between “like terms” across Organizations on your ThreatConnect instance. For example, as a Super User, you can see all occurrences of a particular Malware Family in all Organizations on your ThreatConnect instance and then create associations between the corresponding objects. Only Super Users can view and create these associations, as non–Super Users will only have access to the objects in the Organization in which their user account exists.
Create a Central Repository for Associations in Your Organization
- When working with objects like Attack Patterns, Threat Actor Profiles, Malware Families, Vulnerabilities, Tools, and Tactics, create a primary Group in your Organization and then associate that Group to its counterparts in the Communities and Sources to which you have access. Doing so will provide you with a central repository in your Organization where you can access all objects and data corresponding to the Attack Pattern, Threat Actor Profile, Malware Family, Vulnerability, Tool, or Tactic.
- Create associations between ATT&CK® techniques in different owners to create a single location from which you can access all objects linked to a given technique. In some cases, an Attack Pattern Group whose summary contains the ATT&CK technique’s ID number (e.g., T1548) may exist in one owner, while an Attack Pattern Group whose summary contains the ATT&CK technique’s name (Abuse Elevation Control Mechanism) may exist in a different owner. In this scenario, it can be helpful to create an association between the two Groups because they correspond to the same ATT&CK technique.
- Create associations between Indicators that belong to multiple owners. Each owner can have a single copy of an Indicator, so associating an Indicator that belongs to your Organization to the same Indicator that belongs to a Community or Source can provide additional insights into the Indicator and help build out its threat profile.
Supported Object Types for Cross-Owner Associations
The first iteration of cross-owner associations focuses on creating associations between Groups and Indicators that belong to your Organization and those that belong to Communities and Sources to which you have access. You can also create associations between Artifacts and Workflow Cases in your Organization and Groups and Indicators in any owner to which you have access; however, cross-owner associations are not supported for Tags or Victim Assets at this time.
Areas Where You Can View and Create Cross-Owner Associations
There are several areas in ThreatConnect where you can view and create cross-owner associations, including the following:
- The Associations tab of an Indicator’s or Group’s Details screen
- The Associations card of an Indicator’s or Group’s legacy Details screen, either in graph view or table view
- The Associations card and Potential Associations card in a Workflow Case
  Note: An Organization Administrator must enable potential Case associations for a Community or Source in order for its Indicators and Groups to be suggested as potential associations to a Case.
- The ThreatConnect v3 API, when interacting with Groups, Indicators, or Cases
You can also view associations across owners for Groups, Indicators, and Cases when using Threat Graph.
When to Use the “Copy to My Org” Feature Instead of Creating a Cross-Owner Association
Cross-owner associations reduce the need to use ThreatConnect’s Copy to My Org feature to copy a Group from a Community or Source into your Organization just so that you can associate objects in your Organization to it. Instead, you can now associate the Group that exists in the Community or Source directly to the desired object(s) in your Organization, eliminating the need to copy the Group to your Organization.
However, if you want to copy a set of Attributes or Tags added to a Group in a Community to your Organization, the Copy to My Org feature will be more advantageous, as associating the Group to an object in your Organization will not copy those pieces of metadata to your Organization.
Permissions for Cross-Owner Associations
You can create cross-owner associations if you have an owner role with editing permissions in one of the owners and an owner role with at least viewing permissions in the other.
To view an association between two objects in different owners, you must have an owner role with at least viewing permissions in both owners. For example, if an association exists between an Indicator in an Organization and a Group in a Source, users in the Organization without viewing permissions in the Source will not be able to view the association.
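The following added example (not ThreatConnect code and not part of the original article) combines the “like terms” matching from the Best Practices section with the permission rules above: it pairs Groups in different owners that share an alias or ATT&CK technique and keeps only the pairs the user is allowed to associate. The numeric role levels, the lookup tables, the Group records, and the owner name "Example Community" are constructed assumptions; the code does not call the ThreatConnect API.

```python
import re
from itertools import combinations

NONE, VIEW, EDIT = 0, 1, 2  # simplified owner-role permission levels (assumption)

# Constructed lookup tables, seeded with the examples named in this article.
ALIASES = {"apt28": "apt28", "fancy bear": "apt28"}
TECHNIQUES = {"T1548": "Abuse Elevation Control Mechanism"}
TECHNIQUE_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

def can_view(roles, owner_a, owner_b):
    """Viewing requires at least viewing permissions in both owners."""
    return min(roles.get(owner_a, NONE), roles.get(owner_b, NONE)) >= VIEW

def can_create(roles, owner_a, owner_b):
    """Creating requires editing in one owner and at least viewing in the other."""
    levels = (roles.get(owner_a, NONE), roles.get(owner_b, NONE))
    return max(levels) >= EDIT and min(levels) >= VIEW

def like_term_key(group):
    """Map a Group summary to a key shared by its counterparts in other owners."""
    summary = group["summary"].strip()
    match = TECHNIQUE_ID.search(summary)
    if match:
        return ("technique", match.group(0))
    for technique_id, name in TECHNIQUES.items():
        if name.lower() in summary.lower():
            return ("technique", technique_id)
    alias = ALIASES.get(summary.lower())
    return ("alias", alias) if alias else None

def propose_associations(groups, roles):
    """Pair like-term Groups in different owners that this user may associate."""
    proposals = []
    for a, b in combinations(groups, 2):
        key = like_term_key(a)
        if (key and key == like_term_key(b) and a["owner"] != b["owner"]
                and can_create(roles, a["owner"], b["owner"])):
            proposals.append((a["id"], b["id"], key))
    return proposals

# Constructed sample data: Group exports from three owners and one user's roles.
GROUPS = [
    {"id": 1, "owner": "MITRE ATT&CK", "summary": "APT28"},
    {"id": 2, "owner": "My Org", "summary": "Fancy Bear"},
    {"id": 3, "owner": "MITRE ATT&CK", "summary": "T1548"},
    {"id": 4, "owner": "Example Community", "summary": "Abuse Elevation Control Mechanism"},
]
ROLES = {"My Org": EDIT, "MITRE ATT&CK": VIEW}  # no role in Example Community
```

With the sample roles, only the APT28 / Fancy Bear pair is proposed; the T1548 pair is withheld because the user has no role in one owner and no editing permissions in the other.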
Enabling and Disabling Cross-Owner Associations
To enable or disable cross-owner associations on your ThreatConnect instance, contact your System Administrator. If cross-owner associations are disabled after being enabled previously, you can still view and remove cross-owner associations created while this feature was enabled. However, you will not be able to create new cross-owner associations.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
20076-14 v.02.B