Best Practices: Cross-Owner Associations
  • 26 Oct 2022

Minimum Role: Organization role of Read Only User to view associations; Organization role of Standard User to create and modify associations

Prerequisites: Cross-owner associations enabled by a System Administrator (for creating associations between Groups and Indicators in your Organization and Groups and Indicators in Communities and Sources to which you have access)

Overview

When cross-owner associations are enabled on your ThreatConnect® instance, you can create associations between threat intelligence objects across all owners (i.e., Organizations, Communities, and Sources) to which you have access. Creating these associations allows for greater visualization and insight into all of the data you have access to and enables you to build a threat library more efficiently. Following are some best practices for using the cross-owner associations feature in ThreatConnect.

Note
The best practices outlined in this article apply to the iteration of cross-owner associations introduced in ThreatConnect version 6.7 and may be superseded by product improvements introduced in later versions.

Best Practices

Create Associations Between “Like Terms”

  • Create associations between Groups in different owners that share a known alias. For example, if an APT28 Intrusion Set belongs to the MITRE ATT&CK® Source and a Fancy Bear Adversary Group belongs to your Organization, it can be helpful to create an association between these two Groups because they share a known alias.
  • If you are a Super User, create associations between “like terms” across Organizations on your ThreatConnect instance. For example, as a Super User, you can see all occurrences of a particular Malware Family in all Organizations on your ThreatConnect instance and then create associations between the corresponding objects. Only Super Users can view and create these associations, as non–Super Users will only have access to the objects in the Organization in which their user account exists.

Create a Central Repository for Associations in Your Organization

  • When working with objects like Attack Patterns, Threat Actor Profiles, Malware Families, Vulnerabilities, Tools, and Tactics, create a primary Group in your Organization and then associate that Group to its counterparts in the Communities and Sources to which you have access. Doing so will provide you with a central repository in your Organization where you can access all objects and data corresponding to the Attack Pattern, Threat Actor Profile, Malware Family, Vulnerability, Tool, or Tactic.
  • Create associations between ATT&CK® Techniques in different owners to create a single location from which you can access all objects linked to a given Technique. In some cases, an Attack Pattern Group containing the ATT&CK Technique’s ID number (e.g., T1548) may exist in one owner, while an Attack Pattern Group containing the ATT&CK Technique’s name (Abuse Elevation Control Mechanism) may exist in a different owner. In this scenario, it can be helpful to create an association between the two Groups because they correspond to the same ATT&CK Technique.
  • Create associations between Indicators that belong to multiple owners. Each owner can have a single copy of an Indicator, so associating an Indicator that belongs to your Organization to the same Indicator that belongs to a Community or Source can provide additional insights into the Indicator and help build out its threat profile.

Supported Object Types for Cross-Owner Associations

The first iteration of cross-owner associations focuses on creating associations between Groups and Indicators that belong to your Organization and those that belong to Communities and Sources to which you have access. You can also create associations between Workflow Cases in your Organization and Groups and Indicators in any owner to which you have access; however, cross-owner associations are not supported for Artifacts, Tags, or Victim Assets at this time.

Areas Where You Can View and Create Cross-Owner Associations

There are several areas in ThreatConnect where you can view and create cross-owner associations, including the following:

You can also view associations across owners for a Group, Indicator, or Case when using the Explore In Graph feature (also known as Threat Graph).

When to Use the “Copy to My Org” Feature Instead of Creating a Cross-Owner Association

Cross-owner associations reduce the need to use ThreatConnect’s Copy to My Org feature, which creates a copy in your Organization of a Group that belongs to a Community or Source, solely so that you can associate objects in your Organization to that Group. In this scenario, you can now leverage cross-owner associations to associate the Group that exists in the Community or Source directly to the desired object(s) in your Organization, eliminating the need to copy the Group to your Organization.

However, if you want to copy a set of Attributes or Tags added to a Group in a Community to your Organization, the Copy to My Org feature will be more advantageous, as associating the Group to an object in your Organization will not copy those pieces of metadata to your Organization.

Permissions for Cross-Owner Associations

To create an association between two objects that belong to different owners, you must have access to, and hold the appropriate permissions in, each owner. Likewise, if an association exists between two objects in different owners, you must have access to each owner in order to be able to view the association. For example, if you create an association between an Indicator in your Organization and an Indicator in a Source to which you have access, users in your Organization who do not have access to the Source will not be able to view the association.
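The "like terms" practice and the visibility rule above can be modeled offline, as in this added example (not ThreatConnect code and not a use of its API). The record layout, the "Example Community" owner, and the hand-curated equivalence list are constructed assumptions; the APT28/Fancy Bear and T1548 pairs are the ones named in this article.

```python
from itertools import combinations

# Constructed sample records: not an export from any real ThreatConnect instance.
OBJECTS = [
    {"owner": "My Org", "type": "Adversary", "name": "Fancy Bear"},
    {"owner": "MITRE ATT&CK", "type": "Intrusion Set", "name": "APT28"},
    {"owner": "My Org", "type": "Attack Pattern", "name": "T1548"},
    {"owner": "Example Community", "type": "Attack Pattern",
     "name": "Abuse Elevation Control Mechanism"},
    {"owner": "Example Community", "type": "Malware", "name": "Unrelated Family"},
]

# Analyst-maintained sets of names that refer to the same thing (assumption:
# curated by hand; the two sets below come from this article's examples).
EQUIVALENT_NAMES = [
    {"apt28", "fancy bear"},
    {"t1548", "abuse elevation control mechanism"},
]


def canonical_key(name, equivalents=EQUIVALENT_NAMES):
    """Map a name to one stable key shared by all of its known equivalents."""
    norm = " ".join(name.lower().split())  # case- and whitespace-insensitive
    for names in equivalents:
        if norm in names:
            return min(names)  # deterministic representative of the set
    return norm


def candidate_associations(objects, equivalents=EQUIVALENT_NAMES):
    """Return pairs of objects in different owners that are 'like terms'."""
    pairs = []
    for a, b in combinations(objects, 2):
        if a["owner"] == b["owner"]:
            continue  # same-owner links are not cross-owner associations
        if canonical_key(a["name"], equivalents) == canonical_key(b["name"], equivalents):
            pairs.append((a, b))
    return pairs


def visible_pairs(pairs, accessible_owners):
    """Keep only associations where the user can access BOTH owners."""
    return [(a, b) for a, b in pairs
            if a["owner"] in accessible_owners and b["owner"] in accessible_owners]
```

A user with access only to "My Org" gets an empty list from `visible_pairs`, which mirrors why colleagues without access to a Source do not see associations that point into it.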

Enabling and Disabling Cross-Owner Associations

In ThreatConnect version 6.7, cross-owner associations are disabled by default. To enable cross-owner associations on your ThreatConnect instance, contact your System Administrator.

If cross-owner associations are disabled after being enabled previously, you can still view and remove cross-owner associations created while this feature was enabled. However, you will not be able to create new cross-owner associations.


ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE®, ATT&CK®, and MITRE ATT&CK® are registered trademarks of The MITRE Corporation.

20076-14 v.01.A