Yeti is a relatively new player in the threat intel platform game. How does it fit in with all the other tools that are out there? FAME? FIR? MISP? TheHive? Let’s have a look.
Yeti is a social animal
It might not be known to most cryptozoologists, but Yeti is a social animal. Sure, it may be good enough as a threat actor encyclopedia, but there’s so much more you can do with it!
Yeti’s ideal world is a world where all its features are put to good use. That includes data-oriented features such as feeds, analytics and exports, but also higher-level information such as describing TTPs and tying them to different actors. FAME and FIR, by the awesome CERT Société Générale team, have features that allow them to work closely with Yeti, both pushing and pulling information.
The FIR - FAME - Yeti triad
Besides being an extensible incident management platform, FIR parses any observables present in an incident’s description or comments and sends them to Yeti to see what it knows about them, displaying any matches. On the other hand, unrecognized observables can be pushed to Yeti and tagged.
FAME is also closely integrated with Yeti. Whenever observables are extracted from a sample (through one of FAME’s many modules), they are matched against what Yeti knows and the results are shown in the FAME analysis result page. Unknown observables, once again, can be tagged and pushed to Yeti so that associations with other submitted samples can quickly be made.
This is probably one of the best ways you can set up Yeti in your day-to-day incident response workflow. This setup works particularly well for teams that have dedicated rotations for each task (threat intelligence, incident management, malware analysis, etc.).
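The observable round-trip described above, as an added example that is not part of the original post or of the FIR, FAME or Yeti code: pull observables out of an incident note, split them into what Yeti already knows and what it does not, and build the tagged records an analyst would push back. Yeti’s HTTP API is not called; YETI_KNOWN is a constructed stand-in for its answer, and the regexes and record format are assumptions, not FIR’s own.

```python
import re

# Constructed incident note in the style of a FIR ticket comment. Indicators are
# defanged and use documentation values (EICAR hash, RFC 5737 address, .example.net).
INCIDENT_TEXT = """
User reports a phishing mail pointing at hxxp://login-update[.]example[.]net/.
Attachment SHA256: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
Outbound beacon seen to 203.0.113.45 on 443.
"""

# Constructed stand-in for what Yeti already knows (value -> tags). In the real
# setup this answer comes from Yeti's HTTP API, which this example does not call.
YETI_KNOWN = {
    "203.0.113.45": ["c2", "actor-x"],
    "login-update.example.net": ["phishing"],
}

PATTERNS = {  # assumed observable kinds, checked in this order
    "Hash": re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I),
    "Ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Hostname": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

def refang(text):
    """Undo the usual defanging ([.] and hxxp) so values match Yeti's stored form."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def extract_observables(text):
    """Return {value: kind} for every observable found in the (refanged) text."""
    found = {}
    for kind, pattern in PATTERNS.items():
        for value in pattern.findall(refang(text)):
            found.setdefault(value.lower(), kind)
    return found

def match_observables(observables, known):
    """Split observables into those Yeti knows (with its tags) and unknown ones."""
    matched = {v: known[v] for v in observables if v in known}
    unknown = {v: k for v, k in observables.items() if v not in known}
    return matched, unknown

def build_push(unknown, tags, source="FIR"):
    """Build the tagged records an analyst would push to Yeti for unknown observables."""
    return [{"value": v, "type": k, "tags": sorted(tags), "source": source}
            for v, k in sorted(unknown.items())]

if __name__ == "__main__":
    obs = extract_observables(INCIDENT_TEXT)
    matched, unknown = match_observables(obs, YETI_KNOWN)
    print("known to Yeti:", matched)
    print("to push:", build_push(unknown, {"phishing", "incident-1234"}))
```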
Interaction with other services
Yeti is one of the many tools released more or less recently that aim to make threat intelligence management easier. There is a very large number of tools that allow you to compile feed data and enrich it, achieving a result similar to the one described above.
The good news is that Yeti is very flexible in that regard: having both feed and export capabilities, it can easily be plugged into your existing ecosystem. Yeti is very likely complementary to systems that already exist and will give you a different approach to your data and the intelligence analysis you might carry out on it.
MISP can be used as a feed to Yeti, propagating information from the MISP communities you’re connected to directly to your defense systems in a way they can understand. TheHive (or rather, Cortex) can use Yeti as a source of enrichment for network artifacts.
Extending Yeti to your needs
It’s also worth noting that Yeti was designed with modularity in mind. It’s fairly easy to create new feeds, analytics and exports. Yeti’s full feature set can also be leveraged via the HTTP API, so interacting with it from other tools or even the command line should be pretty straightforward. Python bindings to the HTTP API (work in progress) are available in the pyeti repository.