OpenCTI: Open-Source Cyber Threat Intelligence Platform

OpenCTI is an open-source platform designed to help organizations manage their cyber threat intelligence (CTI) data and observables.

The platform, developed by Filigran, builds its data using a knowledge schema built on the STIX2 standards. It features a modern web application architecture with a GraphQL API and a user-friendly front end.

OpenCTI incorporates with other tools and applications, such as MISP, TheHive, MITRE ATT&CK, etc. increasing its capability to serve as a central hub for cyber threat intelligence management.

The objective is to develop a comprehensive tool that facilitates users to effectively capitalize on technical (such as TTPs and observables) and non-technical information (such as suggested attribution, victimology etc.) hence ensuring that every piece of information is traceable back to its source.

Significant features include interlinking data points, tracking first and last-seen dates, assessing confidence levels, and other. It has been created in order to structure, store, organize and visualize technical and non-technical information about cyber threats. This empowers users to extract valuable insights and leverage meaningful knowledge from the raw data.

OpenCTI not only allows imports but also exports of data under diverse formats (CSV, STIX2 bundles, etc.). Connectors are presently developed to accelerate interactions between the tool and other platforms.

Also Read: How Blockchain Enhances Contract Security and Integrity in CLM Systems?

Editions of the Platform

OpenCTI platform has 2 different editions: Community (CE) and Enterprise (EE). The purpose of the Enterprise Edition is to provide additional and powerful features which require particular investments in research and development. You can enable the Enterprise Edition directly in the settings of the platform.

• OpenCTI Community Edition, licensed under the Apache 2, Version 2.0 license.
• OpenCTI Enterprise Edition, licensed under the Enterprise Edition license.

To understand what OpenCTI Enterprise Edition brings in terms of features, just check the Enterprise Editions page on the Filigran website. You can also try this edition by enabling it in the settings of the platform.

Use Cases of OpenCTI

The platform can be used in numerous contexts to handle threats management use cases from a technical to a more strategic level. OpenCTI has been designed as a knowledge graph, taking inputs (threat intelligence feeds, sightings & alerts, vulnerabilities, assets, artifacts, etc.) and generating outputs based on built-in capabilities and / or connectors.

Also Read: How AI Revolutionizes Backup, Recovery & Cybersecurity in IT?

Below are some examples of use cases:

• Cyber Threat Intelligence knowledge base
• Detection as code feeds for XDR, EDR, SIEMs, firewalls, proxies, etc.
• Incident response artifacts & cases management
• Vulnerabilities management
• Reporting, alerting and dashboarding on a subset of data

Image Credit:  https://docs.opencti.io/latest/usage/getting-started/

Welcome Dashboard

The welcome page gives any visitor on the OpenCTI platform an overview of what’s happening on the platform. It can be replaced by a custom dashboard, created by a user (or the default dashboard set up in a role, a group or an organization).

Indicators in the Dashboard

Numbers

Component	Description
Intrusion sets	Number of intrusion sets.
Malware	Number of malware.
Reports	Number of reports.
Indicators	Number of indicators.

Charts & lists

Component	Description
Most active threats (3 last months)	Top active threats (threat actor, intrusion set and campaign) during the last 3 months.
Most targeted victims (3 last months)	Intensity of the targeting tied to the number of relations targets for a given entities (organization, sector, location, etc.) during the last 3 months.
Relationships created	Volume of relationships created over the past 12 months.
Most active malware (3 last months)	Top active malware during the last 3 months.
Most active vulnerabilities (3 last months)	List of the vulnerabilities with the greatest number of relations over the last 3 months.
Targeted countries (3 last months)	Intensity of the targeting tied to the number of relations targets for a given country over the past 3 months.
Latest reports	Last reports ingested in the platform.
Most active labels (3 last months)	Top labels given to entities during the last 3 months.

Installation

All you need to install the OpenCTI platform can be found in the official documentation. For installation, you can:

• Use Docker
• Install manually
• Use Terraform (community)
• Use Helm charts (community)

Download

OpenCTI is available for free on GitHub. Entire components are shipped as Docker images and manual installation packages. For a production deployment, the developers recommend deploying all components in containers, containing dependencies, using native cloud services or orchestration systems such as Kubernetes.

References

https://github.com/OpenCTI-Platform/opencti

https://docs.opencti.io/latest

https://docs.opencti.io/latest/usage/getting-started