OpenCTI: Open Cyber Threat Intelligence Platform

Last Release: 09/04/2022     Last Commit: 09/04/2022


Introduction

OpenCTI is a platform that lets cyber security experts share knowledge that improves cyber threat intelligence. It acts as a central store for all the important information related to specific cyber threats. It handles both the technical and the non-technical details of a threat, and it organizes that information in a way that makes it easy to visualize.

This tool was originally developed by ANSSI, the French cyber security agency, in partnership with CERT-EU, as a way of improving cooperation between partners on cyber defence.


As an open-source tool, OpenCTI has a modern design that allows it to structure data with a variety of knowledge schemas. All data is structured using the MITRE ATT&CK framework and follows the STIX2 standard. The data can later be exported as STIX2 bundles, CSV files, and other supported formats. Its core operation is finding the links that exist between the available pieces of information, which lets it trace a given piece of information back to its original source.

This platform can also be used together with other tools such as TheHive, MISP, MITRE ATT&CK, etc. OpenCTI can form new relations between specific data types by inferring them from the information it already holds. It relies on a number of databases to perform its functions, and all of these are connected through a GraphQL API that allows the brokers to interact with the available databases.
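The two ideas above, STIX2 bundles as the exchange format and new relationships inferred from stored ones, can be shown on a small scale. The code below is an added example written for this page, not OpenCTI's own import or rule-engine code: it validates a constructed STIX 2.1-style bundle (ID syntax and relationship endpoints that resolve inside the bundle) and applies one illustrative chaining rule, an assumption here rather than an OpenCTI rule, to derive a relationship the bundle does not state explicitly.

```python
import re
import uuid
from collections import defaultdict

ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f-]{36}$")  # STIX id: type--uuid


def sid(kind):
    """Build a STIX-style id 'type--uuid4' (constructed, not from a real feed)."""
    return f"{kind}--{uuid.uuid4()}"


# Constructed sample bundle: three domain objects and two relationships.
IS, AP, IND = sid("intrusion-set"), sid("attack-pattern"), sid("indicator")
BUNDLE = {
    "type": "bundle", "id": sid("bundle"),
    "objects": [
        {"type": "intrusion-set", "id": IS, "name": "Example Group"},
        {"type": "attack-pattern", "id": AP, "name": "Example Technique"},
        {"type": "indicator", "id": IND, "name": "Example Indicator",
         "pattern": "[domain-name:value = 'example.invalid']", "pattern_type": "stix"},
        {"type": "relationship", "id": sid("relationship"),
         "relationship_type": "indicates", "source_ref": IND, "target_ref": IS},
        {"type": "relationship", "id": sid("relationship"),
         "relationship_type": "uses", "source_ref": IS, "target_ref": AP},
    ],
}


def validate_bundle(bundle):
    """Return problems found (empty list = consistent): malformed ids and
    relationships whose source_ref/target_ref do not resolve in the bundle."""
    problems, ids = [], {o["id"] for o in bundle["objects"]}
    for o in bundle["objects"]:
        if not ID_RE.match(o["id"]):
            problems.append(f"bad id: {o['id']}")
        if o["type"] == "relationship":
            for key in ("source_ref", "target_ref"):
                if o[key] not in ids:
                    problems.append(f"{o['id']}: dangling {key} {o[key]}")
    return problems


def infer(bundle, rule):
    """Chaining rule (r1, r2, r3): A -r1-> B and B -r2-> C yields A -r3-> C.
    Returns inferred (source, type, target) triples the bundle does not state."""
    r1, r2, r3 = rule
    stated = {(o["source_ref"], o["relationship_type"], o["target_ref"])
              for o in bundle["objects"] if o["type"] == "relationship"}
    outgoing = defaultdict(list)  # source id -> [(relationship_type, target id)]
    for s, r, t in stated:
        outgoing[s].append((r, t))
    return [(a, r3, c) for a, ra, b in stated if ra == r1
            for rb, c in outgoing[b] if rb == r2 and (a, r3, c) not in stated]
```

Running `validate_bundle` before import catches dangling references that would otherwise become orphaned relationships, and `infer(BUNDLE, ("indicates", "uses", "indicates"))` derives that the indicator also indicates the attack pattern the group uses.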

Through this platform, cyber specialists have been able to improve the tactics they deploy when dealing with cyber security threats. With the information held in its archives, cyber security experts can work out how to handle a given threat more effectively. This has made the tool very useful in strengthening the cyber security of many organizations.

Features

  • Has a GraphQL API and a UX-oriented frontend
  • Has automated reasoning (deploys deductive reasoning to identify associations in real time)
  • Functions on a consistent, unified data model
  • Relies on a knowledge graph (to identify hyper-relationships)
  • Can perform correlation and exploration procedures
  • Manages how data is accessed
  • And so much more…

Supported platforms

  • Linux, Windows

Architecture

[Figure: OpenCTI architecture. Source: OpenCTI Documentation]

OpenCTI Install

The OpenCTI platform can be installed using different methods but the recommended one is the use of the docker-compose command.

Install via Docker

To install with Docker, clone the repository by running the following:

$ mkdir /path/to/your/app && cd /path/to/your/app
$ git clone https://github.com/OpenCTI-Platform/docker.git
$ cd docker

Manual Install:

Installing OpenCTI manually is a bit more involved and requires some prerequisites to be installed first:

  • ElasticSearch 6.x.x
  • Node.JS 10+
  • RabbitMQ 3.7+
  • Grakn 1.5.7+
  • Redis 3.0+

To install prerequisites, run (Ubuntu):

$ sudo apt-get install nodejs npm python3 python3-pip

After installing all the prerequisites, download the latest release and extract it:

$ mkdir /path/to/your/app && cd /path/to/your/app
$ wget https://github.com/OpenCTI-Platform/opencti/releases/download/{RELEASE_VERSION}/opencti-release.tar.gz
$ tar xvfz opencti-release.tar.gz

Then set up the JSON configuration:

$ cd opencti
$ cp config/default.json config/production.json

Important note: edit config/production.json and change the default credentials to match your environment.

Configure Connectors

Launching standalone connectors:

Use the docker-compose.yml of the connector and download the latest release, then run:

$ wget https://github.com/OpenCTI-Platform/connectors/archive/{RELEASE_VERSION}.zip
$ unzip {RELEASE_VERSION}.zip
$ cd connectors-{RELEASE_VERSION}/misp/

To activate connectors manually, you’ll need to download the connectors release, install its dependencies and initialize the config:

$ pip3 install -r requirements.txt
$ cp config.yml.sample config.yml

For further information and a “getting started” guide, click the ‘documentation’ button below.

Usage

When you open the platform for the first time, you’ll see the OpenCTI dashboard, which fills up once you start importing data.

[Figure: OpenCTI dashboard]