OpenCTI – Open Cyber Threat Intelligence Platform

OpenCTI Logo - Open Cyber Threat Intelligence Platform xploitlab

In cyber world there is many threat and attack, not just ordinary attack but many cyber attack that aimed important things, For example, DDOS attack to important server. Because now with development of technology all the services we can get online, imagine if the online services servers is down then everything is can be out of control. This is how important it is to goverments or online services companies to understand and find out the cyber threat.

Introduction

OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. It has been created in order to structure, store, organize and visualize technical and non-technical information about cyber threats.

The structuration of the data is performed using a knowledge schema based on the STIX2 standards. It has been designed as a modern web application including a GraphQL API and an UX oriented frontend. Also, OpenCTI can be integrated with other tools and applications such as MISPTheHiveMITRE ATT&CK, etc.

OpenCTI Architecture - Open Cyber Threat Intelligence Platform xploitlab
OpenCTI Architecture

Objective

The goal is to create a comprehensive tool allowing users to capitalize technical (such as TTPs and observables) and non-technical information (such as suggested attribution, victimlogy etc.) while linking each piece of information to its primary source (a report, a MISP event, etc.), with features such as links between each information, first and last seen dates, levels of confidence etc. The tool is able to use the MITRE ATT&CK framework (through a dedicated connector) to help structure the data. The user can also chose to implement its own datasets.

Once data has been capitalized and processed by the analysts within OpenCTI, new relations may be inferred from existing ones to facilitate the understanding and the representation of this information. This allow the user to extract and leverage meaningful knowledge from the raw data.

OpenCTI not only allows imports but also exports of data under different formats (CSV, STIX2 bundles, etc.). Connectors are currently developped to accelerate interactions between the tool and other platforms.

Documentation and demonstration

If you want to know more on OpenCTI, you can read the documentation on the tool. If you wish to discover how the OpenCTI platform is working, a demonstration instance is available and open to everyone. This instance is reset every night and is based on reference data maintened by the OpenCTI developers.

OpenCTI Graph - Open Cyber Threat Intelligence Platform xploitlab

Releases download

The releases are available on the Github releases page. You can also access to the rolling release package generated from the mater branch of the repository.

Installation

All you need to install the OpenCTI platform can be found in the official documentation. For installation, you can:

Docker Installation

Clone the repository

mkdir /path/to/your/app && cd /path/to/your/app
git clone https://github.com/OpenCTI-Platform/docker.git
cd docker 

Configure the environment

Before running the docker-compose command, please change the admin token (this token must be a valid UUID) and password of the application in the file docker-compose.yml:

- APP__ADMIN__PASSWORD="insert password"
- APP__ADMIN__TOKEN="insert token"

And change the variable OPENCTI_TOKEN (for worker-import and worker-export) according to the value of APP__ADMIN__TOKEN

– OPENCTI_TOKEN=”insert token”

As OpenCTI has a dependency to ElasticSearch, you have to set the vm.max_map_count before running the containers, as mentioned in the ElasticSearch documentation.

sysctl -w vm.max_map_count=262144

Run OpenCTI with docker

docker-compose –compatibility up

You can now go to http://localhost:8080 and log in with the credentials configured in your environment variables.

Read all docker installation here

Manual installation

Prerequisites

  • Node.JS (>= 10)
  • Grakn (>= 1.5.7)
  • Redis (>= 3.0)
  • ElasticSearch (== 6.x.x)
  • RabbitMQ (>= 3.7)

Prepare the installation

Installation of dependencies

You have to install all the needed dependencies for the main application and the workers. The example below if for Ubuntu:

sudo apt-get install nodejs npm python3 python3-pip

Download and extract the latest release application file.

mkdir /path/to/your/app && cd /path/to/your/app
wget https://github.com/OpenCTI-Platform/opencti/releases/download/{RELEASE_VERSION}/opencti-release.tar.gz
tar xvfz opencti-release.tar.gz 

Read all manual installations step here.

Community

Status & bugs

Currently OpenCTI is under heavy development, if you wish to report bugs or ask for new features, you can directly use the Github issues module.

Discussion

If you need support or you wish to engage a discussion about the OpenCTI platform, feel free to join us on our Slack channel. You can also send us an email to [email protected].

About

OpenCTI is a product powered by the collaboration of the French national cybersecurity agency (ANSSI), the CERT-EU and the Luatix non-profit organization.


You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

nineteen − 1 =