When conducting long-term research, or when tracking threat groups, malware families, ransomware families, whatever it is, it makes things easier to have a good, solid platform to work with, so we can document every shred of relevant information and link groups, people, victims and so on.
As security researchers, especially those of us in the threat intelligence field, one of our main goals is to understand the story behind every group and every threat actor. History very often dictates the future, and we need to predict that future.
Our purpose in using OpenCTI, or any CTI platform for that matter, is to fill in the picture as much as possible, look at it, and see what story we are telling our clients, communities, whoever it is.
So let's start with a formal introduction to OpenCTI. OpenCTI (Open Cyber Threat Intelligence) is a platform that aims to provide a comprehensive and collaborative approach to cyber threat intelligence (CTI). It is an open-source project that was developed by the French national cyber security agency, ANSSI (Agence nationale de la sécurité des systèmes d'information).
OpenCTI's capabilities are vast. The platform offers a range of features to support CTI analysts and incident responders in their work. These include:
- A flexible data model that can accommodate different types of CTI, such as indicators of compromise (IOCs), threats, attacks, campaigns, vulnerabilities, TTPs, and much more.
- A user-friendly interface for creating, managing, visualizing and linking CTI data.
- Collaboration tools, such as the ability to share CTI data with other users and to work on cases together.
- Integration with other tools and platforms, such as threat intelligence feeds, SIEMs (security information and event management systems), AlienVault and more.
- The ability to develop your own feed integration and use it with OpenCTI.
One of the key benefits of the OpenCTI platform is its focus on collaboration. It allows multiple users to work on the same cases, share their findings, and leverage the collective knowledge of the team. This can greatly improve the efficiency and effectiveness of CTI analysis and incident response. When it comes to my own projects and the things I do in my free time, such as writing this blog, I don't get to tangle with major research that demands several people working on it, so currently my own OpenCTI is a private one.
In addition to its features for CTI analysts, the OpenCTI platform also has a number of benefits for organizations. For example, it can help organizations to better understand the threats they face, prioritize their efforts, and make informed decisions about their cybersecurity posture. It can also help organizations to demonstrate compliance with relevant cybersecurity regulations and standards.
Overall, the OpenCTI platform is a valuable tool for anyone involved in CTI analysis and incident response. Its open-source nature and focus on collaboration make it a powerful resource for organizations looking to improve their cybersecurity posture and protect themselves from cyber threats.
Technical Attributes
OpenCTI is built on several engines; the ones we pay the most attention to are GraphQL, STIX 2.0 and Elastic. The idea is that each piece of information is stored as an entity using the STIX 2.0 standard. Since every entity is a standalone unit, we can connect several entities together to draw a clear picture.
For example, let's say we have a threat actor named KillerB, and he is related to a threat group named 69HoundDogs69 (you gotta have a few numbers and x's, of course, for good measure). Using OpenCTI we can create a permanent link between the two, and by doing so, anyone who looks for KillerB will find additional information and the fact that he is part of 69HoundDogs69. This can also be used for linking vulnerabilities to a group, IOCs to a group, malware families, and much more.
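As an added illustration (not code from this post or from the OpenCTI project), here is the KillerB / 69HoundDogs69 link expressed as hand-built STIX 2.0 objects, with a one-hop pivot that finds everything linked to a name and a reference check to run before importing a bundle. It assumes the STIX 2.0 direction for `attributed-to` (intrusion set attributed to the actor behind it) and uses a placeholder in place of a real CVE id.

```python
import uuid
from datetime import datetime, timezone

def _now():
    # STIX 2.0 timestamps: UTC, millisecond precision, trailing 'Z'
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def make_sdo(sdo_type, name, **extra):
    """Minimal STIX 2.0 domain object; ids are 'type--<uuid4>' per the spec."""
    ts = _now()
    obj = {"type": sdo_type, "id": f"{sdo_type}--{uuid.uuid4()}",
           "created": ts, "modified": ts, "name": name}
    obj.update(extra)
    return obj

def make_relationship(source, target, relationship_type):
    """Stand-alone STIX Relationship Object that references the two entities by id."""
    ts = _now()
    return {"type": "relationship", "id": f"relationship--{uuid.uuid4()}",
            "created": ts, "modified": ts, "relationship_type": relationship_type,
            "source_ref": source["id"], "target_ref": target["id"]}

def build_bundle():
    """Constructed sample: the KillerB / 69HoundDogs69 story as a STIX 2.0 bundle."""
    actor = make_sdo("threat-actor", "KillerB", labels=["criminal"])
    group = make_sdo("intrusion-set", "69HoundDogs69")
    vuln = make_sdo("vulnerability", "CVE-XXXX-YYYY (placeholder)")  # not a real CVE
    rels = [make_relationship(group, actor, "attributed-to"),  # STIX direction: set -> actor
            make_relationship(group, vuln, "targets")]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": [actor, group, vuln, *rels]}

def linked_to(bundle, name):
    """Pivot one hop from the entity called `name`: {relationship_type: [(type, name)]}."""
    entities = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    start = next(o for o in entities.values() if o["name"] == name)
    links = {}
    for rel in (o for o in bundle["objects"] if o["type"] == "relationship"):
        if rel["source_ref"] == start["id"]:
            other = entities[rel["target_ref"]]
        elif rel["target_ref"] == start["id"]:
            other = entities[rel["source_ref"]]
        else:
            continue
        links.setdefault(rel["relationship_type"], []).append((other["type"], other["name"]))
    return links

def dangling_refs(bundle):
    """Pre-import check: relationship refs that resolve to nothing in the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    return [r[k] for r in bundle["objects"] if r["type"] == "relationship"
            for k in ("source_ref", "target_ref") if r[k] not in ids]
```

Searching for KillerB returns the intrusion set he is attributed to, and searching for the set returns both the actor and the vulnerability it targets, which is the pivot the platform performs for you.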
I will upload an example in the future