22 Jul Open sourcing the opencti platform
Cyber threat intelligence within an organization or an industry has become more and more important in recent years and is now a key focus in many areas of cybersecurity. Adapting intrusion detection systems, building relevant red team scenarios, guiding incident response activities, providing a more effective risk assessment through better knowledge of threat agents: all of these require a deep understanding of the issues related to the cyber threats and its associated human and technical elements.
In such context, it has become more necessary for organizations with capacity in this area to better organize its knowledge of the threats which may target them. However, this capitalization and analysis approach cannot be limited to indicators of compromise and observables only. While essential, they are proved themselves insufficient when it comes to take more challenges than just detection or hunting.. This is precisely the void that OpenCTI intends to fill: a unified platform gathering both technical and non-technical information materializing cyber threats such as campaigns, tactics, malicious codes, victims and associated observables.
Foundations and original approach
The specifications of the platform are built on several observations and problems encountered during the day to day work of a CTI analyst and which OpenCTI is to answer.
When information related to cyber threats is scattered across a variety of media and mostly stored in unstructured formats:
The platform is able to store a large amount of information from multiple sources, in different formats, and organize them in a structured and actionable manner.
When information is available and accessible to the analyst but knowledge about a threat is poorly sourced or poorly dated:
The platform is able to source and date each relationship or link between two entities by referencing the reports or investigations that led to its establishment.
When knowledge is finally reached, it is difficult to share it without written reports or a list of technical indicators:
The platform is able to import and export structured knowledge across all types of entities and relationships, while specific maintaining trust levels to each information source.
When It is difficult and often time consuming to achieve a quantitative and qualitative view of a threat or target such as a business sector.
The platform is able to provide features to visualize in detail each piece of information and its implications as well as tools of visualization and quantitative analysis.
Data model choices and associated softwares
While OpenCTI ought to respond the aforementioned imperatives, it also covers the daily needs of the CTI analysts and their beneficiaries. Many kinds of productions already exist and can be easily incorporated. Intrusion sets identity cards, diamond models, kill chains, tactics and procedures matrices, chronologies of campaigns and victims: all of these deliverables have common elements that can be found in the STIX2 model proposed by the non-profit consortium OASIS.
Yet this model remains complex to implement rigorously in a database as it implies in fact notions of entities, relations, sub-entities and nested relations (such as for instance the property object_refs of the entity report is a relationship from a report to multiple entities or relationships, indicating the need to point a relationship to another relationship).
The OpenCTI data model is therefore based on the STIX2 reference, enriched with multiple attributes and entity types, and has been propelled into the Grakn open source database, which implements a knowledge hypergraph based on the entity-relationship model. . The choice fell on this technology after several partly successful trials on MongoDB and Neo4J, especially because of the need to create relationships towards any type of “object“, entities as relations.
At last, we would like to thank the Grakn team for their great support during the development of the first version of the platform. They were constantly open minded, attentive and particularly responsive to our regular features requests or integration questions. Without this and the impressive features of their product, the OpenCTI platform would not have all the possibilities it offers today.
Medium term objectives
You can find our future objectives in terms of development iterations for the OpenCTI platform in the strategic roadmap of the product. They mainly resolve around:
- integration with other platforms and products;
- improved import and export functionality;
- data enrichment;
- visualization and analysis capabilities
- investigation and correlation engine based on graphing algorithms.
Authors of the project
The OpenCTI project is jointly developed by ANSSI and CERT-EU, with the help of the community. Luatix is just an organization of volunteers from all walks of life beyond these two organizations who wish to participate in this project (as in others).