OpenCTI
Provide an understanding of the OpenCTI Project to process threat intel and assist analysts in investigating incidents.
Last updated
Provide an understanding of the OpenCTI Project to process threat intel and assist analysts in investigating incidents.
Last updated
OpenCTI is an open-sourced platform to allow organizations management of CTI through storage, analysis, visualization and presentation of threat campaigns, malware and IOCs. This tool is used for users to capataize on technical and non-technical information while developing relationships between information and its primary source. The platform can use MITRE ATT&CK framework to structure the data and can be integrated with other threat intel tools such as MISP and TheHive.
OpenCTI uses a variety of knowledge schemas to structure data such as STIX2 (Structured Threat Information Expression) which is a serialized and standardized language format user in TI exchange because it permits for data to be implemented as entities and relationships, tracing the origon of the information.
The following image illustrates the architectural lay out/structure:
The highlight services include:
GraphQL API: The API connects clients to the database and the messaging system.
Write workers: Python processes utilized to write queries asynchronously from the RabbitMQ messaging system.
Connectors: Another set of python processes used to ingest, enrich or export data on the platform to provide the application with a robust network of integrated systems and frameworks, creating threat intelligence relations allowing users to improve their defense tactics.
According to OpenCTI, connectors fall under the following classes:
Refer to the connectors and data model documentation for more details on configuring connectors and the data schema.
The opening dashboard displays various widgets summarizing threat data ingested into OpenCTI. Widgets showcase the current state of entities on the platform via the total number of entities, relationships, reports and observables ingested, and changes to these properties noted within 24 hours.
OpenCTI categorizes and presents entities under the Activities and Knowledge groups on the left-side panel. The Activities section covers security incidents ingested in the form of reports, making it easy for analysts to investigate these incidents while the Knowledge section provides linked data related to the tools adversaries use, targeted victims and type of threat actors and campaigns used.
The Analysis tab contains the input entities in reports analyzed and associated external references. Reports are central to OpenCTI as knowledge on threats and events are extracted and processed, allowing for easier identification of the source of information by analysts who can also add their investigation notes and external resources.
Security analysts investigate and hunt for events involving suspicious and malicious activities access their organizational network. Within the Events tab, analysts can record their findings and enrich their threat intel by creating associations for their incidents.
Technical elements, detection rules and artifacts identified during a cyber attack are listed under this tab: one or serveral identifiable makeup indicators. These elements assist analysts in mapping out threat events during a hunt and perform correlations between what they observe in their environments against the intel feeds.
All information classified as threatening to an organization or information would be classified under threats include:
Threat Actors: An individual or group of attackers seeking to propagate malicious actions against a target.
Intrusion Sets: An array of TTPs, tools, malware and infrastructure used by a threat actor against targets who share some attributes. APTs and threat groups are listed under this category on the platform due to their known pattern of actions.
Campaigns: Series of attacks taking place within a given period and against specific victims initiated by advanced persistent threat actors who employ various TTPs. Campaigns usually have specified objectives and are orchestrated by threat actors from a nation state, crime syndicate or other disreputable organization.
This tab lists all items related to an attack and any legitimate tools identified from the entities.
Malware: Known and active malware and trojan are listed with details of their identification and mapping based on the knowledge ingested into the platform. In our example, we analyze the 4H RAT malware and we can extract information and associations made about the malware.
Attack Patterns: Adversaries implement and use different TTPs to target, compromise, and achieve their objectives. Here, we can look at the details of the Command-Line Interface and make decisions based on the relationships established on the platform and navigate through an investigation associated with the technique.
Courses of Action: MITRE maps out concepts and technologies that can be used to prevent an attack technique from being employed successfully. These are represented as Courses of Action (CoA) against the TTPs.
Tools: Lists all legitimate tools and services developed for network maintenance, monitoring and management. Adversaries may also use these tools to achieve their objectives. For example, for the Command-Line Interface attack pattern, it is possible to narrow down that CMD would be used as an execution tool. As an analyst, one can investigate reports and instances associated with the use of the tool.
Vulnerabilities: Known software bugs, system weaknesses and exposures are listed to provide enrichment for what attackers may use to exploit and gain access to systems. The Common Vulnerabilities and Exposures (CVE) list maintained by MITRE is used and imported via a connector.
Entities
This tab categorizes all entities based on operational sectors, countries, organizations and individuals. This information allows for knowledge enrichment on attacks, organizations or intrusion sets.
What is the name of the group that uses the 4H RAT malware?
What kill-chain execution phase is linked with the Command-Line Interface Attack Pattern?
Within the Activities category, which tab would house the Indicators?
Day-to-day usage of OpenCTI involves navigating through different entities to understand and utilize the information for any threat analysis. When an intelligence entity is selected, the details are presented to the user:
Overview Tab: Provides the general information about an entity being analyzed and investigated. In our case, the dashboard will present you with the entity ID, confidence level, description, relations created based on threats, intrusion sets and attack patterns, reports mentioning the entity and any external references.
Knowledge Tab: Presents linked information associated with the entity selected. This tab will include the reports associated, indicators, relations and attack pattern timeline of the entity. Additionally, an analyst can view fine-tuned details from the tabs on the right-hand pane, where information about the threats, attack vectors, events and observables used within the entity are presented.
Analysis Tab: Provides the reports where the identified entry has been seen. The analysis provides usable information about a threat and guides investigation tasks.
Indicators Tab: Provides information on IOC identified for all the threats and entities.
Data Tab: Contains the files uploaded or generated for export that are related to the entity. These assist in communicating information about threats being investigated in either technical or non-technical formats.
History Tab: Changes made to the element, attributes, and relations are tracked by the platform worker and this tab will outline the changes.
What Intrusion sets are associated with the Cobalt Strike malware with a Good confidence level? (Intrusion1, Intrusion2)
Who is the author of the entity?
As a SOC analyst, you have been tasked with investigations on malware and APT groups rampaging through the world. Your assignment is to look into the CaddyWiper malware and APT37 group. Gather information from OpenCTI to answer the following questions.
What is the earliest date recorded related to CaddyWiper? Format: YYYY/MM/DD
Which Attack technique is used by the malware for execution?
How many malware relations are linked to this Attack technique?
Which 3 tools were used by the Attack Technique in 2016? (Ans: Tool1, Tool2, Tool3)
What country is APT37 associated with?
Which Attack techniques are used by the group for initial access? (Ans: Technique1, Technique2)
| Class | Description | Examples |
|---|---|---|
External Input Connector
Ingests information from external sources
CVE, MISP, TheHive, MITRE
Stream Connector
Consumes platform data stream
History, Tanium
Internal Enrichment Connector
Takes in new OpenCTI entities from user requests
Observables enrichment
Internal Import File Connector
Extracts information from uploaded reports
PDFs, STIX2 Import
Internal Export File Connector
Exports information from OpenCTI into different file formats
CSV, STIX2 export, PDF
