At Crimson7, I found myself needing to delve into Threat Intelligence. A quick internet search revealed that OpenCTI is rapidly emerging as the leading platform in this field.
The beauty of OpenCTI is that it lets you collect, ingest, and correlate data, and automate the processing, so that aggregated data from different sources can be presented and consumed the way you want. At C7, we focus on threat-informed security. Rather than just IoCs and millions of indicators for a SOC to consume, we need to understand how actors operate and which TTPs (or Attack Patterns, in OpenCTI terminology) are used in campaigns and attacks. We're after Attack Intelligence: we rebuild these attacks. One last piece of corporate talk before moving on: if you're planning to dive into CTI and are looking for an open (hopefully for a long time) and beautifully engineered platform, consider this: Filigran, the company behind OpenCTI, just secured $15 million in Series A funding.
OpenCTI can be easily deployed using Docker containers. It's straightforward: just browse the documentation, fetch the docker-compose.yaml file, and customize the .env file. However, a real deployment should consider two key factors:
While this setup falls short of the fully clustered deployment recommended by Filigran, with distributed Redis, RabbitMQ, and ingestion clusters, it is a pragmatic compromise. It is confined to a single server and not truly clustered across multiple systems, but running 4 Elasticsearch nodes as containers still saves you a lot of headaches: you get acceptable performance and robust storage, at the cost of lower processing and ingestion throughput than a fully clustered deployment would give you.
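To make the single-server layout above concrete, here is an added example of what the Elasticsearch part of such a docker-compose.yml can look like, written for this page and not taken from the author's article or from Filigran's repository. Image tags, the memory variable read from .env, and the form of ELASTICSEARCH__URL are assumptions; redis, rabbitmq, minio, the worker and the connectors are omitted and should be carried over unchanged from the upstream OpenCTI compose file.

```yaml
# Added example, not the author's compose file: a single-host OpenCTI deployment
# with a 4-node Elasticsearch cluster on an internal Docker network.
# ASSUMED: image tags, ELASTIC_MEMORY_SIZE from .env, the ELASTICSEARCH__URL form.
# redis, rabbitmq, minio, the worker and the connectors are left out here;
# take them unchanged from the upstream OpenCTI docker-compose.yml.

x-es-node: &es-node
  image: docker.elastic.co/elasticsearch/elasticsearch:8.12.2   # ASSUMED tag
  restart: always
  networks: [opencti-internal]
  ulimits:
    memlock: { soft: -1, hard: -1 }   # required for bootstrap.memory_lock=true
  # Deliberately no "ports:" block: the cluster is reachable only from the
  # internal network, which is the only reason xpack.security.enabled=false
  # below is acceptable. Publishing 9200 with security off hands every
  # ingested document, unauthenticated, to anyone who can reach the host.

x-es-env: &es-env
  cluster.name: opencti-es
  discovery.seed_hosts: es01,es02,es03,es04
  cluster.initial_master_nodes: es01,es02,es03,es04
  bootstrap.memory_lock: "true"
  xpack.security.enabled: "false"   # internal-only; enable TLS + auth before exposing ES
  xpack.ml.enabled: "false"
  thread_pool.search.queue_size: "5000"
  # Four JVMs on one box: 4 x ELASTIC_MEMORY_SIZE must still leave room for the
  # OS page cache and the OpenCTI/worker processes. Keep each heap below 31g.
  ES_JAVA_OPTS: -Xms${ELASTIC_MEMORY_SIZE} -Xmx${ELASTIC_MEMORY_SIZE}
  # Host prerequisite, or the nodes refuse to start:
  #   sudo sysctl -w vm.max_map_count=262144

services:
  es01:
    <<: *es-node
    environment:
      <<: *es-env
      node.name: es01
    volumes: [esdata01:/usr/share/elasticsearch/data]
  es02:
    <<: *es-node
    environment:
      <<: *es-env
      node.name: es02
    volumes: [esdata02:/usr/share/elasticsearch/data]
  es03:
    <<: *es-node
    environment:
      <<: *es-env
      node.name: es03
    volumes: [esdata03:/usr/share/elasticsearch/data]
  es04:
    <<: *es-node
    environment:
      <<: *es-env
      node.name: es04
    volumes: [esdata04:/usr/share/elasticsearch/data]

  opencti:
    image: opencti/platform:6.0.5   # ASSUMED tag; match the worker and connector images
    restart: always
    networks: [opencti-internal]
    ports: ["8080:8080"]   # the only published port; terminate TLS in a reverse proxy
    environment:
      - NODE_OPTIONS=--max-old-space-size=8096
      - APP__PORT=8080
      - APP__BASE_URL=${OPENCTI_BASE_URL}
      - APP__ADMIN__EMAIL=${OPENCTI_ADMIN_EMAIL}
      - APP__ADMIN__PASSWORD=${OPENCTI_ADMIN_PASSWORD}   # from .env, never the documented default
      - APP__ADMIN__TOKEN=${OPENCTI_ADMIN_TOKEN}         # a fresh UUID; this is root API access
      - ELASTICSEARCH__URL=http://es01:9200   # ASSUMED single entry point; check the docs for a URL list
      - REDIS__HOSTNAME=redis
      - RABBITMQ__HOSTNAME=rabbitmq
      - MINIO__ENDPOINT=minio
    depends_on: [es01, es02, es03, es04]

volumes:
  esdata01: {}
  esdata02: {}
  esdata03: {}
  esdata04: {}

networks:
  opencti-internal:
    driver: bridge
```

Before `docker compose up -d`, run `docker compose config` to confirm the merge keys expanded as intended and that `.env` actually supplied the admin password and token. Once the stack is up, `docker compose exec es01 curl -s 'localhost:9200/_cluster/health?pretty'` should report four nodes and a green status; if it stays red, the usual culprits are `vm.max_map_count` on the host or four heaps that together exceed the RAM available.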
💡 I have to admit that I reached 40 bundles/s processed and 62M documents, which is not bad at all and makes me very satisfied. Navigation through the data is blazing fast.
The step-by-step full article, the docker-compose files, how to ingest decent 'free' intelligence (from MISP, AlienVault, NIST, etc.), and all the knowledge and tips collected during a couple of sleepless nights are in this blog article: FULL ARTICLE (HOW TO)
I hope it helps you get started with CTI, and enjoy OpenCTI. Start thinking in terms of Attack Patterns and Intelligence.