Installing Open Source CTI Platform — Part 1
Introduction
OpenCTI is an open source platform that allows organizations to manage their cyber threat intelligence knowledge and observables. It was created to structure, store, organize and visualize technical and non-technical information about cyber threats. The data is structured using a knowledge schema based on the STIX2 standard. It is designed as a modern web application with a GraphQL API and a UX-oriented frontend, and it can be integrated with other tools and applications such as MISP, TheHive, MITRE ATT&CK, etc.
I would suggest referring to the following links for more information on the platform:
https://github.com/OpenCTI-Platform/opencti
https://filigran.io/solutions/products/opencti-threat-intelligence/
Note: this installation uses Windows as the host OS.
The following is the approach I followed during the installation, written up here to share with the wider audience who are new to this tool and have had trouble installing it. It is a 4-step installation:
1. WSL installation
2. Docker Desktop installation on top of WSL
3. Installing Portainer (which makes deploying the OpenCTI Docker stack easy)
4. Getting the OpenCTI Docker stack up and running.
WSL Installation
To do this, fire up PowerShell as administrator. At the prompt type wsl --install and hit Enter, as in the screenshot below:
In my case, WSL was already installed, so I proceeded with the Ubuntu 22.04 LTS installation using the command wsl --install -d Ubuntu-22.04. Once the installation finished, the Ubuntu terminal appeared in the Windows Terminal drop-down:
For a fresh WSL installation you can also follow Microsoft's guide at https://learn.microsoft.com/en-us/windows/wsl/install.
Docker Desktop Installation
For this, visit the Docker website at https://www.docker.com/products/docker-desktop/ and download Docker Desktop for Windows.
During the installation, keep the default settings and continue.
Once the Docker installation is done, open the Docker Desktop application and, under General settings, make sure the WSL 2 based engine option is checked (it is enabled by default).
Since the WSL engine is enabled, Docker can be used directly from the Ubuntu terminal installed earlier. I opened the Ubuntu terminal from the Windows host and ran sudo docker run hello-world, which pulls a small test image and runs it; this confirms that the Docker engine is reachable from the distro. If the docker command is not found inside Ubuntu, enable the distro under Settings > Resources > WSL integration in Docker Desktop.
Installing Portainer
To do this, open the Portainer documentation at https://docs.portainer.io/v/2.16/start/install/server/docker/wsl and run the following two commands in the Ubuntu terminal:
sudo docker volume create portainer_data
sudo docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest
Note that mounting /var/run/docker.sock gives Portainer full control of the Docker engine, which is root-equivalent on the host, so the Portainer admin account is a privileged credential. If you only need access from this machine, publish the ports on loopback instead (for example -p 127.0.0.1:9443:9443).
This pulls the latest Portainer image. According to the documentation linked above, these commands are enough to bring Portainer up; it can then be reached at https://localhost:9443 or https://<your-local-IP>:9443. In my case I used my local Ubuntu IP. On first access Portainer asks you to create a username and a (strong) password for the Web UI:
Once the user is created, you are taken to the Web UI with a quick setup page like the one below:
Here, click the Add Environments tile, which takes us to a page where we select the appropriate environment wizard; in our case, Docker Standalone. Refer to the screenshot below:
After selecting it and clicking the Start Wizard button, the next page offers a few ways to connect to the Docker standalone environment. By default the Portainer agent option is selected, along with the commands needed to deploy it. Check the following screenshot:
Copy the commands from the screenshot and run them in the WSL Ubuntu terminal; this pulls the Portainer agent image as well. See below:
In parallel, opening the Docker Desktop application shows the Portainer and Portainer agent containers created, up and running.
OpenCTI Docker Image Installation
Open the Portainer Web UI, select Stacks and click the Add stack button as shown below:
Clicking Add stack takes us to a new page with options for how to build the stack, with the web editor selected by default. Here is the screenshot:
I named the stack opencti. Next, go to the OpenCTI Docker repository at https://github.com/OpenCTI-Platform/docker, grab the docker-compose.yml file and paste its contents into the Portainer web editor.
Next, we need to add environment variables. For this, we have two options:
1. Add environment variables manually
2. Load variables from .env file
You can get the ‘.env.sample’ file from the same OpenCTI Docker repository linked above. Copy its contents into a new file named ‘.env’. Upload this file and Portainer assigns the values to the environment variables automatically, as displayed in the screenshot above.
In the ‘.env.sample’ file, the OPENCTI_ADMIN_TOKEN variable must be set to a version-4 UUID; the sample marks it with a ChangeMe placeholder. This token is the admin API credential for the platform, so generate it locally (for example with uuidgen or cat /proc/sys/kernel/random/uuid in the Ubuntu terminal) rather than copying one from a web page such as https://www.uuidgenerator.net/. Each connector ID in the file needs its own UUID as well, and OPENCTI_ADMIN_PASSWORD and the other ChangeMe placeholders must be replaced too.
You can change the values of the remaining variables according to your requirements before deploying the opencti stack from Portainer.
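The .env step is easy to get wrong by hand: the admin token and every connector ID need a distinct UUID, and a stack deployed with a ChangeMe value left in place ships with a known credential. The script below is an added example, not code from this post or from the OpenCTI project. It generates those values locally and refuses to produce a deployable .env while any placeholder remains. It assumes the KEY=VALUE layout and the ChangeMe placeholders used by the OpenCTI docker repository's .env.sample; the embedded sample file is constructed for the example and contains only a subset of the real file's lines.

```bash
#!/usr/bin/env bash
# Added example for this post (not from the OpenCTI or Portainer projects).
# Builds a deployable .env from .env.sample: every value that is still a
# "ChangeMe" placeholder gets a locally generated secret (UUIDv4 where the
# sample asks for one, random hex otherwise), and check_env refuses to pass
# while any placeholder remains. Variable names below follow the OpenCTI
# docker repository's .env.sample; the substitution itself is generic.
set -euo pipefail

# Version-4 UUID generated on this machine: the kernel's random UUID node is
# always present on Linux (including WSL); uuidgen is the fallback elsewhere.
gen_uuid() {
  if [ -r /proc/sys/kernel/random/uuid ]; then
    cat /proc/sys/kernel/random/uuid
  else
    uuidgen | tr 'A-Z' 'a-z'
  fi
}

# 128 bits from /dev/urandom as 32 hex characters, for passwords and keys.
gen_secret() {
  head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# True if the value has the shape of a version-4 UUID.
is_uuid4() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'
}

# Copy sample to out, line by line. KEY=ChangeMe_UUIDv4 gets a fresh UUID (so
# the admin token and every connector ID differ), any other KEY=ChangeMe...
# gets a random secret, everything else is copied unchanged.
fill_env() {
  local sample="$1" out="$2" line key
  : > "$out"
  chmod 600 "$out"                       # the file is about to hold credentials
  while IFS= read -r line || [ -n "$line" ]; do
    key="${line%%=*}"
    case "$line" in
      *=ChangeMe_UUIDv4) printf '%s=%s\n' "$key" "$(gen_uuid)" >> "$out" ;;
      *=ChangeMe*)       printf '%s=%s\n' "$key" "$(gen_secret)" >> "$out" ;;
      *)                 printf '%s\n' "$line" >> "$out" ;;
    esac
  done < "$sample"
}

# Gate to run before uploading the file to Portainer: fails if a placeholder
# survived or the admin token is not a version-4 UUID.
check_env() {
  local file="$1" token
  if grep -q 'ChangeMe' "$file"; then
    echo "refusing: placeholder values remain in $file" >&2
    return 1
  fi
  token="$(sed -n 's/^OPENCTI_ADMIN_TOKEN=//p' "$file")"
  if ! is_uuid4 "$token"; then
    echo "refusing: OPENCTI_ADMIN_TOKEN is not a version-4 UUID" >&2
    return 1
  fi
}

# Constructed stand-in for .env.sample (a subset of the real file's lines),
# so the script runs offline; point fill_env at the real download in practice.
write_sample_env() {
  cat > "$1" <<'EOF'
OPENCTI_ADMIN_EMAIL=admin@opencti.io
OPENCTI_ADMIN_PASSWORD=ChangeMePlease
OPENCTI_ADMIN_TOKEN=ChangeMe_UUIDv4
OPENCTI_BASE_URL=http://localhost:8080
MINIO_ROOT_USER=ChangeMeAccess
MINIO_ROOT_PASSWORD=ChangeMeKey
RABBITMQ_DEFAULT_USER=guest
RABBITMQ_DEFAULT_PASS=guest
ELASTIC_MEMORY_SIZE=4G
CONNECTOR_HISTORY_ID=ChangeMe_UUIDv4
CONNECTOR_EXPORT_FILE_STIX_ID=ChangeMe_UUIDv4
EOF
}

main() {
  local dir
  dir="$(mktemp -d)"
  write_sample_env "$dir/.env.sample"
  fill_env "$dir/.env.sample" "$dir/.env"
  check_env "$dir/.env" && echo "wrote $dir/.env; upload it via 'Load variables from .env file'"
}

main
```

Run it in the WSL Ubuntu terminal, pointing fill_env at the real .env.sample you downloaded, then upload the resulting .env through Portainer's 'Load variables from .env file' option. Only lines whose value begins with ChangeMe are rewritten; defaults that look like real values (such as the guest/guest RabbitMQ credentials in the constructed sample) still need to be changed by hand, and the finished .env is a secrets file, so keep it out of any git repository.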
With the environment variables loaded in Portainer as in the previous screenshot, we are ready to deploy the stack by clicking the button at the bottom of the page:
Once the stack deploys successfully, a notification pops up like the one below:
Since it says the stack deployed successfully, we verified this by opening the Docker Desktop application, where the stack shows as up and running:
OpenCTI is served on port 8080, so we browse to our local Ubuntu IP on port 8080 to see if OpenCTI is accessible, and yes, it is. Hurray! (It can take a few minutes after the containers start before the web UI responds, while Elasticsearch initializes.)
We can now log in with the email address and password set in the environment variables while configuring the stack. Logging into the CTI platform with my credentials gives me the following page, which shows that data is already appearing!
This is because, as part of my OpenCTI installation, I included the data connectors in my docker-compose.yml file, and they fetch the desired data according to our requirements.
This is it for now! I hope you can see how easy it is to get the platform up and running. I will write another blog post about data connectors and how to fetch data from external sources into the OpenCTI platform.
Note: make sure to follow the documentation links shared along with this blog as well. Write in the comments if you run into issues.
Thank you for reading this far! See you next time :)