Filigran
Published in Filigran

Robustness, intelligence and collaboration with OpenCTI 5.0

We are finally moving forward! Since the release of version 4, a few milestones later, OpenCTI 5.0 is here.

OpenCTI 5.0 new dashboard widgets

Introduction

Objectives

During our summer work, our two main drivers for building this new major release have been:

  • Make OpenCTI more reactive and intelligent with the data while we ensure consistency and robustness of our current components.
  • Build the roots of more collaboration, sharing and engagement on threat intelligence structured data.

To see what we are talking about, you can either click around in the demonstration instance or read this article.

Migration

OpenCTI 5.0 does not introduce any breaking change; migration should work as for any other minor release. Also, all the new features introduced in OpenCTI 5 will be backward compatible with existing platforms, including synchronization between platforms and sharing communities, which have been fully rewritten to optimize the accuracy and integrity of exchanged data.

Furthermore, this release contains 24 bugfixes in the core platform and 20 in connectors and the Python library, along with more than 10% of code coverage progression. We are committed, for present and future releases, to prioritize stability and to make OpenCTI maintenance easier and more reliable over time.

Major new features

Reasoning rules engine and adapted metrics

The STIX 2.1 standard provides analysts with great flexibility to represent cyber threat intelligence knowledge, but it forces them to constantly pivot on elements to gather all pieces of information, and it is not well designed when it comes to computing metrics and statistics over time.

In OpenCTI 5, we have worked to solve these problems by re-implementing the logical inferences already present in OpenCTI 3 with a generic reasoning engine.

In OpenCTI 5, the built-in reasoning engine includes 9 new rules (more to come) which can be activated independently. Some rules are more complex than others, but all of them take recursion into account, so cascading and side effects are handled.

One other important impact of this new reasoning engine is the way we compute statistics in all OpenCTI visualizations and dashboards. Let’s take a simple example to understand why this matters.

Considering the following relationships:

France → located-at → Europe
Spain → located-at → Europe
Italy → located-at → Europe

Intrusion Set A → targets → France
Intrusion Set A → targets → Spain
Intrusion Set A → targets → Italy

In OpenCTI 5, a rule named Targets via location has been created:

If entity A targets entity B and entity B is located-at entity C, then entity A targets entity C.

This rule will create the following relationship:

Intrusion Set A → targets → Europe

But this relationship is not representative of what happened, since we have 3 different “targeting” relationships and only one inferred relationship created (for performance, and to remain generic even for heavy entity types). To solve this issue, we have introduced the concept of “inference weight” (a normal entity / relationship has weight = 1), to reach exact accuracy in graph metrics.

For instance, these graphs represent the top intrusion sets and malware targeting the continent Europe:

  • Without any reasoning engine
  • With the OpenCTI version 3 reasoning engine (1 relationship created)
  • With the OpenCTI version 5 reasoning engine using inference weight
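To make the three graphs above concrete, here is an added example (our own illustration, not OpenCTI's engine code) that applies the “Targets via location” rule on the sample relationships and keeps an inference weight on each inferred relationship, equal to the number of explicit targeting relationships supporting it; the exact weighting scheme is our interpretation of the article. The `top_targeting` ranking mimics the “top intrusion sets targeting Europe” widget without reasoning, with a single unweighted inferred relationship, and with weights.

```python
"""Targets-via-location rule with inference weights (illustrative, not OpenCTI code)."""
from collections import defaultdict

# Constructed sample taken from the article; explicit relationships have weight 1.
EXPLICIT = [
    ("France", "located-at", "Europe"),
    ("Spain", "located-at", "Europe"),
    ("Italy", "located-at", "Europe"),
    ("Intrusion Set A", "targets", "France"),
    ("Intrusion Set A", "targets", "Spain"),
    ("Intrusion Set A", "targets", "Italy"),
]


def targets_via_location(rels, max_rounds=10):
    """If A targets B and B located-at C, infer A targets C, to a fixed point.

    Returns {(src, type, dst): weight}. Explicit relationships keep weight 1;
    an inferred one carries the sum of the weights of the targeting
    relationships that support it, so a cascade (C located-at D) also carries
    the weight. Assumes the location hierarchy is acyclic (max_rounds guards
    against a cycle inflating weights forever).
    """
    explicit = set(rels)
    weights = {r: 1 for r in explicit}
    located = defaultdict(set)
    for src, kind, dst in explicit:
        if kind == "located-at":
            located[src].add(dst)
    for _ in range(max_rounds):
        inferred = defaultdict(int)
        for (src, kind, dst), w in weights.items():
            if kind == "targets":
                for container in located.get(dst, ()):
                    inferred[(src, "targets", container)] += w
        changed = False
        for rel, w in inferred.items():
            if rel not in explicit and weights.get(rel) != w:
                weights[rel] = w
                changed = True
        if not changed:
            break
    return weights


def top_targeting(weights, target, use_weight=True):
    """Rank sources targeting `target`, like a 'top intrusion sets' widget."""
    counts = defaultdict(int)
    for (src, kind, dst), w in weights.items():
        if kind == "targets" and dst == target:
            counts[src] += w if use_weight else 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

Without the rule, `top_targeting({r: 1 for r in EXPLICIT}, "Europe")` is empty; with the rule but `use_weight=False` Intrusion Set A scores 1 (the version 3 behaviour), and with weights it scores 3.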

Subscriptions and digests

Regarding the “collaboration, sharing and engagement” objective, we have developed a subscription system allowing users to subscribe to new content in the platform in order to receive digests of knowledge. For example, it is now possible to subscribe to all new reports related to a specific sector or threat, as well as to be notified when new indicators are available for a given vulnerability.

Subscription management

For the moment, digests can only be sent by email through an SMTP server (which must be configured in the OpenCTI parameters), but the objective is to support more destinations such as file sharing platforms, notification software, ticketing systems, etc.

Example of email digest

Content editor and viewer

In our journey to offer more data processing and visualization capabilities, OpenCTI 5 provides users with a new content viewer, explorer and editor in all reports. It is now possible to:

  • View all PDF files attached to the report in an embedded PDF viewer.
  • View, edit and convert to PDF any HTML or Markdown file.

PDF viewer
Enriched HTML editor

In the future, the enriched text editor will be enhanced with templating features and auto-completion capabilities to insert OpenCTI text information and visualization widgets directly in the editor.

Revamped notes and opinions

Notes and opinions are part of the STIX 2.1 standard, but they should be displayed so that users can easily use these entities to contribute and participate. We have therefore greatly enhanced the way they are shown and created.

For opinions, a new “opinions radar” is available for each entity, and a selectable progress bar lets users easily update their opinion.

Distribution of opinions
Update opinions

For notes, users are now able to create them on any entity using a fully embedded form in the overview page. Also, when the author is not filled in, it is automatically set to the currently logged-in user.

Write a note

Custom workflows for all types of entity

Some entities in OpenCTI may be subject to a processing workflow. For instance, sightings, reports or incidents can be automatically generated and need to be assessed. In OpenCTI 5, it is now possible to enable custom workflows for any type of entity in the platform.

Custom workflows for all types of entities
Update a report status

Sharing with communities

This was one of our main focuses in OpenCTI 5: to finally make knowledge sharing easier between different platforms. We have decided to remove the “synchronizer” connector and to make the consumption of remote OpenCTI platform data part of the core platform. From now on, only a few steps are necessary to start consuming a remote platform.

On the remote side:

1] Create your community feed by adding a live stream with the appropriate criteria and filters (or your community can use your default stream on /stream/live).

Live streams

2] Create a user for each member of your community with a role allowing the “Consume stream” capability.

An example of stream user with a “Stream Consumer” role

3] Share the live stream ID (or just “default”) and the token with each community member.

On the consumer side:

1] Just configure the remote OpenCTI platform with the URL, the live stream ID (or “default”) and the given token.

Create a new synchronizer

Great new connectors

OpenCTI 5 also brings OpenCTI users a lot of new features among connectors, with some notable creations:

But almost all connectors have been enhanced during the last couple of months. In OpenCTI 5, having all available enrichment connectors enabled allows users to get very useful data in the application.

Example of an IPv4 address enriched with IpInfo, Shodan, etc.

New dashboard widgets

Last but not least, a few dashboard visualization widgets have been added, especially to:

  • Visualize entities or relationships in a timeline fashion.
  • Visualize lists of elements in a table with a number column.
  • Introduce new Indicators widgets to follow their lifecycle.

Timeline widget and indicators lifecycle

What’s next?

Data curation and garbage collector

In version 4, we implemented the automatic expiration of indicators once their valid_until date has passed. The future evolution of the platform will allow administrators to precisely configure their retention policy, the behavior of the garbage collector, and how data is kept up-to-date and healthy.

More connectors

The connectors portfolio has grown greatly over the last 6 months. Even if the Elastic, Splunk and Tanium connectors allow users to export data to a third-party platform, the OpenCTI ecosystem is still missing a lot of connectors to export data (Azure Sentinel, Q-Radar, MISP, TheHive, etc.).

Dashboards enhancements

A lot of widgets have been added recently, but for some entity types users need more visualization capabilities: for example, being able to display victimology in a given continent, the timeline of campaigns related to a specific threat, or lists of reports associated with an entity…

We hope all these new features and this brief overview of our roadmap have given you an accurate picture of where OpenCTI is going and what we intend to achieve. If you have not crossed the road yet, do not hesitate to join the amazing OpenCTI community on the Luatix Slack channel.
