Cyber Threat Intel Quest with OpenCTI -Part 1 (2024)

Introduction & Installation


Welcome to our blog series dedicated to OpenCTI, an open-source cyber threat intelligence management platform. Throughout this series, we’ll explore the key steps to setting up and leveraging this powerful solution, from initial installation to creating custom dashboards and processing data.

In this first article, we’ll dive into the OpenCTI installation process, walking you step-by-step through the prerequisites, installation steps, and initial setup. Whether you’re a seasoned cybersecurity professional or just new to OpenCTI, this resource aims to simplify the process and enable you to get the most out of this platform.

The following articles will cover key aspects such as adding data to OpenCTI, whether integrating threat intelligence feeds or manually adding relevant information. We’ll also explore creating custom dashboards, showing you how to visualize data in a meaningful way tailored to your specific needs.

Stay tuned for a deep dive into the world of OpenCTI, where threat management becomes more accessible and powerful than ever. Get ready to learn the ins and outs of this platform, from installation to creating actionable visualizations to strengthen your cybersecurity posture.

But first, what is the OpenCTI platform?

First developed by ANSSI, OpenCTI (Open Cyber Threat Intelligence) is an open-source platform designed to help organizations manage and analyze cyber threat intelligence. It serves as a centralized repository for storing, correlating, and sharing information about cyber threats, and it supports the entire lifecycle of threat intelligence, from collection and analysis to dissemination and collaboration.

Open Source Platform:
- OpenCTI is not just a cybersecurity tool; it’s a collaborative initiative. Being open-source means that the platform’s inner workings are transparent and accessible to the cybersecurity community. Organizations have the freedom to deploy, modify, and enhance the platform according to their unique security needs.

Threat Intelligence Management:
- At its core, OpenCTI functions as a sophisticated repository for organizing and managing threat intelligence data. This encompasses a wide array of information, including details about threat actors, ongoing campaigns, specific incidents, and the elusive indicators of compromise (IoCs).

STIX 2 Integration:
- The platform’s foundation is built upon the STIX (Structured Threat Information eXpression) version 2 standard. STIX serves as the lingua franca for expressing threat intelligence in a structured and standardized format. OpenCTI adeptly ingests and represents data in adherence to the STIX specification.

Graph-Based Data Model:
- OpenCTI leverages a graph-based data model, enabling a nuanced representation of relationships between diverse entities within the threat landscape. This graph-centric approach provides a comprehensive view of how different elements interconnect, empowering analysts to navigate complex threat scenarios more effectively.

Customizable Taxonomies:
- Recognizing the diverse needs of organizations, OpenCTI offers a flexible framework for defining and customizing taxonomies. This feature allows users to classify and categorize threat intelligence data based on their specific industry context and organizational requirements.

Connector Framework:
- Automation is a cornerstone of OpenCTI’s capabilities, made possible through its connector framework. This framework facilitates seamless integration with external data sources, such as threat intelligence feeds and other cybersecurity tools. Connectors streamline the process of ingesting valuable data into the platform.

User Interface and Visualization:
- OpenCTI doesn’t just present data; it visualizes it. The user interface is designed to empower analysts by offering visualization tools. These tools assist in navigating the intricate web of relationships between different entities, revealing patterns and trends that might otherwise remain hidden.

Incident Management:
- Incident response is a critical aspect of cybersecurity, and OpenCTI acknowledges this by incorporating features for incident management. The platform aids organizations in effectively tracking and documenting security incidents, providing a structured approach to incident response.

API Access:
- The flexibility of OpenCTI extends to its APIs, allowing users to interact programmatically with the platform. This API accessibility facilitates integrations with a spectrum of security tools and supports the automation of various workflows, contributing to a more streamlined cybersecurity operation.

Community Collaboration:
- OpenCTI is not just a tool; it’s a community-driven endeavor. Collaboration is not only encouraged; it’s at the heart of the platform’s ethos. Security professionals have the opportunity to actively contribute to the platform’s development, share valuable threat intelligence, and collectively elevate the capabilities of OpenCTI.

In essence, OpenCTI emerges as a dynamic, adaptable, and collaborative force in the cybersecurity landscape, providing organizations with a powerful toolset to navigate the complex world of threat intelligence.

Prerequisites: Debian 12

I advise you to follow the Docker installation. Install docker-compose:

sudo apt install docker-compose

Create your installation directory:

mkdir -p opencti_cti && cd opencti_cti

Clone the project:

git clone https://github.com/OpenCTI-Platform/docker.git
cd docker

Install jq, then generate the .env file:

sudo apt install -y jq

Write the .env configuration file (the heredoc delimiter is unquoted, so each $(cat /proc/sys/kernel/random/uuid) is expanded into a fresh UUID when the file is written):

(cat << EOF
OPENCTI_ADMIN_EMAIL=admin@opencti.io
OPENCTI_ADMIN_PASSWORD=iwaschangeofcourse
OPENCTI_ADMIN_TOKEN=$(cat /proc/sys/kernel/random/uuid)
OPENCTI_BASE_URL=http://localhost:8080
MINIO_ROOT_USER=$(cat /proc/sys/kernel/random/uuid)
MINIO_ROOT_PASSWORD=$(cat /proc/sys/kernel/random/uuid)
RABBITMQ_DEFAULT_USER=guest
RABBITMQ_DEFAULT_PASS=guest
ELASTIC_MEMORY_SIZE=4G
CONNECTOR_HISTORY_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_STIX_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_CSV_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_IMPORT_FILE_STIX_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_TXT_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_IMPORT_DOCUMENT_ID=$(cat /proc/sys/kernel/random/uuid)
SMTP_HOSTNAME=localhost
EOF
) > .env

Replace OPENCTI_ADMIN_PASSWORD and the RabbitMQ guest/guest pair with values of your own before anyone else can reach the instance. You can then export the variables into your shell:

export $(cat .env | grep -v "#" | xargs)

Don’t forget to set vm.max_map_count, which Elasticsearch requires (sysctl -w only applies until the next reboot; add the setting to /etc/sysctl.conf to make it persistent):

sudo sysctl -w vm.max_map_count=1048575

OK, now you can start the Docker service:

sudo systemctl start docker.service

And run:

docker-compose up -d
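Before running docker-compose up, a lint of the generated .env catches the two placeholders the heredoc above leaves in place (RabbitMQ guest/guest and OPENCTI_ADMIN_PASSWORD) and any $(...) that was written literally instead of expanded. This is an added example, not code from the original post or the OpenCTI project; the function names env_value, check_opencti_env and write_sample_env and the UUIDs in the sample file are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the original post: lint the .env written by the heredoc
# above for weak defaults before docker-compose brings the stack up (exit 0 when clean).
env_value() {  # env_value FILE KEY -> value of the first "KEY=" line, empty if absent
  grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}
check_opencti_env() {
  f="${1:-.env}"; rc=0
  uuid='^[0-9a-f]\{8\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{12\}$'
  # Every key the compose stack reads must be present and non-empty.
  for k in OPENCTI_ADMIN_EMAIL OPENCTI_ADMIN_PASSWORD OPENCTI_ADMIN_TOKEN OPENCTI_BASE_URL \
           MINIO_ROOT_USER MINIO_ROOT_PASSWORD RABBITMQ_DEFAULT_USER RABBITMQ_DEFAULT_PASS \
           ELASTIC_MEMORY_SIZE; do
    [ -n "$(env_value "$f" "$k")" ] || { echo "MISSING $k"; rc=1; }
  done
  # Token and connector IDs are filled from /proc/sys/kernel/random/uuid; a non-UUID value
  # means the $(...) substitution never ran (for example, a quoted heredoc delimiter).
  for k in OPENCTI_ADMIN_TOKEN CONNECTOR_HISTORY_ID CONNECTOR_EXPORT_FILE_STIX_ID \
           CONNECTOR_EXPORT_FILE_CSV_ID CONNECTOR_IMPORT_FILE_STIX_ID \
           CONNECTOR_EXPORT_FILE_TXT_ID CONNECTOR_IMPORT_DOCUMENT_ID; do
    env_value "$f" "$k" | grep -q "$uuid" || { echo "NOT_UUID $k"; rc=1; }
  done
  # Well-known defaults that must not survive into a reachable deployment.
  [ "$(env_value "$f" RABBITMQ_DEFAULT_PASS)" != guest ] || { echo "DEFAULT_CREDENTIAL RABBITMQ_DEFAULT_PASS"; rc=1; }
  pw=$(env_value "$f" OPENCTI_ADMIN_PASSWORD)
  { [ "${#pw}" -ge 16 ] && [ "$pw" != iwaschangeofcourse ]; } || { echo "WEAK OPENCTI_ADMIN_PASSWORD"; rc=1; }
  return $rc
}
# Constructed sample mirroring the post's heredoc, with fixed UUIDs so a run is reproducible.
write_sample_env() {
  cat > "$1" << 'EOF'
OPENCTI_ADMIN_EMAIL=admin@opencti.io
OPENCTI_ADMIN_PASSWORD=iwaschangeofcourse
OPENCTI_ADMIN_TOKEN=0f2b8a1c-5d6e-4f70-8a9b-1c2d3e4f5a6b
OPENCTI_BASE_URL=http://localhost:8080
MINIO_ROOT_USER=1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
MINIO_ROOT_PASSWORD=9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a
RABBITMQ_DEFAULT_USER=guest
RABBITMQ_DEFAULT_PASS=guest
ELASTIC_MEMORY_SIZE=4G
CONNECTOR_HISTORY_ID=11111111-2222-4333-8444-555555555555
CONNECTOR_EXPORT_FILE_STIX_ID=22222222-3333-4444-8555-666666666666
CONNECTOR_EXPORT_FILE_CSV_ID=33333333-4444-4555-8666-777777777777
CONNECTOR_IMPORT_FILE_STIX_ID=44444444-5555-4666-8777-888888888888
CONNECTOR_EXPORT_FILE_TXT_ID=55555555-6666-4777-8888-999999999999
CONNECTOR_IMPORT_DOCUMENT_ID=66666666-7777-4888-8999-aaaaaaaaaaaa
EOF
}
```

Run it against the file you generated with `check_opencti_env .env`; on the sample from the post it reports DEFAULT_CREDENTIAL for RabbitMQ and WEAK for the admin password and exits non-zero.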

Once the installation is complete, your terminal should look like this: [screenshot of the terminal after the installation]

You can then access the platform at the OPENCTI_BASE_URL set in .env (http://localhost:8080): [screenshot of the OpenCTI web interface]

You have now implemented a robust platform that will become an essential pillar of your cybersecurity arsenal. At this point, you have laid the foundation needed to centralize and effectively manage threat intelligence.

In subsequent articles in this series, we’ll dive into enriching your OpenCTI platform. Whether you plan to integrate data from external sources, add indicators manually, or develop custom connectors, we will guide you every step of the way.

Stay with us to explore how to take full advantage of OpenCTI, transforming your raw data into actionable insights. Together, we will deepen your understanding of threats, strengthen your analytical capabilities, and help make your cybersecurity environment a more resilient defense against future attacks. Get ready to enrich your OpenCTI platform and maximize its potential in the next step in this exciting series.

Next in Part II: Cyber Threat Intel Quest with OpenCTI - Part 2: Search and ingestion (medium.com)
Author: Kieth Sipes