Creating OpenCTI: My mission to democratise threat intelligence through open source

"I couldn’t find the right tool on the market so I took matters into my own hands"


The nation-state attacks and phishing scams facing organisations are nothing new. However, the boldness, frequency and sophistication of attacks is changing, writes Samuel Hassine, Director of Security Strategy & Operations at Tanium. OpenCTI is an open-source platform which specialises in the analysis of cyber threats and is made freely available to the community. It’s a project close to my own heart because I co-created it with Julien Richard and we have dedicated a large part of our lives to it for the past two and a half years. I originally started to develop the project while I was working for the French National Cybersecurity Agency (ANSSI).

OpenCTI aims to help organisations access, organise and visualise intelligence, providing a real-time event stream of threat intelligence data. It is a modern web app with a GraphQL API and a UX-oriented frontend. OpenCTI can also be integrated with other tools and applications such as MISP, TheHive and MITRE ATT&CK. It also has connectors to gather threat intelligence data from open or closed sources such as FireEye, FS-ISAC, AlienVault, Kaspersky, VirusTotal or MISP. OpenCTI data can be used to search a data lake for potential threats, or to feed a forensics, detection and remediation tool like the Threat Response module in Tanium.

We developed the OpenCTI project because one of the biggest challenges for organisations is having access to reliable threat data. Our mission was clear: democratise threat intelligence by creating an open-source platform that all organisations can use to improve their understanding of the threat landscape and therefore better protect themselves.

I couldn’t find the right tool on the market (especially an open source one), so I took matters into my own hands.

OpenCTI: Classifying data for a tailored approach

The data in OpenCTI contains detection and remediation guidelines for different classifications of threats. Organisations can select the threat data that is most relevant to their industry and their security posture, and configure it with different confidence levels. When investigating an alert or threat indicator, analysts can refer to OpenCTI to see the signature of a threat and review context about it, such as its attribution to threat actors and the tactics used by targets in response.

What makes this platform different is that its own data hub grows as the product matures. OpenCTI constantly maintains its data source connectors and follows a once-a-month release cadence for the platform. This flexibility means that organisations can choose the data feeds that best fit their needs, as they don’t have to take everything available. They can take intelligence relevant to a market, vertical or threat vector.

No matter the size of the organisation, all can benefit from access to quality threat intelligence. I expect small and medium-sized businesses (SMBs) to benefit greatly from OpenCTI, given that they often have had no previous access to threat intelligence. The disconnect between SMBs’ cybersecurity needs and their access to IT specialists means they can miss their security goals. SMBs require cybersecurity solutions that are easy to implement and that come with well-defined onboarding plans, which is why OpenCTI works well for them. Such resources could be used to implement a better line of defence, which will help mitigate attacks in their early stages.

A community-based approach

It’s not just small organisations that are leveraging OpenCTI.

More than 500 large enterprises and government agencies are already using the platform worldwide, including several Tanium customers. The connector between OpenCTI and the Tanium platform allows them to feed threat intelligence into their detection and forensic capabilities. It demonstrates the benefit of using highly open and customisable endpoint management tools to leverage tailored pieces of intel for threat defence and hunting purposes.

Security analysts depend on third-party threat intelligence to help detect and analyse threats. However, as with other security data pipeline challenges, aggregating, correlating and analysing data from multiple sources can be a complicated process. This is a challenge that I have experienced myself while working for the French government, and that’s why it has become a personal mission for me to provide a solution.

Looking to the future, we hope to develop OpenCTI further. What’s coming is very exciting, as we plan to fully automate the management of the intelligence lifecycle to develop more analysis capabilities.
