
At Crimson7, I found myself needing to delve into Threat Intelligence. A quick internet search revealed that OpenCTI is rapidly emerging as the leading platform in this field.

The beauty of OpenCTI is that it lets you collect, ingest, and correlate data, and automate its processing so that aggregated data from different sources is presented and consumed the way you want. At C7 we focus on threat-informed security. Rather than just IoCs and millions of indicators for a SOC to consume, we need to understand how actors operate and which TTPs (Attack Patterns, in OpenCTI terminology) are used in campaigns and attacks. We are after Attack Intelligence: we rebuild these attacks. One last piece of corporate talk before we move on: if you are planning to dive into CTI and are looking for an open (hopefully for a long time) and well-engineered platform, consider that Filigran, the company behind OpenCTI, just secured a Series A round of $15 million.

OpenCTI is easy to deploy with Docker containers: browse the documentation, fetch the docker-compose.yaml file, and customize the .env file. A real deployment, however, has to consider two key factors:

  • Adding the right data import connectors. You must plan upfront which data to ingest and from which sources. In this article I'll tell you what you can get almost for free, and it is enough to leave you satisfied.
  • Scaling the configuration and resources to match the data you expect to ingest. I initially deployed OpenCTI on my home server, only for it to crash after a few hours due to CPU overheating and insufficient heap space. I then moved to an expensive cloud OpenSearch instance with 8GB of RAM, which crashed after a few days. Finally, I found a solution that still keeps me excited, but you'll have to read the entire article to find out!
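As an added example of what "customize the .env file" means in practice (this is the editor's script, not Crimson7's or Filigran's code), the snippet below generates the docker .env with unique secrets instead of the sample defaults and sizes the Elasticsearch heap from the host's RAM, which is the setting behind the heap-space crashes mentioned above. The variable names follow the upstream OpenCTI docker .env sample; the heap rule (half of RAM, floored at 1 GiB and capped below 32 GiB so the JVM keeps compressed object pointers), the admin e-mail and the base URL are assumptions you should adapt.

```shell
#!/usr/bin/env sh
# Added example: write an OpenCTI docker .env with freshly generated secrets
# and an Elasticsearch heap derived from available RAM.
# Variable names match OpenCTI's docker .env sample; the heap-sizing rule,
# e-mail address and base URL are this editor's assumptions.

# heap_size_mb TOTAL_RAM_MB -> heap size in MB for ELASTIC_MEMORY_SIZE.
# Half of RAM (Elasticsearch guidance), never below 1 GiB, never above 31 GiB
# so the JVM stays under the compressed-oops threshold.
heap_size_mb() {
  total_mb=$1
  heap=$((total_mb / 2))
  if [ "$heap" -gt 31744 ]; then heap=31744; fi
  if [ "$heap" -lt 1024 ]; then heap=1024; fi
  echo "$heap"
}

# random_hex N -> N random bytes, hex-encoded (2N characters)
random_hex() {
  openssl rand -hex "$1"
}

# uuid4 -> a random UUID; OpenCTI requires the admin token (and connector IDs)
# to be valid UUIDs, not arbitrary strings.
uuid4() {
  uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid
}

# write_env OUT_FILE TOTAL_RAM_MB -> writes the .env and restricts its mode,
# since it holds every credential of the stack.
write_env() {
  out=$1
  total_mb=$2
  cat > "$out" <<EOF
OPENCTI_ADMIN_EMAIL=admin@example.com
OPENCTI_ADMIN_PASSWORD=$(random_hex 16)
OPENCTI_ADMIN_TOKEN=$(uuid4)
OPENCTI_BASE_URL=http://localhost:8080
MINIO_ROOT_USER=$(random_hex 8)
MINIO_ROOT_PASSWORD=$(random_hex 16)
RABBITMQ_DEFAULT_USER=$(random_hex 8)
RABBITMQ_DEFAULT_PASS=$(random_hex 16)
ELASTIC_MEMORY_SIZE=$(heap_size_mb "$total_mb")m
EOF
  chmod 600 "$out"
}

# Usage (assumes a Linux host): size the heap from the real memory total.
# write_env ./.env "$(awk '/MemTotal/ {print int($2/1024)}' /proc/meminfo)"
```

Two things worth noting: the generated token is a UUID because OpenCTI rejects non-UUID tokens at startup, and the heap value is the `-Xms`/`-Xmx` the compose file passes to Elasticsearch, so an undersized host fails exactly the way the bullet above describes rather than degrading gracefully.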

This setup falls short of the fully clustered deployment Filigran recommends, with distributed Redis, RabbitMQ, and ingestion clusters, but it is a pragmatic one. It is confined to a single server and not truly clustered across multiple systems, yet running 4 Elasticsearch nodes as containers on that host at least saves you the headaches described above. The result is acceptable performance with robust storage, with the expected decrease in processing and ingestion speed compared to a real multi-host cluster.

💡 I have to admit that I reached 40 processed bundles per second and 62M documents, which is not bad at all and makes me very satisfied. Navigating the data is blazing fast.

[Screenshot: Connectors, Data Ingestion]

The step-by-step guide, the docker-compose files, how to ingest decent 'free' intelligence (from MISP, AlienVault, NIST, etc.), and all the knowledge and tips collected during a couple of sleepless nights are in the full blog article: FULL ARTICLE (HOW TO)

I hope this helps you get started with CTI. Enjoy OpenCTI, and start thinking in terms of Attack Patterns and Intelligence.
