Threat Intel for fun and profit | OpenCTI on a budget

<aside> 💡

Build your own CTI by deploying OpenCTI—seriously, and on a budget

</aside>

At Crimson7, I found myself needing to delve into Threat Intelligence. A quick internet search revealed that OpenCTI is rapidly emerging as the leading platform in this field.

The beauty of OpenCTI is that it allows you to collect, ingest, and correlate data, as well as automate processing to present and consume aggregated data from different sources in the way you want. At C7, we're focused on threat-informed security. Rather than just IoCs and millions of indicators to consume in a SoC, we need to understand how actors operate and what TTPs (or Attack Patterns, to use OpenCTI terminology) are used in campaigns and attacks. We're after Attack Intelligence—we're rebuilding these attacks. Let's wrap up the corporate talk with one last piece of info: if you're planning to dive into CTI and are looking for an open (hopefully for a long time) and beautifully engineered platform, consider this—Filigran, the company behind OpenCTI, just secured a Series A funding of $15 million.

OpenCTI can be easily deployed using Docker containers. It's straightforward: just browse the documentation, fetch the docker-compose.yaml file, and customize the .env file. However, a real deployment should consider two key factors:

Adding proper data import connectors. You must plan upfront which data to ingest and from which sources. In this article, I'll tell you what you can get almost for free, leaving you satisfied.
Scaling the configuration and resources to match the data you expect to ingest. I initially deployed OpenCTI on my home server, only for it to crash after a few hours due to CPU overheating and insufficient heap space. I then moved to an expensive cloud instance of OpenSearch with 8GB of RAM, which crashed after a few days. Finally, I found a solution that still keeps me excited—but you'll have to read the entire article to find out!

This is the architecture of OpenCTI, it’s built on:

an ElasticSearch storage, this is obviously your resource intense component
a Redis instance to buffer live data
minio for the S3 storage of files
OpenCTI itself is a node application running in his beefed up container
Workers, essentially python code, default install should run with 3 connected workers

(image from the OpenCTI documentation)