Intro to OpenCTI — Part 2

Aneesharokkiasamy
Oct 13, 2022

OpenCTI is an open-source platform that makes cyber threat intelligence knowledge easier to manage. It is valuable to the security analyst because it lets you import and export both technical and non-technical threat intelligence data. In my previous post I introduced OpenCTI; in this post I walk through a demonstration of the platform.

Installation of OpenCTI

To install OpenCTI, you can use the following method:
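Whichever install route you take, if it is the official docker-compose distribution (the OpenCTI-Platform/docker repository), the step people skip is editing `.env`: the shipped `.env.sample` fills every credential with a placeholder such as `ChangeMe` or `guest`, and a stack started with those values is open to anyone who knows the defaults. The script below is an added example, not code from the post or from the OpenCTI project: it rewrites every placeholder with a random secret of the right shape (OpenCTI requires the admin token and connector ids to be UUIDv4) and reports any placeholder that survives. The `SAMPLE_ENV` text is a constructed excerpt modelled on the upstream `.env.sample`; check its variable names against the current sample before relying on it.

```python
import re
import secrets
import uuid

# Constructed excerpt in the shape of the upstream .env.sample. The placeholder
# values are what an unedited copy gives you; a stack started with them is
# reachable by anyone who knows the defaults and can reach the ports.
SAMPLE_ENV = """\
OPENCTI_ADMIN_EMAIL=admin@opencti.io
OPENCTI_ADMIN_PASSWORD=ChangeMePlease
OPENCTI_ADMIN_TOKEN=ChangeMe
OPENCTI_BASE_URL=http://localhost:8080
MINIO_ROOT_USER=ChangeMe
MINIO_ROOT_PASSWORD=ChangeMe
RABBITMQ_DEFAULT_USER=guest
RABBITMQ_DEFAULT_PASS=guest
ELASTIC_MEMORY_SIZE=4G
CONNECTOR_HISTORY_ID=ChangeMe
CONNECTOR_EXPORT_FILE_STIX_ID=ChangeMe
CONNECTOR_IMPORT_FILE_STIX_ID=ChangeMe
SMTP_HOSTNAME=localhost
"""

PLACEHOLDERS = {"ChangeMe", "ChangeMePlease", "guest"}

# OpenCTI rejects an admin token or connector id that is not a UUIDv4.
UUID4_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")


def _entries(text):
    """Yield (key, value) for every KEY=VALUE line, skipping comments and blanks."""
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()


def new_value(key):
    """Replacement of the right shape: UUIDv4 for tokens and connector ids,
    a short random name for usernames, a 32-character secret for everything else."""
    if key.endswith(("_TOKEN", "_ID")):
        return str(uuid.uuid4())
    if key.endswith("_USER"):
        return "svc_" + secrets.token_hex(4)
    return secrets.token_urlsafe(24)


def harden_env(text):
    """Return the env file with every placeholder value replaced; other lines untouched."""
    out = []
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            if value.strip() in PLACEHOLDERS:
                line = f"{key.strip()}={new_value(key.strip())}"
        out.append(line)
    return "\n".join(out) + "\n"


def leftover_placeholders(text):
    """Keys still carrying a placeholder value; an empty list means safe to start the stack."""
    return [key for key, value in _entries(text) if value in PLACEHOLDERS]


def parse_env(text):
    """KEY -> VALUE mapping, for checking individual settings."""
    return dict(_entries(text))


if __name__ == "__main__":
    hardened = harden_env(SAMPLE_ENV)
    assert leftover_placeholders(hardened) == []
    print(hardened, end="")
```

In practice you would copy `.env.sample` to `.env`, run `harden_env` over its contents, write the result back, and only then start the stack as the docker repository's README describes. Keep the generated admin password and token somewhere safe: the token is what the connectors and any API client use to authenticate.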

Demonstration of OpenCTI

Once the installation of OpenCTI is done, the OpenCTI dashboard looks like this:

It shows threat intelligence details in widgets such as the number of entities, relationships, reports, and observables. The information is updated every 24 hours.

The left side panel of the dashboard contains the Activities, Knowledge, Data, and Settings tabs.

Activities

This section contains the Analysis, Events, and Observations tabs. It helps the security analyst investigate incidents.

The Analysis tab contains entity reports with external links back to the original source. This lets the analyst find incident reports quickly. The analyst can also add notes or opinions to a report.

In the Events tab the analyst can record findings about a threat, including the date the threat was found, the date the report was uploaded to the platform, and the modification date of the report.

The Observations tab displays the technical elements (observables, indicators, and detection rules) identified during a cyber attack. These elements help analysts map out threat events during a hunt and relate what they observe in their own environment to the intel feeds.
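The "relate what you observe to the intel feeds" step is where the Observations tab earns its place, so here is an added example of that step in code (not code from the post or from OpenCTI). OpenCTI exports indicators as STIX 2.1 objects whose `pattern` field is a STIX pattern; the script pulls the atomic observable values out of the simple equality-and-OR subset of that grammar and sweeps a handful of log lines for exact, case-insensitive matches, skipping indicators whose `pattern_type` is not `stix`. The indicators and log lines are constructed for the example (RFC 5737 addresses, `cdn-example.net` domains, a made-up hash); full STIX patterning (comparison operators other than `=`, `FOLLOWEDBY`, qualifiers) is out of scope.

```python
import re

# Constructed indicators in the shape of an OpenCTI STIX export (values invented).
INDICATORS = [
    {"type": "indicator", "name": "C2 server", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.45']"},
    {"type": "indicator", "name": "Staging domain", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'update.cdn-example.net' "
                "OR domain-name:value = 'files.cdn-example.net']"},
    {"type": "indicator", "name": "Dropper", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = "
                "'0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9']"},
    {"type": "indicator", "name": "Constructed YARA rule", "pattern_type": "yara",
     "pattern": "rule constructed { condition: false }"},
]

# Constructed proxy, DNS and EDR log lines to sweep.
LOG_LINES = [
    "2022-10-13T09:12:01Z proxy src=10.0.0.14 dst=203.0.113.45 dport=443 action=allow",
    "2022-10-13T09:12:04Z dns client=10.0.0.14 query=UPDATE.CDN-EXAMPLE.NET type=A",
    "2022-10-13T09:12:09Z edr host=ws-014 file=C:\\Users\\x\\dl.exe "
    "sha256=0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9",
    "2022-10-13T09:13:00Z proxy src=10.0.0.22 dst=198.51.100.7 dport=443 action=allow",
]

# One "object-type:property = 'value'" comparison; the property path may be
# quoted, as in hashes.'SHA-256'.
COMPARISON = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")


def atomic_values(pattern):
    """Yield (object type, property path, value) for each equality in a STIX pattern."""
    for obj_type, path, value in COMPARISON.findall(pattern):
        yield obj_type, path.replace("'", ""), value


def indicator_values(indicators):
    """Flatten STIX-type indicators to (indicator name, 'type:path', value) triples.
    Indicators with another pattern_type (yara, sigma, snort) need their own engine."""
    flat = []
    for ind in indicators:
        if ind.get("pattern_type", "stix") != "stix":
            continue
        for obj_type, path, value in atomic_values(ind["pattern"]):
            flat.append((ind["name"], f"{obj_type}:{path}", value))
    return flat


def sweep(lines, indicators):
    """Return (line number, indicator name, matched value) for every hit."""
    hits = []
    for name, _path, value in indicator_values(indicators):
        # Exact token match, case-insensitive: a bare substring test would let
        # 203.0.113.4 fire on 203.0.113.45 and cause needless triage.
        needle = re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])", re.IGNORECASE)
        for n, line in enumerate(lines, 1):
            if needle.search(line):
                hits.append((n, name, value))
    return sorted(hits)


if __name__ == "__main__":
    for n, name, value in sweep(LOG_LINES, INDICATORS):
        print(f"line {n}: {name} -> {value}")
```

In a real hunt the indicator list would come from an OpenCTI export or its API rather than a literal, and the hits would go back into the platform as sightings, which is what closes the loop between the Observations tab and your own telemetry.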

Knowledge

The Knowledge section contains the Threats, Arsenal, and Entities tabs. Here you can learn more about threat actors, the tools and techniques they use, malware, attack patterns, and vulnerabilities.

Threat Actor — An individual or group that carries out malicious activity against an organization.

Intrusion Sets — A grouped set of TTPs, tools, and infrastructure used by a threat actor against a set of targets.

Campaigns — A series of attacks initiated by a threat actor within a given period and against specific victims.

Arsenal — This tab displays the resources related to attacks: malware, attack patterns, courses of action, tools, and vulnerabilities.

Entities — This tab displays information about sectors, countries, organisations, and individuals.
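Every object type in the Threats, Arsenal, and Entities tabs above is a STIX 2.1 object, and the links you see under an entity's Knowledge tab are STIX relationships (attributed-to, uses, targets, exploits, mitigates). The script below is an added example, not code from the post or from OpenCTI: it builds a small bundle that wires one of each type together the way the platform displays them, and checks that no relationship or report points at an object missing from the bundle (a dangling reference is the usual reason an import produces an incomplete graph). All names, the CVE id and the source URL are constructed; the ATT&CK technique id T1486 is the only real identifier. A bundle of this shape is what OpenCTI's STIX file import consumes.

```python
import json
import uuid
from datetime import datetime, timezone

# Fixed timestamp so the output is reproducible; real objects carry their creation time.
NOW = datetime(2022, 10, 13, tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def sdo(stix_type, **props):
    """A STIX 2.1 object with the mandatory common properties; ids are 'type--UUIDv4'."""
    return {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}",
            "created": NOW, "modified": NOW, **props}


def relate(source, rel_type, target):
    """A STIX Relationship Object: one edge in the graph OpenCTI shows under Knowledge."""
    return sdo("relationship", relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"])


def build_bundle():
    # Threats tab (names constructed for this example)
    actor = sdo("threat-actor", name="Constructed Crew", threat_actor_types=["crime-syndicate"])
    iset = sdo("intrusion-set", name="CONSTRUCTED-SET")
    campaign = sdo("campaign", name="Constructed Q4 campaign", first_seen=NOW)
    # Arsenal tab
    malware = sdo("malware", name="ConstructedLocker", is_family=True, malware_types=["ransomware"])
    tool = sdo("tool", name="ConstructedScanner", tool_types=["information-gathering"])
    technique = sdo("attack-pattern", name="Data Encrypted for Impact",
                    external_references=[{"source_name": "mitre-attack", "external_id": "T1486",
                                          "url": "https://attack.mitre.org/techniques/T1486"}])
    coa = sdo("course-of-action", name="Constructed backup and restore procedure")
    vuln = sdo("vulnerability", name="CVE-2099-0001")  # constructed id, not a real CVE
    # Entities tab
    sector = sdo("identity", name="Healthcare", identity_class="class", sectors=["healthcare"])
    country = sdo("location", name="United States", country="US")

    objects = [actor, iset, campaign, malware, tool, technique, coa, vuln, sector, country]
    relationships = [
        relate(campaign, "attributed-to", iset),   # campaign -> intrusion set -> actor
        relate(iset, "attributed-to", actor),
        relate(iset, "uses", malware),
        relate(iset, "uses", tool),
        relate(malware, "uses", technique),
        relate(malware, "exploits", vuln),
        relate(iset, "targets", sector),
        relate(iset, "targets", country),
        relate(coa, "mitigates", technique),
    ]
    # The report is what the Analysis tab lists; object_refs is its "contains" relation.
    report = sdo("report", name="Constructed report on CONSTRUCTED-SET", published=NOW,
                 report_types=["threat-report"],
                 external_references=[{"source_name": "Constructed source",
                                       "url": "https://example.com/constructed-report"}],
                 object_refs=[o["id"] for o in objects + relationships])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": objects + relationships + [report]}


def dangling_refs(bundle):
    """Ids referenced by relationships or reports that are not present in the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    refs = []
    for o in bundle["objects"]:
        refs += [o.get("source_ref"), o.get("target_ref")]
        refs += o.get("object_refs", [])
    return sorted({r for r in refs if r and r not in ids})


def edges(bundle):
    """(source type, relationship, target type) triples, as the knowledge graph shows them."""
    return sorted((r["source_ref"].split("--")[0], r["relationship_type"],
                   r["target_ref"].split("--")[0])
                  for r in bundle["objects"] if r["type"] == "relationship")


if __name__ == "__main__":
    bundle = build_bundle()
    assert dangling_refs(bundle) == []
    print(json.dumps(bundle, indent=2))
```

Saving the printed JSON to a file and importing it through the platform's file import gives you a threat actor, intrusion set, campaign, malware, tool, attack pattern, course of action, vulnerability, sector and country that you can browse exactly as the FIVEHANDS walkthrough below browses real data.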

As explained earlier, we are now going to gather information about the FIVEHANDS malware. At the top right there is a search box; enter the keyword you want to search for. Here is the result of the search: 7 reports, 5 malware entities, 12 attack patterns, and 18 vulnerabilities.

Let's look at the FIVEHANDS malware report in detail.

Here is the overview of the FireEye report on the ransomware; at the bottom there is an external link to the original report.

If you click on the Knowledge tab you can view the number of reports, indicators, and relationships of the malware, along with its attack patterns.

At the bottom of the page you can view the attack patterns, either in a timeline format or mapped to the global kill chain.

Thanks for Reading…
