We briefly talked about cyber threat intelligence, the tools and platforms used for it, and how threat data is ingested into these tools. We covered the OpenCTI platform and explained its components, including the Threats, Arsenal and Analysis sections. We concluded the video with an investigative scenario about a malware family and threat group, using OpenCTI to gather threat intel. This was part of the TryHackMe OpenCTI room in the SOC Level 1 pathway.
Provide an understanding of the OpenCTI Project.
Cyber Threat Intelligence is typically a management challenge, with organisations struggling with how to input, digest, analyse and present threat data in a way that makes sense. From the rooms linked in the overview, it is clear that numerous platforms have been developed to tackle the juggernaut that is Threat Intelligence.
OpenCTI is another open-source platform designed to provide organisations with the means to manage CTI through the storage, analysis, visualisation and presentation of threat campaigns, malware and IOCs.
Developed in collaboration with the French National Cybersecurity Agency (ANSSI), the platform's main objective is to provide a comprehensive tool that allows users to capitalise on technical and non-technical information while maintaining the relationships between each piece of information and its primary source. The platform can use the MITRE ATT&CK framework to structure the data. Additionally, it can be integrated with other threat intel tools such as MISP and TheHive. Rooms on these tools have been linked in the overview.
OpenCTI Data Model
OpenCTI uses a variety of knowledge schemas to structure data, the main one being the Structured Threat Information Expression (STIX 2) standard. STIX is a serialised, standardised (JSON-based) language used for threat intelligence exchange. It represents data as entities (STIX Domain Objects such as malware, attack patterns, intrusion sets and identities) and the relationships between them (STIX Relationship Objects), and each object can carry a reference to the identity that created it, so every piece of information can be traced back to its origin.
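The following is an added example, not code from the TryHackMe room or from the OpenCTI project, showing how the entity-and-relationship model works in practice. It builds a constructed STIX 2.1 bundle (all names and UUIDs are made up for illustration) and walks it the way OpenCTI's knowledge graph does: domain objects become nodes, relationship objects become typed edges, and created_by_ref points back to the author. It answers the kinds of questions the room asks (kill-chain phase of a technique, author of an entity, techniques a malware uses, techniques a group uses for initial access) and adds one check a practitioner wants before pushing a bundle into a platform: finding relationship endpoints that resolve to no object.

```python
import json
from collections import defaultdict

# Made-up STIX identifiers used by the constructed sample bundle below.
IDENTITY = "identity--aaaaaaaa-0000-4000-8000-000000000001"
T_CLI = "attack-pattern--bbbbbbbb-0000-4000-8000-000000000001"
T_PHISH = "attack-pattern--bbbbbbbb-0000-4000-8000-000000000002"
MALWARE = "malware--cccccccc-0000-4000-8000-000000000001"
GROUP = "intrusion-set--dddddddd-0000-4000-8000-000000000001"

# Constructed sample data (not real intel), kept as JSON text to mirror what a
# connector hands to the platform. One edge is deliberately dangling.
SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle", "id": "bundle--eeeeeeee-0000-4000-8000-000000000001",
    "objects": [
        {"type": "identity", "spec_version": "2.1", "id": IDENTITY,
         "name": "Example CTI Team", "identity_class": "organization"},
        {"type": "attack-pattern", "spec_version": "2.1", "id": T_CLI,
         "name": "Command-Line Interface", "created_by_ref": IDENTITY,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack",
                                "phase_name": "execution"}]},
        {"type": "attack-pattern", "spec_version": "2.1", "id": T_PHISH,
         "name": "Spearphishing Attachment", "created_by_ref": IDENTITY,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack",
                                "phase_name": "initial-access"}]},
        {"type": "malware", "spec_version": "2.1", "id": MALWARE,
         "name": "SampleRAT", "is_family": True, "created_by_ref": IDENTITY},
        {"type": "intrusion-set", "spec_version": "2.1", "id": GROUP,
         "name": "Sample Group", "created_by_ref": IDENTITY},
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "uses",
         "id": "relationship--ffffffff-0000-4000-8000-000000000001",
         "source_ref": MALWARE, "target_ref": T_CLI},
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "uses",
         "id": "relationship--ffffffff-0000-4000-8000-000000000002",
         "source_ref": GROUP, "target_ref": MALWARE},
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "uses",
         "id": "relationship--ffffffff-0000-4000-8000-000000000003",
         "source_ref": GROUP, "target_ref": T_PHISH},
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "uses",
         "id": "relationship--ffffffff-0000-4000-8000-000000000004",
         "source_ref": GROUP,  # target below was never shipped in the bundle
         "target_ref": "tool--99999999-0000-4000-8000-000000000001"},
    ],
})


class StixGraph:
    """Index a STIX 2.1 bundle as nodes (by id) and typed 'relationship' edges."""

    def __init__(self, bundle_json):
        objs = json.loads(bundle_json)["objects"]
        self.nodes = {o["id"]: o for o in objs if o["type"] != "relationship"}
        self.edges = [o for o in objs if o["type"] == "relationship"]
        # Outgoing adjacency keyed by (source id, relationship type).
        self.out = defaultdict(list)
        for e in self.edges:
            self.out[(e["source_ref"], e["relationship_type"])].append(e["target_ref"])

    def find(self, name, obj_type):
        """Look up a node by display name and STIX type; None if absent."""
        for o in self.nodes.values():
            if o["type"] == obj_type and o.get("name") == name:
                return o
        return None

    def author(self, obj):
        """Follow created_by_ref back to the identity that produced the object."""
        ident = self.nodes.get(obj.get("created_by_ref", ""))
        return ident["name"] if ident else None

    def kill_chain_phases(self, obj):
        return sorted(p["phase_name"] for p in obj.get("kill_chain_phases", []))

    def uses(self, obj, target_type, phase=None):
        """Names of target_type objects obj 'uses', optionally filtered by phase."""
        names = []
        for tid in self.out[(obj["id"], "uses")]:
            t = self.nodes.get(tid)
            if t is None or t["type"] != target_type:
                continue
            if phase and phase not in self.kill_chain_phases(t):
                continue
            names.append(t["name"])
        return sorted(names)

    def used_by(self, obj, source_type):
        """Reverse direction: source_type objects with a 'uses' edge into obj."""
        names = []
        for e in self.edges:
            if e["relationship_type"] != "uses" or e["target_ref"] != obj["id"]:
                continue
            src = self.nodes.get(e["source_ref"])
            if src is not None and src["type"] == source_type:
                names.append(src["name"])
        return sorted(names)

    def dangling_refs(self):
        """Relationship endpoints that resolve to no object in this bundle."""
        refs = {r for e in self.edges for r in (e["source_ref"], e["target_ref"])}
        return sorted(r for r in refs if r not in self.nodes)


if __name__ == "__main__":
    g = StixGraph(SAMPLE_BUNDLE_JSON)
    cli = g.find("Command-Line Interface", "attack-pattern")
    rat = g.find("SampleRAT", "malware")
    grp = g.find("Sample Group", "intrusion-set")
    print("CLI kill-chain phases:", g.kill_chain_phases(cli))
    print("Author of SampleRAT:", g.author(rat))
    print("Techniques used by SampleRAT:", g.uses(rat, "attack-pattern"))
    print("Malware using CLI:", g.used_by(cli, "malware"))
    print("Group initial-access techniques:", g.uses(grp, "attack-pattern", "initial-access"))
    print("Dangling refs:", g.dangling_refs())
```

The dangling-reference check matters because a bundle exported from one platform and imported into another often loses objects along the way; an edge whose endpoint is missing is exactly the kind of record a platform will reject or silently drop, leaving gaps in the relationship view the analyst later relies on.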
What kill-chain phase is linked with the Command-Line Interface Attack Pattern?
Within the Activities category, which tab would house the Indicators?
Who is the author of the entity?
Which Attack technique is used by the malware for execution?
How many malware relations are linked to this Attack technique?
Which 3 tools were used by the Attack Technique in 2016? (Ans: Tool1, Tool2, Tool3)
What country is APT37 associated with?
Which Attack techniques are used by the group for initial access? (Ans: Technique1, Technique2)