Threat Intel the easy way with OpenCTI and Docker
- GK
- Aug 26
- 4 min read
Updated: Sep 17

I've spent endless hours looking at various feeds for cyber intel via websites, LinkedIn, Twitter feeds etc. It's a painful task, wastes time and ends in intel overload!
This guide walks you through the solution: deploying the OpenCTI (Open Cyber Threat Intelligence) platform in Docker, so you can aggregate and analyse threat intelligence in one place.
This is a work in progress blog post

Skills covered:
- Installing and configuring Docker Compose.
- Deploying OpenCTI and adding integrations (AlienVault, MITRE ATT&CK, VulnCheck and VirusTotal).
- Setting data retention.

Prerequisites:
- Proxmox environment already set up (homelab).
- Basic Linux command line knowledge.
- Ubuntu Server 22.04 VM with SSH enabled (recommended specs: 4 CPU, 16GB RAM, 150GB storage).

Official guide: https://docs.opencti.io/latest/deployment/overview/
How it works

I will presume you have Proxmox running and have created a new Ubuntu Server VM called OpenCTI or something similar.
Installing Docker-Compose
Start up the VM, log in as your admin user and run the following to install docker-compose:

sudo apt install docker-compose
Next is installing the OpenCTI Docker files on your machine. It's generally good practice to install under /opt, which keeps them separate from system files and user home directories. It also makes things easier to lock down if you decide to run the stack as a dedicated "opencti" system account rather than the main admin.
Create the directory and change into it:
sudo mkdir -p /opt/opencti && cd /opt/opencti
Download the Docker files:
sudo git clone https://github.com/OpenCTI-Platform/docker.git
Under /opt/opencti/docker you can list the repository contents by running ls -loas (the -a shows hidden files, such as .env.sample used in the next step).

I copied .env.sample to .env using:
cd /opt/opencti/docker
cp .env.sample .env
Then edit the file as appropriate:
sudo nano .env
OPENCTI_ADMIN_PASSWORD="type in an admin portal password"
OPENCTI_ADMIN_TOKEN=RANDOM UUID v4 key (you choose it here; once the platform is up it is shown in the GUI under profile / api access and is the token the connectors use)
OPENCTI_BASE_URL=http://localhost:8080
OPENCTI_HEALTHCHECK_ACCESS_KEY=RANDOM UUID v4 key (https://www.uuidtools.com/v4 each one has to be different.)
MINIO_ROOT_USER=opencti
MINIO_ROOT_PASSWORD="type a new password"
RABBITMQ_DEFAULT_USER=opencti
RABBITMQ_DEFAULT_PASS="type a new password"
CONNECTOR_EXPORT_FILE_STIX_ID=RANDOM UUID v4 key
CONNECTOR_EXPORT_FILE_CSV_ID=RANDOM UUID v4 key
CONNECTOR_EXPORT_FILE_TXT_ID=RANDOM UUID v4 key
CONNECTOR_IMPORT_FILE_STIX_ID=RANDOM UUID v4 key
CONNECTOR_IMPORT_DOCUMENT_ID=RANDOM UUID v4 key
CONNECTOR_ANALYSIS_ID=RANDOM UUID v4 key
SMTP_HOSTNAME=localhost
ELASTIC_MEMORY_SIZE=4G
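As an added example (my own script, not code from the post or the OpenCTI project), the POSIX shell script below generates the .env values listed above: a fresh UUIDv4 for the admin token, the healthcheck key and each of the six CONNECTOR_*_ID entries, and a random 32-character secret for each password. It then checks the written file so that no two UUIDs are the same and none of the "RANDOM UUID v4 key" placeholders survive. It only emits the keys the post shows, so merge the output into the rest of .env.sample. The destination path and base URL are arguments you pass in; reading /proc/sys/kernel/random/uuid is a Linux assumption, with a /dev/urandom fallback for other systems.

```shell
#!/bin/sh
# Added example: generate and verify the OpenCTI .env values from the post.
# Usage: sh gen_env.sh /opt/opencti/docker/.env [http://serverip:8080]
set -eu

# Random UUIDv4: prefer the kernel generator, otherwise build one from
# /dev/urandom with the version (4) and RFC 4122 variant nibbles forced.
gen_uuid() {
  if [ -r /proc/sys/kernel/random/uuid ]; then
    cat /proc/sys/kernel/random/uuid
    return 0
  fi
  hex=$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')
  variant=$(printf '%x' $(( (0x$(printf '%s' "$hex" | cut -c17) & 3) | 8 )))
  printf '%s-%s-4%s-%s%s-%s\n' \
    "$(printf '%s' "$hex" | cut -c1-8)"   "$(printf '%s' "$hex" | cut -c9-12)" \
    "$(printf '%s' "$hex" | cut -c14-16)" "$variant" \
    "$(printf '%s' "$hex" | cut -c18-20)" "$(printf '%s' "$hex" | cut -c21-32)"
}

# 32-character alphanumeric secret; safe to paste into .env without quoting.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
  echo
}

# Write the keys from the post to $1 (owner-readable only). $2 overrides the
# base URL. Only the keys shown in the post are emitted here.
write_env() {
  out=$1
  base_url=${2:-http://localhost:8080}
  {
    printf 'OPENCTI_ADMIN_PASSWORD=%s\n' "$(gen_secret)"
    # the admin token is chosen here and later shown under profile / api access
    printf 'OPENCTI_ADMIN_TOKEN=%s\n' "$(gen_uuid)"
    printf 'OPENCTI_BASE_URL=%s\n' "$base_url"
    printf 'OPENCTI_HEALTHCHECK_ACCESS_KEY=%s\n' "$(gen_uuid)"
    printf 'MINIO_ROOT_USER=opencti\nMINIO_ROOT_PASSWORD=%s\n' "$(gen_secret)"
    printf 'RABBITMQ_DEFAULT_USER=opencti\nRABBITMQ_DEFAULT_PASS=%s\n' "$(gen_secret)"
    for name in CONNECTOR_EXPORT_FILE_STIX_ID CONNECTOR_EXPORT_FILE_CSV_ID \
                CONNECTOR_EXPORT_FILE_TXT_ID CONNECTOR_IMPORT_FILE_STIX_ID \
                CONNECTOR_IMPORT_DOCUMENT_ID CONNECTOR_ANALYSIS_ID; do
      printf '%s=%s\n' "$name" "$(gen_uuid)"   # a different UUID for each one
    done
    printf 'SMTP_HOSTNAME=localhost\nELASTIC_MEMORY_SIZE=4G\n'
  } > "$out"
  chmod 600 "$out"   # secrets live here; keep the file owner-readable only
}

# Check an .env: every *_ID, *_TOKEN and *_ACCESS_KEY must be a distinct
# UUIDv4 (so a leftover "RANDOM UUID v4 key" fails), and every *_PASSWORD /
# *_PASS must be at least 16 characters. Returns 1 on any problem.
check_env() {
  status=0
  seen=""
  uuid_re='^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'
  while IFS= read -r line || [ -n "$line" ]; do
    name=${line%%=*}
    val=${line#*=}
    case $name in
      *_ID|*_TOKEN|*_ACCESS_KEY)
        if ! printf '%s\n' "$val" | grep -Eq "$uuid_re"; then
          echo "error: $name is not a UUIDv4" >&2; status=1
        else
          case " $seen " in
            *" $val "*) echo "error: $name reuses a UUID already in this file" >&2; status=1 ;;
            *) seen="$seen $val" ;;
          esac
        fi ;;
      *_PASSWORD|*_PASS)
        if [ "${#val}" -lt 16 ]; then
          echo "error: $name is too short to be a real secret" >&2; status=1
        fi ;;
    esac
  done < "$1"
  return $status
}

# Generate, then verify, when run with a destination path.
if [ -n "${1:-}" ]; then
  write_env "$1" "${2:-}"
  if check_env "$1"; then echo "wrote $1"; else exit 1; fi
fi
```

Run check_env on its own against an .env you filled in by hand as well; it is the quickest way to catch a UUID pasted twice, which otherwise shows up later as connectors failing to register.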
Start the Docker service:
sudo systemctl start docker.service
Bring up the stack (from /opt/opencti/docker, where docker-compose.yml lives):
sudo docker-compose up -d
You can test that the web page is up by running the below; if it replies with HTML then all is good:
curl http://localhost:8080
Go to http://localhost:8080 or http://serverip:8080 and log in with the credentials configured in your .env file.

Login!
Not much is happening here yet, so we need to set up some connectors and RSS feeds.

Get connected with connectors and RSS Feeds
Connectors form the backbone of the OpenCTI platform, enabling organisations to seamlessly ingest, enrich and share data. Depending on their purpose and functionality, connectors are grouped into specific categories.

This is a list from the OpenCTI Github:
Firstly I added Hacker News to the RSS feeds:

I then added OTX AlienVault. The connectors all use the same basic information, but each needs its own connector UUID and its own API key.
AlienVault connector
Example of the entry in docker-compose.yml:
  connector-alienvault:
    image: opencti/connector-alienvault:rolling
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN="this is in the GUI under profile / api access"
      - CONNECTOR_ID=RANDOM UUID v4 key (https://www.uuidtools.com/v4 each one has to be different.)
      - CONNECTOR_NAME=AlienVault
      - CONNECTOR_SCOPE=alienvault
      - CONNECTOR_LOG_LEVEL=error
      - CONNECTOR_DURATION_PERIOD=PT30M # In ISO8601 format starting with "P" for Period, e.g. "PT30M" = period time of 30 minutes
      - ALIENVAULT_BASE_URL=https://otx.alienvault.com
      - ALIENVAULT_API_KEY="API key from the AlienVault portal"
    restart: always
    depends_on:
      opencti:
        condition: service_healthy
Start the connector:
sudo docker-compose up
Once the new AlienVault connector is up and running you can see it in the OpenCTI portal under Data / Ingestion.

Then I continued to add VirusTotal and VulnCheck, and then MITRE ATT&CK:
  connector-mitre:
    image: opencti/connector-mitre:rolling
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN="this is in the GUI under profile / api access"
      - CONNECTOR_ID=RANDOM UUID v4 key (https://www.uuidtools.com/v4 each one has to be different.)
      - CONNECTOR_NAME=MITRE ATT&CK
      - CONNECTOR_SCOPE=identity,attack-pattern,course-of-action,intrusion-set,malware,tool,report
      - CONNECTOR_CONFIDENCE_LEVEL=75
      - CONNECTOR_LOG_LEVEL=info
      - MITRE_ENTERPRISE_FILE_URL=https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
      - MITRE_MOBILE_ATTACK_FILE_URL=https://raw.githubusercontent.com/mitre/cti/master/mobile-attack/mobile-attack.json
      - MITRE_ICS_ATTACK_FILE_URL=https://raw.githubusercontent.com/mitre/cti/master/ics-attack/ics-attack.json
    restart: always
    depends_on:
      opencti:
        condition: service_healthy

Tips:
- OPENCTI_TOKEN="this is in the GUI under profile / api access": it's recommended to have a separate token for each connector; more on this in a separate OpenCTI configuration post coming soon.
- Don't have extra "version" and "services" lines in the middle of the file; this will stop the other connectors from connecting.
- Keep only one version: "3" line, at the very top.
- Make sure all connectors are indented 2 spaces under the single services: block.
- Use ChatGPT to validate or assist with the YML file!
- Use retention policies to clear data after x weeks (Settings / Customisation / Retention).
- Validate the syntax of docker-compose.yml:
docker-compose config
If it prints out a long YAML with all your services, you're good. If it errors, it is most likely still an indentation issue.
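As an added example (not code from the post or the OpenCTI project), this script turns the tips above into a lint pass over docker-compose.yml that you can run before docker-compose config: one version: line at the top, one services: block, every connector indented two spaces inside it, no CONNECTOR_ID left as a placeholder or shared between two connectors, and a warning when several connectors reuse the same OPENCTI_TOKEN. The sample compose file it carries is constructed for the demo, and the CONNECTOR_ALIENVAULT_ID / CONNECTOR_MITRE_ID variable names in it are assumptions, not keys from .env.sample.

```shell
#!/bin/sh
# Added example: lint docker-compose.yml against the tips from the post.
# Usage: sh lint_compose.sh /opt/opencti/docker/docker-compose.yml
set -eu

# Structural checks in awk, so nothing beyond a POSIX shell is needed.
# Exit status 1 when any error is found; warnings do not fail the run.
lint_compose() {
  awk '
    function err(msg) { nerr++; print ("error: " msg) > "/dev/stderr" }
    { line = $0; sub(/#.*/, "", line) }                  # drop comments
    line ~ /^[ \t]*$/ { next }                            # skip blank lines
    !seen_any { seen_any = 1
      if (line !~ /^version:/) err("first statement is not version: (line " NR ")") }
    line ~ /^version:/ { if (++versions > 1) err("extra version: line mid-file (line " NR ")"); next }
    line ~ /^services:/ { in_services = 1
      if (++services > 1) err("extra services: line mid-file (line " NR ")"); next }
    line ~ /^[^ \t]/ { in_services = 0; next }            # volumes:, networks:, ...
    line ~ /^[ \t]*connector-[A-Za-z0-9_-]+:[ \t]*$/ {    # a connector service
      match(line, /^[ \t]*/); indent = RLENGTH
      name = line; sub(/^[ \t]*/, "", name); sub(/:.*/, "", name)
      if (!in_services) err(name ": defined outside the services: block (line " NR ")")
      else if (indent != 2) err(name ": indented " indent " spaces, expected 2 (line " NR ")")
      svc = name; next
    }
    line ~ /^  [A-Za-z0-9_-]+:[ \t]*$/ { svc = line; sub(/^ */, "", svc); sub(/:.*/, "", svc); next }
    line ~ /^[ \t]*-[ \t]*CONNECTOR_ID=/ {
      val = line; sub(/^[ \t]*-[ \t]*CONNECTOR_ID=/, "", val); sub(/[ \t]*$/, "", val)
      if (val == "" || val ~ /[ \t]/ || val ~ /^RANDOM/) err(svc ": CONNECTOR_ID is still a placeholder")
      else if (val in ids) err(svc ": CONNECTOR_ID duplicates that of " ids[val])
      else ids[val] = svc
      next
    }
    line ~ /^[ \t]*-[ \t]*OPENCTI_TOKEN=/ {
      val = line; sub(/^[ \t]*-[ \t]*OPENCTI_TOKEN=/, "", val)
      tokens[val] = (val in tokens) ? tokens[val] "," svc : svc
    }
    END {
      if (!versions) err("no version: line")
      if (!services) err("no services: block")
      for (t in tokens) if (tokens[t] ~ /,/)
        print ("warning: OPENCTI_TOKEN shared by " tokens[t] " (one token per connector is recommended)") > "/dev/stderr"
      exit (nerr > 0)
    }
  ' "$1"
}

# Structural lint first, then docker-compose's own parser when it is installed.
validate_compose() {
  lint_compose "$1" || return 1
  if command -v docker-compose >/dev/null 2>&1; then
    docker-compose -f "$1" config >/dev/null
  fi
}

# Constructed sample in the shape the post uses (CONNECTOR_*_ID names are
# placeholders for the demo). The shared admin token triggers the warning.
sample_compose() {
  cat <<'EOF'
version: "3"
services:
  opencti:
    image: opencti/platform:rolling
  connector-alienvault:
    image: opencti/connector-alienvault:rolling
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_ALIENVAULT_ID}
      - CONNECTOR_NAME=AlienVault
    restart: always
  connector-mitre:
    image: opencti/connector-mitre:rolling
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_MITRE_ID}
      - CONNECTOR_NAME=MITRE ATT&CK
    restart: always
volumes:
  esdata:
EOF
}

if [ -n "${1:-}" ]; then
  validate_compose "$1" && echo "$1 looks good"
fi
```

The awk pass reports every problem with its line number rather than stopping at the first one, which is what you want when an indentation slip has knocked several connectors out of the services: block at once.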
Add the recent Mitre addition and check the logs:
docker-compose up -d
docker-compose logs -f connector-mitre
Or restart everything:

docker-compose down
docker-compose up -d
Confirm:
docker ps
You should now see 10+ containers (OpenCTI core services + workers + connectors).
I checked back and the portal now displays AlienVault, VirusTotal, VulnCheck and MITRE ATT&CK:

Issues encountered
Before carrying out any repairs, please back up or take a snapshot of your VM!
VulnCheck and Orphan errors while running "docker-compose up"
Cleaned up the system by running the following:
sudo docker-compose up -d --remove-orphans
docker-compose down
docker-compose up -d
Test: curl http://localhost:8080

Further guides for the configuration coming soon, subscribe to the monthly newsletter!
Useful Commands (in progress)
Check OpenCTI health: docker-compose logs -f opencti
Check Connector: docker-compose logs -f connector-mitre
Verify the containers are running: docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
I am getting this error when I try sudo docker-compose up -d
Status: Downloaded newer image for opencti/connector-import-document:6.7.16
Creating docker_redis_1 ... done
Creating docker_rabbitmq_1 ... done
Creating docker_minio_1 ... done
Creating docker_elasticsearch_1 ... done
ERROR: for opencti Container "e2f6cbb2bd3a" is unhealthy.
ERROR: Encountered errors while bringing up the project.
In all guides I get this same error, is it not bugged? I am trying on Ubuntu 22.04.5