The first version of OpenCTI was created to let organizations consolidate (capitalize) their knowledge of cyber threats and visualize it simply. Basic functions were implemented to model this knowledge as a hypergraph and to modify it through reports. All the views needed to navigate and pivot on entities and relationships have been developed.
The first priority of the minor releases that follow the release of the source code is to stabilize the basic features and to let new users learn the knowledge schema and the implementation of the hypergraph model, thanks to complete documentation and a demonstration instance. It is also about explaining the long-term vision of the platform.
In the short term, the priority is to complete the development of the new connector architecture, as connectors are the cornerstone of data acquisition. It will let users really control the execution of connectors, provide an accurate view of the status of current imports and of possible errors, and speed up the development of new connectors by the community.
To complete the possibilities offered to users to manage their data, the next priority is to finish all the features related to importing and exporting information. At a minimum, the STIX 2 and CSV formats will be fully supported in both directions. Import and export must be asynchronous, run in the background processes dedicated to these tasks, and store the resulting files in an S3-compatible storage provided for this purpose.
Once the data is in the platform, whether added automatically or directly by analysts, a range of specific connectors called ``enrichment`` connectors must allow these data to be enriched automatically. One of the first will act on observables through CORTEX, but others will enrich vulnerabilities, tools and other available entities.
Today, the implemented hypergraph model is not fully represented within the platform, neither in reports nor in the pivots between entities. Only relationships between entities are displayed, and relations to relations (nested relations) are often folded directly into a relation as one of its attributes. The platform will take relations to relations into account and display them as implemented in the model.
The primary data and the associated enrichment can be browsed thanks to the basic features of the platform. In the medium term, one of the development priorities will be to offer advanced analytics and visualization features through dynamic widgets and personalized dashboards. This will allow users to monitor or compare certain threats or features of the platform.
In the current version, information within a report can only be captured at the strategic and tactical levels (victimology, techniques and malicious code used, etc.). It is planned to introduce more detailed levels of capture in all sections of the platform, allowing for instance the representation of an attacker's actions within an information system and the associated observables.
All platform data is fully integrated into an entity-relationship model that can be browsed step by step or through specific searches. An exploration engine represented as a graph will be developed to allow investigations and unprecedented representations, with the ability to perform pattern searches graphically and intuitively. Analysts will be able to organize these investigations into workspaces according to their needs.
The platform is based on a hypergraph database that embeds graph traversal algorithms to detect clusters, compute the shortest path, or compute the centrality of an entity within a larger subset. From observables up to strategic actors, and using the enrichment of each entity, these features will be used to offer advanced correlation capabilities.
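To make the two ideas above concrete, the nested relations of the hypergraph model and traversal from an observable up to a strategic actor, here is a small in-memory model written for this page; it is an added illustration, not OpenCTI code. Relations are elements of their own, so one relation (an intrusion set targeting a sector) can be the source of another (located at a country), and a breadth-first search walks through that nested relation. All ids and names are constructed placeholders.

```python
from collections import deque

# Constructed sample (not OpenCTI data): STIX-style ids with placeholder suffixes.
ENTITIES = {"intrusion-set--0001": "Example Intrusion Set", "identity--0002": "Energy sector",
            "location--0003": "Example Country", "ipv4-addr--0004": "203.0.113.10"}
# (relation id, type, source, target); a source or target may itself be a relation id.
RELATIONS = [("relationship--r1", "targets", "intrusion-set--0001", "identity--0002"),
             ("relationship--r2", "located-at", "relationship--r1", "location--0003"),  # nested
             ("relationship--r3", "indicates", "ipv4-addr--0004", "intrusion-set--0001")]


class Hypergraph:
    """Entities and relations are both addressable, so a relation can be an endpoint of another."""

    def __init__(self, entities, relations):
        self.entities, self.relations, self.adj = dict(entities), {}, {}
        for rid, rtype, src, dst in relations:
            for ref in (src, dst):  # endpoints must already exist (entity or relation)
                assert ref in self.entities or ref in self.relations, f"{rid}: unknown {ref}"
            self.relations[rid] = (rtype, src, dst)
            for a, b in ((src, rid), (rid, dst)):  # the relation is a node of its own
                self.adj.setdefault(a, set()).add(b)
                self.adj.setdefault(b, set()).add(a)

    def is_nested(self, rid):
        _, src, dst = self.relations[rid]
        return src in self.relations or dst in self.relations

    def pivot(self, elem):
        """One-hop view from an entity or a relation: (relation id, type, other end)."""
        out = []
        for rid, (rtype, src, dst) in sorted(self.relations.items()):
            if elem in (src, dst):
                out.append((rid, rtype, dst if src == elem else src))
        return out

    def shortest_path(self, start, goal):
        """BFS over entities and relations alike; the path may run through a nested relation."""
        prev, queue = {start: None}, deque([start])
        while queue:
            cur = queue.popleft()
            if cur == goal:
                path = [cur]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            for nxt in sorted(self.adj.get(cur, ())):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        return None
```

Pivoting on `relationship--r1` returns the nested `located-at` relation that today would only appear as an attribute of the `targets` relation, and the path from the observable to the country passes through both relations.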