The first version of OpenCTI was created to allow organizations to capitalize on and easily visualize their knowledge about cyber threats. We started by implementing basic functions to model this knowledge using a hypergraph technology. All modeling is based on the initial report. We have also developed different views to navigate and pivot on entities and relationships.
Our first priority with the minor releases following the publication of the source code is to stabilize the basic features and to allow new users to learn about the knowledge schema and the implementation of the hypergraph model. It is also about explaining the long-term vision of the platform. This is being achieved by releasing complete documentation and a demonstration instance.
In the short term, the priority is to complete the development of the new connector architecture, since connectors are the cornerstone of data acquisition. It will enable users to really control the execution of connectors, provide an accurate view of the status of current imports and possible errors, and accelerate the development of new connectors by the community.
To extend what users can do with their data, our next priority is to finish all the features related to the import and export of information. At a minimum, the STIX 2 and CSV formats will be fully supported in both directions. Import and export will be asynchronous: background processes dedicated to these tasks will do the work, then store the resulting files in an S3-compatible object store provided for this purpose.
Once data has been imported into the platform, either automatically or directly by analysts, a range of specific connectors called "enrichment" connectors will enrich it automatically. One of the first planned connectors will act on observables through CORTEX. Others will follow to enrich vulnerabilities, tools, and other available entities.
For now, the implemented hypergraph model is not fully represented within the platform, both in reports and in pivots between entities. Only relationships between entities are displayed, and relations to relations (nested relations) are often integrated directly as elements of a relation. The platform will consider and display relations to relations as implemented in the model.
The primary data and the associated enrichment can be browsed using the basic features of the platform. In the medium term, one of the development priorities will be to offer advanced analytics and visualization features through dynamic widgets and personalized dashboards. This will allow users to monitor or compare threats and other elements of the platform.
In the current version, the capitalization of information within a report is done at the strategic and tactical levels only (victimology, techniques / malicious code used, etc.). We are planning to introduce more detailed levels of capitalization in all sections of the platform, allowing for instance the representation of an attacker's actions in an information system and the associated observables.
All platform data is fully integrated into an entity-relationship model that can be browsed step by step or through specific searches. An exploration engine represented as a graph will be developed to allow investigations and unprecedented representations, with the ability to perform pattern searches graphically and intuitively. Analysts will be able to organize these investigations into workspaces according to their needs.
The platform is based on a hypergraph database that embeds graph traversal algorithms to detect clusters, compute the shortest path, or compute the centrality of an entity within a larger subset. Ranging from observables to strategic actors and using the enrichment of each entity, these features will be used to offer advanced correlation capabilities.
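To illustrate the kind of correlation these traversals enable, here is an added example (not OpenCTI's own code) that runs shortest path, degree centrality and cluster detection over a small, constructed entity-relationship graph; the intrusion-set, malware and domain names are illustrative only, and the three functions stand in for what the hypergraph database provides natively.

```python
from collections import defaultdict, deque

# Constructed sample: a tiny entity-relationship graph of the kind OpenCTI
# stores (intrusion sets, malware, sectors, observables). Names are illustrative.
EDGES = [
    ("intrusion-set:APT-Alpha", "uses", "malware:Loader-1"),
    ("intrusion-set:APT-Alpha", "targets", "sector:Energy"),
    ("malware:Loader-1", "communicates-with", "domain:c2.example"),
    ("intrusion-set:APT-Beta", "uses", "malware:Dropper-2"),
    ("malware:Dropper-2", "communicates-with", "domain:c2.example"),
    ("intrusion-set:APT-Gamma", "targets", "sector:Finance"),
]

def build_graph(edges):
    """Undirected adjacency list; the relationship type is kept for explanation."""
    adj = defaultdict(dict)
    for src, rel, dst in edges:
        adj[src][dst] = rel
        adj[dst][src] = rel
    return adj

def shortest_path(adj, start, goal):
    """BFS shortest path between two entities; None when they are unconnected."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]          # e.g. Alpha -> Loader-1 -> c2 -> Dropper-2 -> Beta
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def degree_centrality(adj):
    """Distinct neighbours per entity; shared infrastructure scores high."""
    return {node: len(neigh) for node, neigh in adj.items()}

def clusters(adj):
    """Connected components: entities in different components cannot be correlated."""
    seen, comps = set(), []
    for node in adj:
        if node in seen:
            continue
        comp, stack = set(), [node]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n); comp.add(n); stack.extend(adj[n])
        comps.append(comp)
    return comps
```

Here the two intrusion sets are linked only through the shared C2 domain, which is exactly the pivot an analyst would want the platform to surface.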