Strategic roadmap

Knowledge management

Q3 2019: Organize the cyber threat intelligence data and knowledge

The first version of OpenCTI was created to allow organizations to capitalize on and easily visualize their knowledge of cyber threats. We started by implementing basic functions to model this knowledge using a hypergraph technology. All modeling is based on the initial report. We have also developed different views to navigate and pivot on entities and relationships.

Stabilization and documentation

Q3 2019: Welcome newcomers

Our first priority with the minor releases following the publication of the source code is to stabilize the basic features and to allow new users to learn about the knowledge schema and the implementation of the hypergraph model. It is also about explaining the long-term vision of the platform. This is being achieved by releasing complete documentation and a demonstration instance.

Integration capabilities

Q4 2019: Develop connectors architecture

In the short term, the priority is to complete the development of the new connector architecture, as connectors are the cornerstone of data acquisition. It will enable users to really control the execution of connectors, provide an accurate view of the status of current imports and possible errors, and accelerate the development of new connectors by the community.

Import/export features

Q4 2019: Improve management of the data

In order to extend the possibilities offered to users to manage their data, our next priority is to finish all features related to the import and export of information. At a minimum, the STIX 2 and CSV formats will be fully supported in both directions. Import and export of data should be asynchronous: background processes dedicated to these tasks will perform them and then store the resulting files in an S3-compatible storage provided for this purpose.

Data enrichment

Q1 2020: Enable automatic data completion

Once the data is imported into the platform, either automatically or directly by analysts, a range of specific connectors called ``enrichment`` connectors will automatically enrich it. One of the first planned connectors will act on observables through CORTEX. Others will follow to enrich vulnerabilities, tools and other available entities.

Display of the whole model

Q1 2020: Make relations to relations visible

For now, the implemented hypergraph model is not fully represented within the platform, neither in reports nor in the pivots between entities. Only relationships between entities are displayed, and relations to relations (nested relations) are often directly integrated as elements of a relation. The platform will take into account and display relations to relations as implemented in the model.

Integration and performance tests

Q2 2020: Professional usage and community involvement

As the platform evolves quickly, it is imperative that it has the most complete integration and performance test coverage possible. This will stabilize API methods and client libraries and allow us to compare performance between releases, in particular for data ingestion. It will also make community contributions easier by providing a framework to verify code modifications.

Collaborative work and traceability

Q2 2020: History of entities, collaboration and notification

Multiple connectors allow data to be ingested or modified automatically in the platform. Users can also capitalize information through the web interface. Entities and relationships must therefore have a clear modification history and be able to correctly highlight content that was modified manually. These technical logs will be supplemented by functional logs as the first building block of the collaboration features: comments, assignment, notifications, etc.

Platform monitoring

Q3 2020: Follow the ingestion and the state of data

A lot of information is sent through the connectors to the platform for writing. It is very difficult for the user to know the exact state of the data that has been correctly created or modified. This feature aims both to allow analysts to monitor the ingestion of new information into the platform and to detect duplicates, purge certain data and clearly view the status of the platform.

Advanced analytics and visualization

Q1 2021: Develop dynamic widgets and dashboards

The primary data and the associated enrichment can be browsed thanks to the basic features of the platform. In the medium term, one of the development priorities will be to offer advanced analytics and visualization features through dynamic widgets and personalized dashboards. This will allow users to monitor or compare threats, or features of the platform, over time.

Integration with detection devices and SIEM

Objective: Interaction of the platform with IPS / EDR / SIEM

Once the knowledge management and collaborative work features (notifications, assignment, history, etc.) are implemented, OpenCTI will have to fully integrate with the operational cybersecurity ecosystem of an organization. This covers both the processing of observables and indicators by detection and hunting devices and the ability of the platform to ingest feedback such as the number of false positives, observations, etc.

Multiple layers of knowledge

Objective: Offer more low level information

In the current version, the capitalization of information within a report is done at the strategic and tactical levels only (victimology, techniques / malicious code used, etc.). We are planning to introduce more detailed levels of capitalization in all sections of the platform, allowing for instance the representation of an attacker's actions within an information system and the associated observables.

Inter-platform synchronization

Objective: Share data between platform instances

The import and export features, as well as the connectors, cover most needs today, as long as the platform is not massively adopted. However, it seems necessary to allow organizations that operate OpenCTI instances to synchronize them according to precise distribution and sharing policies. Depending on the tagging and the communities defined, several synchronization features will make it easier to share data between platforms.

Investigation graph

Objective: Expand entities-relationships representation

All platform data is fully integrated into an entity-relationship model that can be browsed step by step or through specific searches. An exploration engine represented as a graph will be developed to allow investigations and unprecedented representations, with the ability to perform pattern searches graphically and intuitively. Analysts will be able to organize these investigations into workspaces according to their needs.

Data segregation

Objective: Permissions management on entities and relationships

Correlation engine

Objective: Further correlation capabilities

The platform is based on a hypergraph database that embeds graph traversal algorithms to detect clusters and to compute the shortest path between entities or the centrality of an entity within a larger subset. Ranging from observables up to strategic actors, and using the enrichment of each entity, these features will be used to offer advanced correlation capabilities.
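As an added illustration (not OpenCTI's own code or data) of the traversal features named above and of the nested relations from the "Display of the whole model" item, the following Python builds a small constructed knowledge base in which relationships are addressable nodes, so a relation pointing at another relation is just one more edge, then runs a shortest-path search from an observable up to a threat actor and a degree-centrality count; every identifier and value below is made up.

```python
from collections import defaultdict, deque
# Constructed sample knowledge base (not OpenCTI's data). Relationships carry their
# own ids so a relation can be the endpoint of another relation (nested relation).
ENTITIES = {
    "ta1": "Threat-Actor (constructed)",
    "mal1": "Malware (constructed)",
    "obs1": "Observable 198.51.100.7 (RFC 5737 documentation address)",
    "obs2": "Observable example.invalid",
    "sector1": "Sector: Energy",
    "rep1": "Report (constructed)",
}
# Tuples are (relationship id, source id, relationship type, target id).
RELATIONSHIPS = [
    ("r1", "ta1", "uses", "mal1"),
    ("r2", "obs1", "indicates", "mal1"),
    ("r3", "obs2", "indicates", "mal1"),
    ("r4", "ta1", "targets", "sector1"),
    ("r5", "rep1", "object", "r1"),  # nested: the report points at relation r1 itself
]

def build_adjacency(relationships):
    """Undirected adjacency in which every relationship is itself a node linked to
    its source and target, so traversals pass through (and into) relationships."""
    adj = defaultdict(set)
    for rid, src, _rtype, dst in relationships:
        for endpoint in (src, dst):
            adj[rid].add(endpoint)
            adj[endpoint].add(rid)
    return adj

def shortest_path(adj, start, goal):
    """BFS; returns the node sequence (relationship ids included) or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(adj[node]):  # sorted keeps paths deterministic
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def degree_centrality(adj, entities):
    """Number of relationships each entity takes part in; the top one is a pivot."""
    return {e: len(adj[e]) for e in entities}
```

The path from the observable to the actor passes through the malware and its relationships, and the path from the report reaches the actor only by traversing the nested relation r5 -> r1.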