Strategic roadmap

Knowledge management

Q3 2019: Organize the cyber threat intelligence data and knowledge

The first version of OpenCTI was created to let organizations consolidate and easily visualize their knowledge about cyber threats. We started by implementing the basic functions needed to model this knowledge on top of a hypergraph database. All modeling is based on the initial report. We have also developed different views to navigate and pivot between entities and relationships.

Stabilization and documentation

Q3 2019: Welcome newcomers

Our first priority with the minor releases following the publication of the source code is to stabilize the basic features and to allow new users to learn about the knowledge schema and the implementation of the hypergraph model. It is also about explaining the long-term vision of the platform. This is being achieved by releasing complete documentation and a demonstration instance.

Integration capabilities

Q4 2019: Develop connectors architecture

In the short term, the priority is to complete the development of the new connector architecture, as connectors are the cornerstone of data acquisition. It will enable users to really control the execution of connectors, provide an accurate view of the status of current imports and of possible errors, and accelerate the development of new connectors by the community.

Import/export features

Q4 2019: Improve management of the data

To extend the options available to users for managing their data, our next priority is to finish all the features related to the import and export of information. At a minimum, the STIX 2 and CSV formats will be fully supported in both directions. Import and export should be asynchronous: background processes dedicated to these tasks will do the work and then store the resulting files in an S3-compatible object store provided for this purpose.

Data enrichment

Q1 2020: Enable automatic data completion

Once data is imported into the platform, either automatically or directly by analysts, a range of specific connectors called ``enrichment`` connectors will allow data to be enriched automatically. One of the first planned connectors will act on observables through CORTEX. Others will follow to enrich vulnerabilities, tools and the other available entities.

Display of the whole model

Q1 2020: Make relations to relations visible

For now, the implemented hypergraph model is not fully represented within the platform, neither in reports nor in the pivots between entities. Only relationships between entities are displayed, and relations to relations (nested relations) are often flattened into attributes of a relationship. The platform will consider and display relations to relations as implemented in the model.

Integration and performance tests

Q2 2020: Professional usage and community involvement

As the platform evolves quickly, it is imperative that it has the most complete integration and performance test coverage possible. This will stabilize API methods and client libraries, and allow us to compare performance between releases, in particular data ingestion. It will also make community contributions easier by providing a framework to verify code modifications.

Collaborative work and traceability

Q2 2020: History of entities, collaboration and notification

Multiple connectors allow data to be ingested or modified automatically in the platform. Users can also record information through the web interface. Entities and relationships must therefore have a clear modification history and be able to highlight clearly which content was modified manually. These technical logs will be supplemented by functional logs as the first building block of the collaboration features: comments, assignment, notifications, etc.

Platform monitoring

Q3 2020: Follow the ingestion and the state of data

A lot of information is sent through the connectors to the platform for writing. It is very difficult for the user to know the exact state of the data that has been correctly created or modified. This feature aims to let analysts monitor the ingestion of new information in the platform, and also to detect duplicates, purge certain data and clearly view the status of the platform.

Advanced analytics and visualization

Q1 2021: Develop dynamic widgets and dashboards

The primary data and the associated enrichment can be browsed thanks to the basic features of the platform. In the medium term, one of the development priorities will be to offer advanced analytics and visualization features through dynamic widgets and personalized dashboards. This will allow users to monitor or compare threats, as well as the activity of the platform itself.

Data segregation

Q2 2021: Permissions management on entities and relationships

Expose data for consumption

Q2 2021: Expose TAXII APIs and new real-time streaming capabilities

OpenCTI is becoming a great platform to organize and aggregate cyber threat intelligence data but still lacks capabilities to export data (except CSV and STIX 2). The objective is to have a built-in TAXII 2 API as well as consistent live data streams for connectors and third-party products. These features will allow many more integration use cases and let organizations operationalize threat intelligence.

Integration with detection devices and SIEM

Q2 2021: Interaction of the platform with IPS / EDR / SIEM

Once the knowledge management and collaborative work features (notifications, assignment, history, etc.) are implemented, OpenCTI will have to fully integrate with the operational cybersecurity ecosystem of an organization. This covers both the processing of observables and indicators by detection and hunting devices, and the ability of the platform to ingest feedback such as the number of false positives, observations, etc.

Investigation graph

Q3 2021: Expand entities-relationships representation

All platform data is fully integrated into an entity-relationship model that can be browsed step by step or through specific searches. An exploration engine represented as a graph will be developed to allow investigations and new kinds of representations, with the ability to perform pattern searches graphically and intuitively. Analysts will be able to organize these investigations into workspaces according to their needs.

Inter-platform synchronization

Q3 2021: Share data between platform instances

The import and export features as well as the connectors currently cover most needs, as long as the platform is not massively adopted. However, it seems necessary to allow organizations that run several OpenCTI instances to synchronize them according to precise distribution and sharing policies. Depending on the tagging and the communities defined, several synchronization features will make it easier to share data between platforms.

Collaboration and subscriptions

Q4 2021: More interactions between analysts and email alerting

The purpose of this milestone is to ease interaction between analysts with comments, notes and opinions everywhere. Notes will also be displayed in the timeline of an entity. Opinions should be easy to record and displayed in an elegant way. Users must be able to subscribe to new knowledge, new reports or indicators about one or multiple entities and receive a digest of the data.

Inferences and data lifecycle

Q4 2021: Generic reasoning engine with flexible rules

The entity-relationship model has some limitations, especially when it comes to computing statistics and trends, but also when displaying all the knowledge related to a specific entity. This release will introduce a generic reasoning engine with logical rules to infer new relationships.
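To make the idea of rule-based inference concrete, here is a small forward-chaining engine over STIX-style relationship triples. This is an added example, not OpenCTI's own inference engine: the rules, entity ids and relationships are constructed for illustration. Each inferred relationship keeps the pair of premises it was derived from, which is what makes it possible to explain an inference to an analyst and to retract it when one of its premises is deleted (the "data lifecycle" half of this milestone).

```python
"""Minimal forward-chaining inference over CTI relationships.

Added example, not OpenCTI's own inference engine: the rules, entity ids
and relationships below are constructed for illustration.
"""
from collections import namedtuple

# A relationship as a (source, type, target) triple, STIX-style.
Rel = namedtuple("Rel", "source type target")

# Constructed knowledge base: what analysts and connectors wrote to the platform.
KNOWN = {
    Rel("intrusion-set--apt-x", "attributed-to", "threat-actor--group-y"),
    Rel("intrusion-set--apt-x", "uses", "malware--loader-z"),
    Rel("malware--loader-z", "uses", "attack-pattern--phishing"),
    Rel("campaign--op-1", "attributed-to", "intrusion-set--apt-x"),
}

# Illustrative chain rules (assumed, not the platform's real rule set):
# (type of first hop, type of second hop) -> type of the inferred relationship.
# A rule fires on a pair of relationships a, b with a.target == b.source and
# yields Rel(a.source, inferred_type, b.target).
RULES = {
    ("attributed-to", "attributed-to"): "attributed-to",  # attribution is transitive
    ("uses", "uses"): "uses",                              # an intrusion set uses what its malware uses
    ("attributed-to", "uses"): "uses",                     # a campaign inherits the tooling of its intrusion set
}


def infer(known, rules):
    """Forward-chain to a fixpoint.

    Returns {inferred_rel: set of (premise_a, premise_b)} so every inferred
    relationship carries its provenance and can be explained or retracted.
    """
    facts = set(known)
    derived = {}
    changed = True
    while changed:
        changed = False
        for a in list(facts):
            for b in list(facts):
                if a.target != b.source:
                    continue
                kind = rules.get((a.type, b.type))
                if kind is None:
                    continue
                new = Rel(a.source, kind, b.target)
                # Skip self-loops and facts an analyst already stated explicitly.
                if new.source == new.target or new in known:
                    continue
                derived.setdefault(new, set()).add((a, b))
                if new not in facts:
                    facts.add(new)
                    changed = True
    return derived


def retract(known, rules, removed):
    """Data lifecycle: after deleting `removed`, return the inferences that no longer hold.

    Recomputing from scratch is the simplest correct approach; a production engine
    would walk the stored provenance instead so only affected inferences are revisited.
    """
    before = infer(known, rules)
    after = infer(known - {removed}, rules)
    return {rel for rel in before if rel not in after}


if __name__ == "__main__":
    derived = infer(KNOWN, RULES)
    for rel, premises in sorted(derived.items()):
        print(f"{rel.source} -[{rel.type}]-> {rel.target}  ({len(premises)} derivation(s))")
    gone = retract(KNOWN, RULES, Rel("campaign--op-1", "attributed-to", "intrusion-set--apt-x"))
    print("retracted after deleting the campaign attribution:", len(gone))
```

On the sample data the engine derives four relationships; the campaign's use of the phishing attack pattern has two independent derivations, so deleting only one of its premises would leave it standing, while deleting the campaign's attribution removes three inferences at once.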

Garbage collector and case management

Objective: Data retention manager, workflow and case management

Some platforms have millions of entities and relationships. We would like to implement a proper garbage collector with flexible filters and data retention durations. Case management will also be implemented, to handle requests for information and to follow campaigns and incidents.

Data from the “field”

Objective: Model more field data (assets, risks, compliance, etc.)

To be able to offer more use cases on the platform, the current data must be correlated with more technical and non-technical information related to the organizations using OpenCTI, such as asset inventories, risk assessments, compliance levels and results, etc.

Correlation engine

Objective: Further correlation capabilities

The platform is based on a hypergraph database that embeds graph traversal algorithms to detect clusters, compute the shortest path or the centrality of an entity in a larger subset. Ranging from observables to the strategic actors and using the enrichment of each entity, these features will be used to offer advanced correlation capabilities.
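The three algorithms named above (clusters, shortest path, centrality) are simple to demonstrate on the kind of entity graph the platform stores. The following is an added example, not OpenCTI's code: in the platform these traversals are delegated to the hypergraph database, whereas here they are written out in plain Python over a constructed set of relationships running from observables up to a threat actor, plus a second unconnected cluster. Entity ids and relationship types are assumptions chosen to look STIX-like.

```python
"""Graph traversal over CTI relationships: shortest path, degree centrality, clusters.

Added example, not OpenCTI's own code: the platform delegates these algorithms to
its hypergraph database; the entity ids and relationships below are constructed.
"""
from collections import defaultdict, deque

# Constructed relationships as (source, type, target), from observables up to actors.
EDGES = [
    ("indicator--beacon-c2", "based-on", "ipv4-addr--198.51.100.7"),
    ("domain-name--update.example", "resolves-to", "ipv4-addr--198.51.100.7"),
    ("indicator--beacon-c2", "indicates", "malware--loader-z"),
    ("intrusion-set--apt-x", "uses", "malware--loader-z"),
    ("intrusion-set--apt-x", "attributed-to", "threat-actor--group-y"),
    ("intrusion-set--apt-x", "targets", "sector--energy"),
    # A second, unconnected cluster of knowledge.
    ("intrusion-set--apt-q", "uses", "malware--other-w"),
    ("malware--other-w", "uses", "attack-pattern--spearphishing"),
]


def build_adjacency(edges):
    """Undirected adjacency: an analyst can pivot in both directions of a relationship."""
    adj = defaultdict(set)
    for source, _type, target in edges:
        adj[source].add(target)
        adj[target].add(source)
    return adj


def shortest_path(adj, start, goal):
    """Breadth-first search; returns the list of entities on the path, or None."""
    if start not in adj or goal not in adj:
        return None
    if start == goal:
        return [start]
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt in parents:
                continue
            parents[nxt] = node
            if nxt == goal:
                path = [goal]
                while parents[path[-1]] is not None:
                    path.append(parents[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def degree_centrality(adj):
    """Degree of each entity divided by the maximum possible degree (n - 1)."""
    n = len(adj)
    return {node: len(neigh) / (n - 1) for node, neigh in adj.items()}


def clusters(adj):
    """Connected components: each is a set of entities reachable from one another."""
    seen, out = set(), []
    for node in adj:
        if node in seen:
            continue
        comp, stack = set(), [node]
        while stack:
            cur = stack.pop()
            if cur in comp:
                continue
            comp.add(cur)
            stack.extend(adj[cur] - comp)
        seen |= comp
        out.append(comp)
    return out


if __name__ == "__main__":
    adj = build_adjacency(EDGES)
    print(shortest_path(adj, "ipv4-addr--198.51.100.7", "threat-actor--group-y"))
    top = max(degree_centrality(adj).items(), key=lambda kv: kv[1])
    print("most central entity:", top)
    print("cluster sizes:", sorted(len(c) for c in clusters(adj)))
```

On this data the observable reaches the threat actor in four hops through the indicator, the malware and the intrusion set; the intrusion set is the most central entity because it is the hub where tooling, attribution and victimology meet; and the two clusters (seven and three entities) never connect, which is exactly the kind of gap an enrichment connector or an inference rule is meant to close.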

Schema extension

Objective: Implement schema extension and custom ontologies

The STIX 2.1 specification allows schema extensions, and open vocabularies can be customized if necessary. This milestone will implement customizable STIX schema extensions, including some defaults that will be added to the current data schema.

Risk analysis and exercises scenarios

Objective: Crossing data to compute risk and connect with OpenEx

Starting the integration between OpenCTI and OpenEx to automatically generate exercise scenarios (technical and non-technical) is one of the major long-term objectives. Mixing crisis management, training and CTI also requires a ``threat intelligence related`` approach to risk management.

Community centered features

Objective: Instant anonymized data sharing, advanced collaboration

Community-centered features such as a feeds marketplace, integrations with instant messaging platforms and immersive pair investigations will be the future of OpenCTI. Whether in a centralized or decentralized model, organizations and verticals (ISACs) should be able to collaborate efficiently on threat knowledge.