OpenCTI (Open Cyber Threat Intelligence) is an open-source platform designed to manage, analyze, and share cyber threat intelligence data. This blog post will guide you through the steps to install OpenCTI on an Ubuntu server. Along the way, we’ll also discuss how to use OpenCTI, how to set up worker nodes, connectors, and the database it relies on.
Prerequisites
Before starting the installation, ensure that your system meets the following requirements:
- Ubuntu 20.04 or 22.04 LTS
- At least 4 GB of RAM (8 GB recommended)
- Minimum 2 CPUs (4 recommended)
- Docker and Docker Compose installed
You can install Docker and Docker Compose by following these commands:
sudo apt update
sudo apt install -y docker.io docker-compose
sudo systemctl start docker
sudo systemctl enable docker
Step 1: Clone the OpenCTI Repository
First, you need to clone the OpenCTI GitHub repository. This repository contains the necessary Docker Compose files to set up OpenCTI and its dependencies.
git clone https://github.com/OpenCTI-Platform/docker.git opencti
cd opencti
Step 2: Configure Environment Variables
OpenCTI uses several environment variables for its configuration. You can customize these settings by editing the .env file in the opencti directory.
cp .env.sample .env
nano .env
Pay attention to the following key settings:
OpenCTI Variables:
- OPENCTI_ADMIN_EMAIL: The email address for the administrator account.
- OPENCTI_ADMIN_PASSWORD: The password for the administrator account.
- OPENCTI_TOKEN: The token used to interact with the OpenCTI API.
Database Configuration:
- DATABASE_NAME: Name of the OpenCTI database.
- DATABASE_USER: Database user.
- DATABASE_PASSWORD: Password for the database user.
Connector and Worker Nodes:
- CONNECTOR_NAME: Name of the connector.
- CONNECTOR_SCOPE: The scope of the connector (e.g., indicators, observables).
- WORKER_COUNT: Number of worker nodes.
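The values in .env are the platform's secrets, and the most common mistake at this step is leaving the sample placeholders in place. The script below is an added example (not part of the original post or the OpenCTI project) that parses a .env file and flags placeholder or weak values for the variables named above. The SAMPLE_ENV contents are constructed for the demonstration and do not reproduce the project's real .env.sample; the placeholder list and the 16-character minimum are this example's own assumptions.

```python
import re
import sys
import uuid
from typing import Dict, List

# Constructed sample .env contents for this example (not the project's real
# .env.sample); the placeholder values imitate what a fresh copy tends to contain.
SAMPLE_ENV = """\
# OpenCTI
OPENCTI_ADMIN_EMAIL=admin@opencti.io
OPENCTI_ADMIN_PASSWORD=ChangeMePlease
OPENCTI_TOKEN=ChangeMe
# Database
DATABASE_NAME=opencti
DATABASE_USER=opencti
DATABASE_PASSWORD=
"""

# Values that mean "nobody set this yet", compared case-insensitively (assumed list).
PLACEHOLDER_VALUES = {"", "changeme", "changemeplease", "admin", "password"}
SECRET_KEYS = ("OPENCTI_ADMIN_PASSWORD", "OPENCTI_TOKEN", "DATABASE_PASSWORD")
MIN_PASSWORD_LEN = 16  # assumed local policy, not an OpenCTI requirement

UUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines, ignoring blanks and comments and stripping quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def check_env(env: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the file passes."""
    findings: List[str] = []
    for key in SECRET_KEYS:
        if env.get(key, "").lower() in PLACEHOLDER_VALUES:
            findings.append(f"{key} is missing or still a placeholder")
    password = env.get("OPENCTI_ADMIN_PASSWORD", "")
    if password.lower() not in PLACEHOLDER_VALUES and len(password) < MIN_PASSWORD_LEN:
        findings.append(f"OPENCTI_ADMIN_PASSWORD is shorter than {MIN_PASSWORD_LEN} characters")
    token = env.get("OPENCTI_TOKEN", "")
    if token.lower() not in PLACEHOLDER_VALUES and not UUID_RE.match(token):
        findings.append("OPENCTI_TOKEN is not a UUID (generate one with new_token())")
    if not EMAIL_RE.match(env.get("OPENCTI_ADMIN_EMAIL", "")):
        findings.append("OPENCTI_ADMIN_EMAIL is not a valid e-mail address")
    return findings


def new_token() -> str:
    """Random UUIDv4, the format the sample file uses for the API token."""
    return str(uuid.uuid4())


if __name__ == "__main__":
    # Usage: python check_env.py [path/to/.env]
    path = sys.argv[1] if len(sys.argv) > 1 else ".env"
    with open(path, encoding="utf-8") as fh:
        problems = check_env(parse_env(fh.read()))
    for problem in problems:
        print("FAIL:", problem)
    if problems:
        print(f"{len(problems)} problem(s); a fresh token you could use: {new_token()}")
    else:
        print("OK: no placeholder secrets found")
    sys.exit(1 if problems else 0)
```

Run it against the copied .env before `docker-compose up`; a non-zero exit means at least one of the three secrets is still at its sample value, which is exactly the state an exposed port 8080 must never be started in.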
Step 3: Set Up the Database
What database does OpenCTI use?
OpenCTI relies on Neo4j as its graph database and ElasticSearch for its search capabilities. The default docker-compose.yml file will set up these components for you.
- Neo4j: This is where all the entities and relationships in OpenCTI are stored.
- ElasticSearch: This is used to index and search the data within OpenCTI.
Step 4: Start OpenCTI and Dependencies
After configuring the environment variables, you can start OpenCTI and its dependencies using Docker Compose.
docker-compose up -d
This command will launch the following containers:
- OpenCTI: The core platform.
- Redis: Used for caching.
- RabbitMQ: Message broker used for communication between components.
- ElasticSearch: Search engine.
- Neo4j: Graph database.
Step 5: Verify the Installation
After the services are up and running, you can verify the installation by opening your web browser and navigating to http://<your-server-ip>:8080. Log in using the admin credentials you set in the .env file.
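Logging in through the browser confirms the web UI is up; it is also worth confirming that the API token from .env is accepted, since workers and connectors authenticate with that token rather than with the admin password. The script below is an added example, not part of the original post or of OpenCTI itself. It assumes the platform's GraphQL endpoint at /graphql with a Bearer token header (OpenCTI's standard API access) and the port 8080 used above; the base URL and token are passed on the command line.

```python
import json
import sys
import urllib.error
import urllib.request
from typing import Tuple

# Default address assumed for this example; override on the command line.
DEFAULT_BASE_URL = "http://localhost:8080"

# Minimal GraphQL query: asks the platform which user the token belongs to.
ME_QUERY = "query { me { name user_email } }"


def build_me_request(base_url: str, token: str) -> urllib.request.Request:
    """Build an authenticated POST to OpenCTI's GraphQL endpoint."""
    body = json.dumps({"query": ME_QUERY}).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + "/graphql",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {token}",
        },
    )


def parse_me_response(raw: bytes) -> Tuple[bool, str]:
    """Turn a GraphQL response body into (ok, message)."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return False, "response is not JSON (is port 8080 really serving OpenCTI?)"
    if doc.get("errors"):
        messages = "; ".join(err.get("message", "?") for err in doc["errors"])
        return False, "GraphQL error: " + messages
    me = (doc.get("data") or {}).get("me")
    if not me:
        return False, "no user returned; the token was not accepted"
    return True, f"authenticated as {me.get('name')} <{me.get('user_email')}>"


def verify(base_url: str, token: str, timeout: float = 10.0) -> Tuple[bool, str]:
    """Send the query and interpret the answer; never raises on network errors."""
    try:
        with urllib.request.urlopen(build_me_request(base_url, token), timeout=timeout) as resp:
            return parse_me_response(resp.read())
    except urllib.error.HTTPError as err:
        # 4xx/5xx still carry a JSON body with the GraphQL error list.
        return parse_me_response(err.read())
    except (urllib.error.URLError, OSError) as err:
        return False, f"cannot reach {base_url}: {err}"


if __name__ == "__main__":
    # Usage: python verify_opencti.py http://<your-server-ip>:8080 <OPENCTI_TOKEN>
    base = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BASE_URL
    token = sys.argv[2] if len(sys.argv) > 2 else ""
    ok, message = verify(base, token)
    print(("OK: " if ok else "FAIL: ") + message)
    sys.exit(0 if ok else 1)
```

A "GraphQL error" result with the UI reachable usually means the token in .env and the token you passed differ; a "not JSON" result means something other than OpenCTI (a reverse proxy, or nothing at all) answered on that port.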
Step 6: How to Set Up OpenCTI and Worker Nodes
Worker nodes are crucial for scaling the processing of data within OpenCTI. To set up worker nodes, you can modify the docker-compose.yml file to include additional worker containers.
In the docker-compose.yml file, find the worker service section and scale it by adjusting the replicas setting:
worker:
  image: opencti/worker:latest
  environment:
    # Compose list items start with a plain hyphen, not an en-dash.
    # The worker image reads the platform address and API token from
    # OPENCTI_URL and OPENCTI_TOKEN.
    - OPENCTI_URL=http://opencti:8080
    - OPENCTI_TOKEN=<OpenCTI Token>
  depends_on:
    - opencti
  deploy:
    replicas: 2
Increase the replicas value to add more workers, which will help process tasks faster. Note that the v1 docker-compose binary installed above ignores the deploy key unless you start the stack with docker-compose --compatibility up -d; the newer docker compose plugin honours deploy.replicas directly.
Step 7: How to Set Up OpenCTI Connectors
Connectors are essential for integrating OpenCTI with external threat intelligence sources. You can set up connectors by defining them in the docker-compose.yml file. For example, to add a MISP connector, you would include:
connector-misp:
  image: opencti/connector-misp:latest
  environment:
    # Connectors authenticate to the platform with OPENCTI_URL/OPENCTI_TOKEN
    # and need a unique CONNECTOR_ID; the MISP connector reads its source
    # from MISP_URL and MISP_KEY.
    - OPENCTI_URL=http://opencti:8080
    - OPENCTI_TOKEN=<OpenCTI Token>
    - CONNECTOR_ID=<unique UUIDv4 for this connector>
    - CONNECTOR_NAME=MISP
    - CONNECTOR_SCOPE=identity,location,threat-actor,intrusion-set,malware,tool,attack-pattern,course-of-action,report,indicator,observable,relationship
    - MISP_URL=http://<MISP-URL>
    - MISP_KEY=<MISP API key>
After defining the connector, you can start it with:
docker-compose up -d connector-misp
This connector will now run alongside your OpenCTI instance, pulling data from MISP into the platform.
Step 8: How to Use OpenCTI
With everything set up, you can start using OpenCTI to manage and analyze threat intelligence data. Log in to the web interface, where you can:
- Create Reports: Aggregate and analyze threat data.
- Manage Indicators: Track indicators of compromise (IOCs).
- Integrate with External Sources: Use connectors to pull in data from various CTI sources.
- Analyze Relationships: Use the graph view to visualize connections between entities.
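Reports and indicators can also be brought in as STIX 2.1 bundles, which is the format connectors and the platform's import feature exchange. The following is an added example, not part of the original post or the OpenCTI project: it builds a small bundle with two indicators and a report that references them, and runs the referential checks an importer would fail on (ids matching their type prefix, every object_ref resolving inside the bundle). The sample values are constructed from documentation-reserved IP and domain ranges and are not real indicators.

```python
import uuid
from datetime import datetime, timezone
from typing import Dict, List, Optional


def stix_timestamp(when: Optional[datetime] = None) -> str:
    """STIX 2.1 timestamps are UTC, millisecond precision, with a Z suffix."""
    when = when or datetime.now(timezone.utc)
    return when.strftime("%Y-%m-%dT%H:%M:%S.") + f"{when.microsecond // 1000:03d}Z"


def make_indicator(name: str, pattern: str, indicator_types: List[str],
                   created: Optional[str] = None) -> Dict:
    """STIX 2.1 Indicator SDO with the required pattern/pattern_type/valid_from."""
    if not (pattern.startswith("[") and pattern.endswith("]")):
        raise ValueError("STIX patterns are enclosed in square brackets")
    ts = created or stix_timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
        "indicator_types": indicator_types,
    }


def make_report(name: str, description: str, object_refs: List[str],
                published: Optional[str] = None) -> Dict:
    """STIX 2.1 Report SDO; object_refs ties the indicators to the report."""
    ts = published or stix_timestamp()
    return {
        "type": "report",
        "spec_version": "2.1",
        "id": f"report--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "description": description,
        "report_types": ["threat-report"],
        "published": ts,
        "object_refs": list(object_refs),
    }


def make_bundle(objects: List[Dict]) -> Dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def validate_bundle(bundle: Dict) -> List[str]:
    """Referential checks: id prefix matches type, object_refs resolve in-bundle."""
    problems: List[str] = []
    ids = set()
    for obj in bundle.get("objects", []):
        oid, otype = obj.get("id", ""), obj.get("type", "?")
        if not oid.startswith(otype + "--"):
            problems.append(f"id {oid!r} does not match type {otype!r}")
        ids.add(oid)
    for obj in bundle.get("objects", []):
        for ref in obj.get("object_refs", []):
            if ref not in ids:
                problems.append(f"{obj.get('id')} references {ref}, which is not in the bundle")
    return problems


def build_sample_bundle() -> Dict:
    """Constructed sample: two IOCs of a fictitious campaign plus the report."""
    ts = "2024-01-15T10:00:00.000Z"  # fixed so the output is reproducible
    ip = make_indicator("C2 address (constructed sample)",
                        "[ipv4-addr:value = '192.0.2.10']",  # RFC 5737 TEST-NET-1
                        ["malicious-activity"], created=ts)
    dom = make_indicator("Phishing domain (constructed sample)",
                         "[domain-name:value = 'invoice-update.example.net']",  # RFC 2606
                         ["malicious-activity"], created=ts)
    rep = make_report("Constructed sample phishing campaign",
                      "Example report; all values come from reserved documentation ranges.",
                      [ip["id"], dom["id"]], published=ts)
    return make_bundle([ip, dom, rep])


if __name__ == "__main__":
    import json
    bundle = build_sample_bundle()
    print(json.dumps(bundle, indent=2))  # save as sample_bundle.json and import into OpenCTI
```

Writing the JSON to a file and importing it creates the two indicators, the report, and the report-to-indicator relationships in one step; running validate_bundle first catches the dangling-reference case that otherwise surfaces only as a partially imported report.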
Conclusion
Installing OpenCTI on Ubuntu is a straightforward process when using Docker and Docker Compose. By following these steps, you can set up a robust cyber threat intelligence platform, complete with worker nodes, connectors, and a powerful database backend. Whether you’re managing threat data or integrating with other systems, OpenCTI provides the tools you need to enhance your organization’s cybersecurity posture.