Building strategic intelligence dashboards to manage your Intelligence feed deluge
As a member of the Filigran Solution Engineering team, I am fortunate enough that it’s part of my role to have direct conversations with our customers and prospects as to how they leverage their current Threat Intelligence Platform – whether it be OpenCTI, an alternate TIP, or a home-built solution – and have them share where they feel that their processes could be improved.
One area that has come up recently is in the middle of the threat intelligence lifecycle, which my colleague Nate Huber covered a few weeks ago – the process of Analysis. I have heard more than a few times the comment from a CTI team leader or SOC manager that analysts find themselves struggling to manage a ‘deluge’ of inbound threat intelligence.
This requires much analyst time and effort, even after using their existing TIP to filter for threats of interest, as they try to synthesize the data to compile and maintain the lists of vulnerabilities and TTPs that should be prioritized for defense against those threats.
Trying to manage this end-to-end process at scale can be a challenging task. With their existing tools, they can likely query a threat actor and view the TTPs that it is known to use, but if those actors are seen to be using particular malware families, they then need to gather all the TTPs, vulnerabilities and indicators linked to those as well, and then follow and update these as they change and evolve.
Within a TIP, this could be performed using a link analysis tool, but these are more typically used for just one actor or a few campaigns, rather than trying to analyze your entire threat landscape within one chart!
Fortunately, OpenCTI’s support for STIX 2.1, and its graph database, allows analysts to automate the creation of dashboards both to more accurately filter and triage the relevant threat intelligence that is ingested, but then also to automatically summarize the operational and tactical intelligence relating to the threats they’re tracking. This blog explains how.
Graph database and STIX 2.1 as an enabler
In the early days of Threat Intelligence Platforms, TIPs were mostly used as “IOC orchestrators”, rather than a repository of all threat intelligence knowledge. As such, earlier TIP databases were architected around “IOC streams” (such as IPs, Domains and Hashes), with context for Actors, Malware and Vulnerabilities ‘bolted on’ via simple links.
However, as the sophistication of threats has evolved, and the corresponding threat intelligence team processes have matured, the complexity of threat intelligence itself has become more nuanced.
As an example, the report below from Intel471 via Sekoia, loaded in OpenCTI, shows the link analysis graph of a strategic-level overview of a state-level threat actor, including the intrusion sets they are tracked by, the associated MITRE ATT&CK Techniques for each, tools and infrastructure each uses, and vulnerabilities that each targets – with each relationship being directional and time-bound. This is the kind of detail that STIX 2.1 preserves when receiving or sharing threat intelligence, and more threat intelligence vendors, ISACs and National CERTs are making use of these features when sharing intelligence via STIX/TAXII 2.1.
Similarly, OpenCTI’s Graph database supports the deduplication and ingest of these STIX bundles, again whilst preserving the nuanced relationships between different threat entities, which allows the creation of the dashboards below.
In contrast, a TIP with an older database architecture may be unable to maintain this context, and might, for example, flatten the relationships to bundle the actors, vulnerabilities, and TTPs as being all linked together under one report, or not track the nature of the relationships.
Building dashboards that leverage intelligence relationships
In OpenCTI, with all these relationships preserved and stored in its Graph Database, we can use the Knowledge Graph perspective in our dashboard widget configuration to use those relationships in both our analysis filters and our output statistics.
For example, let’s take the sector of Finance. There will have been many reports received about attacks against Financial Institutions, from which OpenCTI would have ingested many reported threat actors, as well as the TTPs and malware they used.
So, let’s write a query to show the Threat Actors seen to have targeted Financial Organizations in the past three months, using this relationship structure.
In the OpenCTI widget filter builder, this looks like this:
As you can see, we’re defining:
- the Source as any actors (or intrusion sets)
- the Target as Finance (of type Sector), and
- the relationship as Targets.
If we view this as a tree diagram, we get these results.
Extending the relationship chain
But that’s just showing us the actors themselves. We’d like to automatically show the aggregated operational intelligence for those actors, such as the TTPs they use and vulnerabilities they target.
OK, so let’s extend this query, and show all the TTPs used by these threat actors seen to be targeting Finance in the past three months. To do this, we use the same filter conditions as before, but push these into just the source filter, and now add another relationship – we want to display the Attack Pattern the actor uses.
And so we add those as filter criteria:
In the filter editor, this filter looks like this:
If we display these as an aggregated list, we can see that, across all the actors targeting Finance right now, T1005 (data collection for exfiltration, rather than encryption) is the most commonly reported technique, followed by the TTPs that typically indicate PowerShell/shell execution (T1059) and use of Mimikatz and its friends (T1003); user activity as a result of phishing (T1204) is also still quite high.
The beauty of this approach is that, as new actors are reported as seen targeting the Finance sector, or others age out, then these statistics will be continuously updated.
Charting other metrics
Once we have this filter and widget created, then displaying other relationships is simply another ten seconds’ work – we duplicate the widget, and change the target type at the end of the relationship chain to another entity type.
So – if we want to display all the Vulnerabilities, then we change the Target Type from Attack Pattern to Vulnerability.
And now we have the top 10 vulnerabilities that are being targeted most frequently by threat actors targeting the finance sector.
We can keep doing this, until we have a custom dashboard that shows us all the key operational statistics about our threat landscape, in a single view.
What’s more, such top-down aggregate queries are natural fits for OpenCTI’s GraphDB, allowing a dashboard such as the one above to refresh all of the widgets running on a database built on hundreds of millions of ingested documents, in a few seconds.
Conclusion
The complexity of today’s threat landscape demands smarter tools and processes. OpenCTI, with its GraphDB backbone and robust support for STIX 2.1, provides the flexibility and depth needed to navigate the challenges of modern threat intelligence.
From automating data filtering to dynamically updating dashboards with operational insights, OpenCTI’s capabilities permit your CTI and SOC teams to delegate such analysis to the toolset so that they can focus on what truly matters—analyzing actionable intelligence and prioritizing defense efforts effectively.
By visualizing relationships between actors, TTPs, and vulnerabilities, you’re not just gaining a clearer picture—you’re building a foundation for data-driven decision-making. Whether you’re tracking sector-specific threats, identifying emerging attack patterns, or flagging critical vulnerabilities, these dashboards are designed to grow and adapt as your processes evolve.
Smarter dashboards lead to smarter defense. With OpenCTI, you’re no longer reacting to the deluge of information—you’re taking control of it.
Ready to take your threat intelligence workflows to the next level? Explore how you can implement these strategies today.
If you have any comments, questions or feedback, connect with us on Slack!