OpenCTI case management is ready for takeoff: what is available and what’s next
As part of our 2023 strategic roadmap, we’ve worked since January on the case management system within the OpenCTI platform.
This initiative stems from two simple observations:
- The CTI / DFIR / CSIRT teams have a constant need to handle “requests”, whether for investigation, incident handling, information or takedown.
- The existing OpenCTI capabilities already cover the essential requirements in this area: observables, enrichment, sandboxes, TTPs, matrices, timelines, graphs, workflows, assignments, notifications, etc.
Available features
Since OpenCTI 5.8.0, we have introduced three new entity types:
- Case Incident: to handle all cyber operations, including both cybersecurity incidents and law-enforcement investigations.
- Case Request for Information: to handle requests about specific threats, whether internal or coming from partners and customers.
- Case Request for Takedown: to handle and follow all kinds of operations which require external communication.
What is a Case?
All cases are treated as “containers” of knowledge in the platform. This means that, in addition to attributes such as title, date, priority and severity, a case can contain other entities (attack patterns, intrusion sets, pieces of malware, observables, incidents / alerts, etc.), and relationships can be created between those entities in the context of the case.
Like any other entity type, cases support several built-in features.
Custom workflows with statuses
Workflows with customizable statuses and steps can be configured for each type of case. These workflows will be enhanced in the future to support enforcement, validation and group restrictions.
Mandatory / default / optional attributes
In the settings, every attribute can now be given a default value or be configured as mandatory, and some attributes (such as confidence and reliability) support custom scales.
Assignees and participants (users)
A case can be assigned to one or more users of the platform. It is also possible to set participants: users who are not directly responsible for the case but are involved in its associated tasks.
Notifications, triggers and digests
Cases can be used in triggers and digests to receive alerts and monitor activity. Since OpenCTI 5.9, you can quickly subscribe to a case using the bell icon in the top right corner; assignees and participants are subscribed automatically.
Discussions in the context of a case
In cases, as in other entities, you can discuss and comment using the notes system. Every note can carry labels and a confidence level, and can reference other entities if necessary.
Data and knowledge in a case
Beyond the functional and technical features described above, OpenCTI provides out-of-the-box capabilities for cybersecurity analysts to visualize and enrich a case in various ways. For instance, artifacts can be attached to a case and submitted to any of the available sandbox enrichment connectors.
Graph and knowledge
To understand what is going on in a case or a request for information, all of the knowledge it contains can be visualized in a comprehensive graph.
Attack pattern matrixes
Using the MITRE ATT&CK ontology, or any other kill chain model or TTP framework, the case can be visualized in a matrix view.
Timelines and correlations
Other visualizations, such as timelines and correlations with other cases, are available to ease the analyst's work.
Tasks in cases
In OpenCTI, cases can be linked to tasks. A task can be assigned to multiple users and has its own attributes, such as a due date and a description. “Case templates” with pre-defined tasks can be created in the platform settings.
A template can then be applied to a case, either at creation time or afterwards.
Remaining work
Incident response
For incident response cases, a new type of connector will be introduced in the platform to handle “external action” triggers. Using a subset of the case data (endpoint names, observables, etc.), it will make it possible, for instance, to trigger SOAR playbooks or quarantine actions in an EDR.
Requests for information and takedown
We plan several enhancements to automate requests for takedown, in particular reaching out automatically to the abuse contacts of registrars and service providers, resolved through enrichment.
For requests for information, the feature will be enhanced to provide a better overview and follow-up of multi-team and provider / customer activities. In particular, we would like to add a capability allowing some users to only open RFIs and follow the RFIs of their own organization, so that full-fledged analysts can gather the information in the case and provide the requester with a proper deliverable.
If you have any questions, requests, comments or feedback to share with us, don't hesitate to join us on Slack!