OpenCTI organizations restriction and sharing
One of the main goals of the OpenCTI platform is to disseminate knowledge with a maximum level of control over who can access each piece of information. Meeting this challenge is harder than people usually think when it comes to implementing it at all levels (user interfaces, APIs, TAXII feeds, CSV feeds, real time streams etc.) while ensuring the consistency requirements of the STIX graph model over time.
Since the beginning, data in OpenCTI has been segregated based on knowledge marking. Basically, entities and relationships are associated with “marking definitions”, and groups of users are granted access to them or not, taking the hierarchy within each marking type into account (from TLP:CLEAR to TLP:RED for instance).
Being able to structure the handling of data through the use of data markings is vital for organizations who share cyber threat intelligence (CTI). This benefit allows STIX producers to limit the accessibility of objects and also communicates terms of use and copyright information (source: Oasis-Open).
Based on the STIX 2.1 standard, OpenCTI users are able to “mark” pieces of data, usually using the Traffic Light Protocol (TLP), but they are also free to create and apply custom markings. Then, to be allowed to read the information, a user needs to be granted ALL the markings applied to it.
For instance, if an indicator is marked with TLP:AMBER and CLASSIFICATION:TOP-SECRET, the user must be granted at least those 2 markings to have access to the data.
The diagram above shows how OpenCTI links the information in order to grant a user access to data.
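The following is an added example (not OpenCTI code) that models the marking rule just described: every marking on an object must be granted to the user, and for the hierarchical TLP type a higher granted level covers the lower ones. The TLP ordering used here, the treatment of other marking types as exact-match only, and the sample indicator and users are all constructed assumptions for illustration.

```python
# Constructed ordering of TLP levels (assumption: OpenCTI's default hierarchy,
# lowest to highest). A granted level covers every level below it.
TLP_ORDER = ["TLP:CLEAR", "TLP:GREEN", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:RED"]


def marking_type(marking: str) -> str:
    """The marking type is the part before the colon, e.g. 'TLP' or 'CLASSIFICATION'."""
    return marking.split(":", 1)[0]


def user_allows_marking(user_markings: set, required: str) -> bool:
    """True if one of the user's granted markings satisfies a single required marking."""
    for granted in user_markings:
        if granted == required:
            return True
        # Hierarchical type (TLP): a higher granted level of the same type is enough.
        if (marking_type(granted) == marking_type(required) == "TLP"
                and granted in TLP_ORDER and required in TLP_ORDER):
            if TLP_ORDER.index(granted) >= TLP_ORDER.index(required):
                return True
    # Custom, non-hierarchical types (assumption): exact match only, handled above.
    return False


def can_read(user_markings: set, object_markings: list) -> bool:
    """The ALL rule: each marking on the object must be covered by the user's grants."""
    return all(user_allows_marking(user_markings, m) for m in object_markings)


if __name__ == "__main__":
    # Constructed sample: the indicator from the text and three hypothetical users.
    indicator = ["TLP:AMBER", "CLASSIFICATION:TOP-SECRET"]
    print(can_read({"TLP:RED", "CLASSIFICATION:TOP-SECRET"}, indicator))   # True: RED covers AMBER
    print(can_read({"TLP:RED"}, indicator))                                # False: classification missing
    print(can_read({"TLP:GREEN", "CLASSIFICATION:TOP-SECRET"}, indicator)) # False: GREEN below AMBER
```

Note that a user granted only TLP:RED is still refused: the missing CLASSIFICATION marking is enough to deny access, which is exactly why the rule is "all markings" and not "any marking".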
This approach works perfectly for a single organization which shares CTI internally, or when restricted knowledge is not shared at all with third parties. But what about distributing data to multiple organizations?
Indeed, multiple community members have started to leverage OpenCTI as a global sharing platform, using one single instance to aggregate / classify all useful pieces of information and then distribute a subset of this knowledge to specific subsidiaries, partners and customers.
The schema above describes a really simple use case about sharing capabilities needed by multiple organizations in the OpenCTI community. Obviously, this kind of data sharing should work both in a single OpenCTI platform or across multiple synchronized applications.
Organizations sharing
To support this specific use case we’ve added a new security layer on top of the marking definition segregation that brings more power to OpenCTI without changing the default behavior of the platform.
Thus, to be able to support it, the OpenCTI 5.4 branch introduced multiple features and concepts, so organizations are now able to:
- link platform users to STIX identities (organizations)
- link any STIX object or relationship to an organization through a new “granted_refs” nested reference.
- add a new “global platform organization” parameter to handle the visibility of the data without organization restrictions.
OpenCTI new organizations segregation capabilities
Thanks to this new “global platform organization” parameter, OpenCTI users will not see any difference after the platform upgrade. Then, they will be able to set up the proper configuration and organization segregation to deploy the data sharing policy which matches their needs.
To give you a better idea of how it works, let’s configure OpenCTI to support the use case of this blog post: a central CTI team that would like to share different pieces of information with the Police and Fire departments.
Global information restriction
The first action to be taken by the CTI team will be to restrict all currently available data in the platform to the CTI Team itself. Therefore, the Police and Fire departments will not be able to consult / consume any information before the CTI Team explicitly decides to share information with them.
Putting this restriction in place is quite simple: the CTI Team needs to define the organization that is currently responsible for the platform and then set up the “platform organization” parameter in the platform settings.
As soon as they configure this option, 2 restrictions will apply:
- All OpenCTI users that are not part of any organization will not be able to log in anymore.
- All OpenCTI users belonging to an organization different from the “CTI Team” will be able to log in but will not have access to any data.
Data sharing pickup
Now that all data in the platform is restricted to the CTI team, its members need to explicitly share some content with other organizations. This capability is only available to platform organization users with the correct granted role, “Restrict group access”.
For example, to share a specific report, the CTI team will need to open the report and then click on the sharing button located on the top bar.
This button will open a layer where they will be able to select the target sharing organization.
After validation, a background task will be launched to take care of all underlying technical impacts. Obviously, it is also possible to unshare the report or any other information in the platform.
(!) Sharing a container (like a report or a grouping) will automatically share all entities and relationships (references) it contains.
Reminder
The organization sharing capability is built on top of the other restrictions. It has been designed to work alongside the current marking definition segregation. Therefore, a “TLP:RED report” shared with the Police department will only be accessible to the Police department users who can actually access TLP:RED content.
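As an added example (not OpenCTI's own code), the model below ties together the behaviour described in the "Global information restriction", "Data sharing pickup" and "Reminder" sections: the two restrictions triggered by the platform organization setting, the `granted_refs` reference written by the sharing task (cascading from a container to its references), and the fact that organization sharing sits on top of the marking check. The `User`, `StixObject` and `Platform` classes, the `can_share` flag standing in for the “Restrict group access” role, and the CTI Team / Police scenario are constructed assumptions; the marking check here is an exact set comparison with no TLP hierarchy, to keep the organization logic in focus.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    name: str
    organizations: set = field(default_factory=set)  # STIX identities the user is linked to
    markings: set = field(default_factory=set)       # marking definitions granted to the user
    can_share: bool = False                          # stands in for the "Restrict group access" role


@dataclass
class StixObject:
    id: str
    markings: set = field(default_factory=set)       # markings applied to the object
    granted_refs: set = field(default_factory=set)   # organizations the object is shared with
    object_refs: list = field(default_factory=list)  # container contents (reports, groupings)


@dataclass
class Platform:
    platform_organization: Optional[str] = None      # the "platform organization" setting
    objects: dict = field(default_factory=dict)

    def can_login(self, user: User) -> bool:
        # Restriction 1: with a platform organization set, users without any organization are locked out.
        if self.platform_organization is None:
            return True
        return bool(user.organizations)

    def can_read(self, user: User, obj: StixObject) -> bool:
        # Marking layer first: every marking on the object must be granted (exact match in this model).
        if not obj.markings <= user.markings:
            return False
        # No platform organization configured: no organization restriction at all (upgrade default).
        if self.platform_organization is None:
            return True
        # Restriction 2: platform organization members see whatever the markings allow;
        # everybody else only sees objects explicitly shared with one of their organizations.
        if self.platform_organization in user.organizations:
            return True
        return bool(user.organizations & obj.granted_refs)

    def _contents(self, obj_id: str) -> list:
        """The object itself plus everything reachable through container references."""
        seen, stack = [], [obj_id]
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.append(current)
            stack.extend(self.objects[current].object_refs)
        return seen

    def set_sharing(self, actor: User, obj_id: str, organization: str, shared: bool) -> list:
        """Share (or unshare) an object with an organization; containers cascade to their references.
        Returns the ids touched, i.e. what the background task would have to update."""
        if self.platform_organization not in actor.organizations or not actor.can_share:
            raise PermissionError(f"{actor.name} is not allowed to change sharing")
        touched = self._contents(obj_id)
        for oid in touched:
            refs = self.objects[oid].granted_refs
            refs.add(organization) if shared else refs.discard(organization)
        return touched


def build_demo():
    """Constructed scenario: a report containing an indicator and a TLP:RED relationship."""
    platform = Platform()
    platform.objects = {
        "report-1": StixObject("report-1", {"TLP:AMBER"}, object_refs=["indicator-1", "relationship-1"]),
        "indicator-1": StixObject("indicator-1", {"TLP:AMBER"}),
        "relationship-1": StixObject("relationship-1", {"TLP:RED"}),
    }
    users = {
        "alice": User("alice", {"CTI Team"}, {"TLP:AMBER", "TLP:RED"}, can_share=True),  # CTI Team analyst
        "bob": User("bob", {"Police"}, {"TLP:AMBER"}),                                    # Police, no TLP:RED
        "carol": User("carol", set(), {"TLP:AMBER"}),                                     # no organization
    }
    return platform, users


if __name__ == "__main__":
    platform, users = build_demo()
    platform.platform_organization = "CTI Team"
    print(platform.can_login(users["carol"]))                               # False: no organization
    print(platform.can_read(users["bob"], platform.objects["report-1"]))    # False: not shared yet
    print(platform.set_sharing(users["alice"], "report-1", "Police", True)) # report and its references
    print(platform.can_read(users["bob"], platform.objects["report-1"]))    # True
    print(platform.can_read(users["bob"], platform.objects["relationship-1"]))  # False: TLP:RED
```

The last line is the Reminder in action: the relationship was shared with the Police department along with the report, but bob still cannot read it because the marking layer is evaluated first and he is not granted TLP:RED.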
We hope this blog post has helped you to understand the organization sharing feature and how to start working with it.
If you have any questions or some ideas to improve the OpenCTI platform, there are multiple ways to reach the Filigran team. The simplest one is certainly to join the Slack community channel and start to discuss with more than 2K people or just send us an email to contact@filigran.io.