Imposing consequences on cyber adversaries — How we help the FBI to fight cybercrime

Samuel Hassine
Filigran Blog


Since the beginning of the OpenCTI journey, we have committed to two principles: contributing to the wider adoption of open-source Cyber Threat Intelligence solutions by providing teams with a platform that offers both a technical and a strategic perspective, and giving the defender community a way to structure and share knowledge about cyber adversaries and offensive operations.

In this context, we are proud that the Cyber Division of the United States Federal Bureau of Investigation (FBI) is contributing to this open-source project. Heading the national effort to investigate Internet crimes across the FBI’s 56 field offices throughout the country, this division of the FBI also uses the information it gathers during investigations to inform the public of current trends in cybercrime through FBI Flashes, FBI Private Industry Notifications (PINs) and joint statements designed to help cybersecurity professionals and system administrators guard against the persistent malicious actions of cyber actors.

Like several police forces in Europe, the FBI is working with the OpenCTI platform. In France, law-enforcement forces of the Ministry of the Interior will soon have a centralized OpenCTI instance available to more than 10,000 cyber agents distributed across all regions.

Use cases

The integration of OpenCTI into a law enforcement operational framework represents a significant evolution in terms of knowledge management and threat analysis. The platform will be instrumental in several key areas:

  • Organizing and analyzing cybercrime data: OpenCTI provides a structured approach to managing the vast amounts of data involved in cybercrime investigations, from technical information to attributes of the actors behind incidents. By collating and analyzing data from various sources, the platform will enable investigators to manage their cases and identify patterns and connections that might otherwise go unnoticed.

(Figure: Multiple ransomware campaigns modeling)

  • Facilitating internal and external information sharing: Agencies with multiple departments and units will benefit from a streamlined process for sharing intelligence and best practices. This ensures that crucial information is accessible across the organization, fostering a more coordinated response to cyber threats. Further, the use of OpenCTI will facilitate effective collaboration and timely sharing of information with law enforcement and intelligence partners in other jurisdictions.
  • Enhancing response to cyber incidents: OpenCTI’s comprehensive intelligence capabilities, such as automated reasoning, automation and advanced correlation, assist in investigations and will allow agencies to respond more quickly and effectively to cyber incidents. In addition, the flexibility of generating KPIs, together with the advanced RBAC and data segregation features, will give investigators and analysts ways to analyze trends and anticipate future threats.

Partnership activities

Because OpenCTI is open source under the Apache 2.0 license, the FBI Cyber Division, the Filigran Product and Engineering teams, and contributors throughout the world are able to work side by side to make the platform even more robust and better adapted to law enforcement needs. Without changing our strategic vision and roadmap for the platform, this collaboration also brings new capabilities to SecOps teams for cyber incident anticipation and mitigation.

In the spirit of co-design and a collaborative approach, OpenCTI is one of the first open-source software projects the FBI has actively contributed to. Some of their source code is already integrated into the platform, including improvements in UX design, classification management and threat actor tracking, which allowed us to accelerate the delivery of the features they need in order to expand the platform internally.

(Figure: FBI Cyber Division GitHub Organization)

Seeing US federal agencies multiplying their initiatives to create or contribute to open-source projects is truly good news for our communities and the field as a whole. Beyond our partnership and the bilateral collaboration with the FBI, we are grateful for the valuable input on strategy and product roadmap from the teams at the MITRE Corporation and New York City Cyber Command, which also use OpenCTI.

What are the next steps?

Looking ahead, the FBI’s use of and involvement in OpenCTI is a positive step in a larger strategy aimed at improving cybercrime prevention and investigation in partnership with the information security community. Ensuring better information sharing and collaboration between government and private sector entities is a key component of the FBI’s cyber strategy.

From Filigran’s side, we are committed to maintaining a consistent and innovative open-source platform for all organizations that rely on OpenCTI’s capabilities within their CERT, SOC or Threat Intelligence teams, while continuing to make a significant contribution to advancing the fight against cybercrime with other law-enforcement agencies around the world.

The increasing use of OpenCTI highlights the pivotal role of cyber threat intelligence in law enforcement’s approach to cybercrime. Through this powerful platform, law enforcement is enhancing its capabilities in cyber threat analysis, information sharing, and incident response. As we move forward, OpenCTI is set to play an increasingly critical role in shaping the future of cybercrime prevention and intelligence, both within the FBI and in the broader law enforcement community.

If you have any questions, requests, comments or feedback to share with us, don’t hesitate to join us on Slack or contact us here!
