How to Setup a Production-Ready OpenCTI and OpenBAS with All Useful Free Plugins in Your Home Lab

Mastering open-source cybersecurity threat intelligence and breach simulation with practical, step-by-step guidance

---

Introduction

In the evolving landscape of cybersecurity, staying ahead of threats requires not only reactive defenses but proactive intelligence and simulation capabilities. OpenCTI (Open Cyber Threat Intelligence) and OpenBAS (Open-source Breach and Attack Simulation) together offer a powerful open-source stack to collect, analyze, and simulate cyber threats. Setting up these platforms in a home lab environment allows security professionals and enthusiasts to experiment, learn, and prepare for real-world scenarios.

This tutorial guides you through setting up production-ready OpenCTI and OpenBAS instances using Docker, enriched with useful free plugins. You’ll learn about system prerequisites, installation, configuration, security hardening, and integration best practices to build a performant and secure lab environment.

Whether you are a SOC analyst, threat hunter, or cybersecurity researcher, this comprehensive how-to will empower you with a functional, scalable, and maintainable threat intelligence and attack simulation lab.

---

Table of Contents

1. Understanding OpenCTI and OpenBAS
2. Preparing Your Home Lab Environment
3. Installing OpenCTI: Step-by-Step
4. Installing OpenBAS: Step-by-Step
5. Configuring Useful Free Plugins and Connectors
6. Security Hardening and Best Practices
7. Troubleshooting Common Issues
8. Performance Benchmarking and Monitoring
9. Integrating OpenCTI and OpenBAS with Your Security Stack
10. Conclusion and Next Steps

---

Understanding OpenCTI and OpenBAS

What is OpenCTI?

OpenCTI is an open-source platform designed to collect, store, visualize, and share cyber threat intelligence (CTI). It centralizes intelligence from multiple sources and structures it for analysis and operational use by security teams. Key components include Elasticsearch for indexing, Redis for caching, RabbitMQ for messaging, and MinIO for object storage.

OpenCTI supports connectors that automate the ingestion of threat data feeds and integrations with other tools like MISP, allowing flexible and scalable threat intelligence workflows.

What is OpenBAS?

OpenBAS is an open-source Breach and Attack Simulation (BAS) platform that allows organizations to simulate real-world cyber-attacks and crisis exercises. It leverages the MITRE ATT&CK framework to model adversary tactics and techniques, enabling security teams to test detection, response, and awareness capabilities realistically.

With modules for phishing simulations, tabletop exercises, and detailed analytics, OpenBAS helps organizations assess their security posture comprehensively.

---

Preparing Your Home Lab Environment

System Requirements

For a smooth production-like experience running both OpenCTI and OpenBAS, your home lab should meet the following:

| Component | Minimum | Recommended |
|--------------------|-------------------|----------------------|
| Operating System | Ubuntu 20.04+ LTS | Ubuntu 22.04/24.04 LTS |
| CPU | 4 cores | 8 cores |
| RAM | 8 GB | 16+ GB |
| Storage | 50 GB SSD | 100 GB+ SSD |
| Network | Stable internet | Gigabit LAN |

Software Prerequisites

- Docker Engine (version 20.10+)
- Docker Compose (version 2.0+)
- Git (for cloning repositories)
- curl, nano (command-line utilities)

These tools will allow containerized deployment and easy management.

---

Installing OpenCTI: Step-by-Step

OpenCTI deployment is centered around Docker Compose, which manages multiple containers.

Step 1: Prepare Ubuntu

Update and install essential packages:

sudo apt update && sudo apt -y upgrade
sudo apt install -y curl ca-certificates gnupg lsb-release ethtool
sudo timedatectl set-timezone Etc/UTC

Step 2: Install Docker and Docker Compose

Remove any old Docker packages and install the latest Docker:

for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt -y remove $pkg || true; done
sudo mkdir -p /etc/apt/keyrings
# Dearmor the Docker signing key so apt can use it as a binary keyring
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
sudo usermod -aG docker $USER
newgrp docker

Verify installation:

docker --version
docker compose version

Step 3: Configure Kernel for Elasticsearch

Elasticsearch refuses to start while vm.max_map_count is at the kernel default (65530). Raise it now and make the change persistent across reboots:

sudo sysctl -w vm.max_map_count=1048575
echo "vm.max_map_count=1048575" | sudo tee -a /etc/sysctl.conf

Step 4: Clone OpenCTI Repository

mkdir -p ~/opencti && cd ~/opencti
git clone https://github.com/OpenCTI-Platform/docker.git
cd docker

Step 5: Configure Environment Variables

Copy the sample environment file and edit:

cp .env.sample .env
nano .env

Key variables to configure:

- OPENCTI_ADMIN_EMAIL — Your admin email
- OPENCTI_ADMIN_PASSWORD — Strong password
- MINIO_ROOT_USER and MINIO_ROOT_PASSWORD — For object storage
- RABBITMQ_DEFAULT_USER and RABBITMQ_DEFAULT_PASS — For messaging queue

Generate an admin token and add it to .env:

UUID=$(uuidgen)
sed -i "s/^OPENCTI_ADMIN_TOKEN=.*/OPENCTI_ADMIN_TOKEN=$UUID/" .env

Step 6: Start the OpenCTI Stack

Launch containers:

docker compose up -d

Check running containers:

docker compose ps

Step 7: Access OpenCTI Web Interface

Open your browser to:

http://your-server-ip:8080

Login with the credentials set in .env.
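Once the UI is up, it is worth confirming that the admin token written to .env in Step 5 is actually accepted by the API, because connectors and any automation will authenticate with that token rather than the web password. The script below is an added example (not part of the original post or the OpenCTI project); it assumes OpenCTI is reachable at OPENCTI_URL (default http://localhost:8080) and reads the token from a .env file in the current directory. It sends the standard GraphQL "me" query to /graphql with a bearer token, which OpenCTI answers with the account bound to that token.

```shell
#!/bin/sh
# Added example (not from the original post): verify that OPENCTI_ADMIN_TOKEN
# from .env is accepted by the OpenCTI GraphQL API.
# Assumptions: OpenCTI listens on OPENCTI_URL (default http://localhost:8080),
# curl is installed, and .env is in the current directory.
set -eu

# Build the JSON body for a GraphQL query. The "me" query returns the account
# bound to the bearer token, so a successful reply proves the token works.
graphql_payload() {
    printf '{"query":"%s"}' "$1"
}

# Extract the "name" field from a {"data":{"me":{"name":"..."}}} reply without jq.
parse_me_name() {
    printf '%s' "$1" | sed -n 's/.*"me":{"name":"\([^"]*\)".*/\1/p'
}

# Read OPENCTI_ADMIN_TOKEN from an env file without sourcing it
# (sourcing would execute anything that file contains).
read_token() {
    sed -n 's/^OPENCTI_ADMIN_TOKEN=//p' "$1" | head -n 1
}

# Query the API and print the user bound to the token; non-zero on failure.
check_token() {
    url="${OPENCTI_URL:-http://localhost:8080}"
    token="$(read_token "${1:-.env}")"
    [ -n "$token" ] || { echo "OPENCTI_ADMIN_TOKEN not set in ${1:-.env}" >&2; return 1; }
    resp="$(curl -sS -H "Authorization: Bearer $token" \
                 -H 'Content-Type: application/json' \
                 -d "$(graphql_payload '{ me { name } }')" "$url/graphql")"
    name="$(parse_me_name "$resp")"
    if [ -z "$name" ]; then
        echo "token rejected or API unreachable: $resp" >&2
        return 1
    fi
    echo "token accepted, bound to user: $name"
}

# Usage: sh check-token.sh --run [path/to/.env]
if [ "${1:-}" = "--run" ]; then
    check_token "${2:-.env}"
fi
```

Run it from ~/opencti/docker with `sh check-token.sh --run .env`; a rejected token produces an error JSON with no "me" object, which the parser treats as a failure. Because the token is read with sed rather than `. .env`, a tampered .env cannot execute commands on the host through this check.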

---

Installing OpenBAS: Step-by-Step

OpenBAS is also deployed via Docker Compose and integrates smoothly with OpenCTI.

Step 1: System Preparation

Ensure Docker and Docker Compose are installed as above.

Step 2: Clone OpenBAS Repository

git clone https://github.com/OpenBAS-Platform/openbas.git
cd openbas

Step 3: Configure Environment Variables

Copy and edit the .env file:

cp .env.example .env
nano .env

Important parameters to edit:

POSTGRES_USER=admin
POSTGRES_PASSWORD=YourStrongPassword123!
POSTGRES_DB=openbas
SPRING_DATASOURCE_URL=jdbc:postgresql://postgres:5432/openbas
SPRING_DATASOURCE_USERNAME=admin
SPRING_DATASOURCE_PASSWORD=YourStrongPassword123!
SPRING_JPA_HIBERNATE_DDL_AUTO=none
MINIO_ROOT_USER=admin
MINIO_ROOT_PASSWORD=YourStrongPassword123!
RABBITMQ_DEFAULT_USER=admin
RABBITMQ_DEFAULT_PASS=YourStrongPassword123!
ELASTIC_MEMORY_SIZE=4G

Use a valid email domain for the admin account (avoid .local, which fails OpenBAS's email validation).

Step 4: Deploy OpenBAS

Start services:

docker compose up -d
docker compose logs -f openbas

Step 5: Verify Installation

Check container statuses:

docker compose ps

Look for “Started App” in logs:

docker compose logs openbas | grep "Started App"

Step 6: First Login and Setup

Access OpenBAS UI:

http://your-server-ip:8080

Login with admin email and password set earlier.

---

Configuring Useful Free Plugins and Connectors

OpenCTI Connectors

Connectors automate data ingestion from threat intelligence feeds and other tools.

- MISP Connector: Ingests threat data from MISP (Malware Information Sharing Platform).
- MITRE ATT&CK Connector: Pulls ATT&CK framework data for mapping adversary tactics.
- OpenCTI Threat Feed Connectors: Integrate open feeds like AlienVault OTX, Abuse.ch, etc.

Enable connectors by setting environment variables in .env:

CONNECTOR_MISP_ENABLED=true
CONNECTOR_MISP_URL=https://misp-instance/api
CONNECTOR_MISP_API_KEY=yourapikey

OpenBAS Plugins and Integrations

- MITRE ATT&CK Integration: Built-in, enabling realistic attack scenario simulation.
- Phishing Simulation Module: Use built-in templates to run phishing campaigns.
- SIEM Integration: Forward logs to Splunk, Elastic SIEM, or Microsoft Sentinel.
- OpenCTI Integration: Export simulation results to OpenCTI for correlation.

---

Security Hardening and Best Practices

Use Strong Credentials

Ensure all passwords and tokens are complex and stored securely.
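Both .env files (Step 5 of the OpenCTI install and Step 3 of the OpenBAS install) are where the weak sample values tend to survive into production. The script below is an added example, not part of the original post or either project: it generates alphanumeric secrets from /dev/urandom, flags any password, token or API-key entry that still carries a sample default or is shorter than 16 characters, and can rotate those entries in place. The placeholder patterns it recognises (ChangeMe, YourStrongPassword, admin, password) are assumptions drawn from the sample files quoted in this post.

```shell
#!/bin/sh
# Added example (not from the original post): generate random secrets for the
# OpenCTI/OpenBAS .env files and flag values left at sample defaults.
# Assumptions: /dev/urandom and coreutils (tr, head, sed) are available.
set -eu

# Produce an N-character alphanumeric secret from the kernel CSPRNG (default 32).
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-32}"
    echo
}

# Return 0 if a value looks like a placeholder or is too short for a service secret.
is_weak_value() {
    case "$1" in
        ''|ChangeMe*|changeme*|admin|password|*YourStrongPassword*|*sample*|*example*) return 0 ;;
    esac
    [ "${#1}" -lt 16 ] && return 0
    return 1
}

# Print "WEAK: KEY" for every secret-bearing key whose value fails is_weak_value.
# Only the key is printed so real secrets never land in a terminal scrollback.
scan_env_file() {
    while IFS='=' read -r key value; do
        case "$key" in
            ''|'#'*) continue ;;
            *PASSWORD*|*PASS|*TOKEN*|*SECRET*|*API_KEY*)
                if is_weak_value "$value"; then echo "WEAK: $key"; fi ;;
        esac
    done < "$1"
}

# Return 0 when the file has no weak entries, 1 otherwise.
env_is_clean() {
    [ -z "$(scan_env_file "$1")" ]
}

# Replace (or append) KEY=VALUE in an env file. Generated values are
# alphanumeric, so '|' is a safe sed delimiter.
set_env_value() {
    if grep -q "^$2=" "$1"; then
        sed -i "s|^$2=.*|$2=$3|" "$1"
    else
        echo "$2=$3" >> "$1"
    fi
}

# Rotate every weak entry to a fresh 32-character secret. Keys are collected
# first so the file is not rewritten while it is still being read.
rotate_weak_secrets() {
    keys="$(scan_env_file "$1" | sed 's/^WEAK: //')"
    for key in $keys; do
        set_env_value "$1" "$key" "$(gen_secret 32)"
        echo "rotated $key"
    done
}

# Usage: sh env-secrets.sh check .env   |   sh env-secrets.sh rotate .env
case "${1:-}" in
    check)  scan_env_file "${2:-.env}"; env_is_clean "${2:-.env}" ;;
    rotate) rotate_weak_secrets "${2:-.env}" ;;
esac
```

Run the rotate mode before the first `docker compose up -d`, because the database, MinIO and RabbitMQ containers initialise their credentials from .env on first start; afterwards read the new OPENCTI_ADMIN_PASSWORD out of the file for your first login and keep the file at mode 600. The check mode exits non-zero when anything weak remains, so it drops cleanly into a pre-deploy script.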

Enable HTTPS

Use a reverse proxy like Nginx with Let’s Encrypt certificates to secure web interfaces.

Example Nginx snippet:

server {
    listen 443 ssl;
    server_name opencti.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/opencti.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/opencti.yourdomain.com/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:8080;  # OpenCTI container port from Step 7
        proxy_set_header Host $host;
    }
}

Network Segmentation

Deploy OpenCTI and OpenBAS on an isolated network segment or VLAN to limit exposure.

Regular Backups

Automate database and configuration backups:

docker exec -t openbas_postgres pg_dumpall -c -U admin > openbas_backup_$(date +%F).sql
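A one-off pg_dumpall is easy to forget, so the following added example (not from the original post or the OpenBAS project) wraps it into a script that also archives the .env files and keeps only the newest dumps. It assumes the container name and database user used above (openbas_postgres, admin) and a BACKUP_DIR of your choosing; both are overridable through environment variables.

```shell
#!/bin/sh
# Added example (not from the original post): backup of the OpenBAS PostgreSQL
# database plus the .env files, with a simple retention policy.
# Assumptions: container name openbas_postgres and DB user admin (as in the
# post), docker and gzip on the host, BACKUP_DIR writable by this user.
set -eu

BACKUP_DIR="${BACKUP_DIR:-$HOME/backups}"
PG_CONTAINER="${PG_CONTAINER:-openbas_postgres}"
PG_USER="${PG_USER:-admin}"

# Timestamped dump path so files sort chronologically by name.
backup_name() {
    printf '%s/openbas_%s.sql.gz' "$1" "$(date +%F_%H%M%S)"
}

# Dump all databases through docker exec and compress on the host.
dump_postgres() {
    out="$(backup_name "$BACKUP_DIR")"
    mkdir -p "$BACKUP_DIR"
    docker exec -t "$PG_CONTAINER" pg_dumpall -c -U "$PG_USER" | gzip > "$out"
    chmod 600 "$out"
    echo "$out"
}

# Copy an env file under a label, mode 600: it holds every service secret.
archive_env() {
    label="$1"; src="$2"
    [ -f "$src" ] || return 0
    mkdir -p "$BACKUP_DIR"
    cp "$src" "$BACKUP_DIR/${label}_env_$(date +%F)"
    chmod 600 "$BACKUP_DIR/${label}_env_$(date +%F)"
}

# Number of dump files currently in a directory.
count_backups() {
    ls -1 "$1"/openbas_*.sql.gz 2>/dev/null | wc -l | tr -d ' '
}

# Keep only the newest N dumps (default 7); older ones are deleted.
# sort -r puts the newest first, tail -n +K skips the ones we keep.
prune_backups() {
    dir="$1"; keep="${2:-7}"
    ls -1 "$dir"/openbas_*.sql.gz 2>/dev/null | sort -r | tail -n "+$((keep + 1))" |
    while read -r old; do
        rm -f "$old"
        echo "pruned $old"
    done
}

# Usage: BACKUP_DIR=/srv/backups sh backup.sh --run
if [ "${1:-}" = "--run" ]; then
    dump_postgres
    archive_env opencti "$HOME/opencti/docker/.env"
    archive_env openbas "$HOME/openbas/.env"
    prune_backups "$BACKUP_DIR" 7
fi
```

Schedule it with cron (for example nightly) and store BACKUP_DIR on a different disk or host than the Docker volumes; a backup that lives next to the data it protects does not survive the failure modes it is meant for.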

Updates

Regularly pull latest Docker images and update:

docker compose pull
docker compose up -d

---

Troubleshooting Common Issues

Elasticsearch Crashes

- Check vm.max_map_count kernel setting.
- Review Elasticsearch container logs for memory errors.
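The two checks above, plus the RAM minimum from the requirements table, are quick to script. The following added example (not from the original post) is a pre-flight check you can run before `docker compose up -d` and again when Elasticsearch crashes; the thresholds are the ones this post states (vm.max_map_count of at least 1048575, 8 GB RAM), the service name elasticsearch matches the OpenCTI compose file, and the log lines in the test are constructed samples of the two messages Elasticsearch prints in these failure modes.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight and troubleshooting
# checks for the Elasticsearch container behind OpenCTI.
# Assumptions: Linux host (/proc), docker compose run from ~/opencti/docker,
# compose service named "elasticsearch".
set -eu

# Return 0 when the given vm.max_map_count value meets the post's threshold.
check_max_map_count() {
    [ "$1" -ge 1048575 ]
}

# Return 0 when total memory in kB meets the 8 GB minimum from the requirements table.
check_memory_kb() {
    [ "$1" -ge $((8 * 1024 * 1024)) ]
}

# Filter stdin (Elasticsearch log text) for the two signatures behind most
# crashes: a JVM out-of-memory error and the max_map_count bootstrap check.
scan_es_logs() {
    grep -E 'OutOfMemoryError|max virtual memory areas vm.max_map_count' | sed 's/^/ES PROBLEM: /' || true
}

# Run everything against the live host; prints each problem and returns the
# number of failed kernel/memory checks.
preflight() {
    fails=0
    mmc="$(sysctl -n vm.max_map_count 2>/dev/null || cat /proc/sys/vm/max_map_count)"
    check_max_map_count "$mmc" || { echo "vm.max_map_count=$mmc is too low"; fails=$((fails + 1)); }
    memkb="$(awk '/MemTotal/ {print $2}' /proc/meminfo)"
    check_memory_kb "$memkb" || { echo "only $((memkb / 1024)) MB RAM, 8 GB minimum"; fails=$((fails + 1)); }
    # Only look at container logs when a compose project is present here.
    if docker compose ps --services > /dev/null 2>&1; then
        docker compose logs --no-color elasticsearch 2>/dev/null | scan_es_logs
    fi
    return "$fails"
}

# Usage: sh es-preflight.sh --run   (from ~/opencti/docker)
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

A non-zero exit means a kernel or memory check failed; any "ES PROBLEM" lines point at the specific log entry. If the max_map_count line appears even though sysctl reports the right value, the setting was applied after the container started and the stack needs a restart.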

Database Authentication Failures

Ensure PostgreSQL and app credentials match in .env.

Email Validation Errors in OpenBAS

Use valid email domains; avoid .local.

Container Health Check Failures

Check resource availability, network connectivity, and port conflicts (both OpenCTI and OpenBAS are published on port 8080 in the steps above, so on a single host one of them must be remapped).

---

Performance Benchmarking and Monitoring

Monitor container resource usage:

docker stats

Use tools like Prometheus and Grafana to set up dashboards for:

- CPU, RAM usage
- Elasticsearch health
- RabbitMQ queue size

Optimize PostgreSQL and Elasticsearch configurations based on workload.

---

Integrating OpenCTI and OpenBAS with Your Security Stack

- OpenCTI + MISP: Combine structured CTI with community sharing.
- OpenBAS + SIEM: Forward simulation logs to Splunk or Elastic for correlation.
- OpenBAS + OpenCTI: Export attack simulation data to OpenCTI to enrich threat intelligence.
- Automation: Use APIs to integrate with SOAR tools for automated incident response.

---

Conclusion and Next Steps

Setting up a production-grade OpenCTI and OpenBAS environment in your home lab is a powerful way to build hands-on cybersecurity expertise. By following this guide, you've deployed scalable, secure platforms that provide rich threat intelligence and realistic attack simulations.

Next steps include:

- Exploring OpenCTI connectors and OpenBAS simulation scenario customization.
- Integrating with SIEM and SOAR tools in your lab.
- Building automated workflows for threat detection and response.
- Regularly updating and backing up your environment.

Enjoy building your proactive cybersecurity lab!

---

This blog post uses detailed research and real-world installation experience to provide a comprehensive tutorial on setting up OpenCTI and OpenBAS with useful free plugins in a home lab.