Threat Intelligence — MISP, OpenCTI, OTX
IOC sharing, threat feeds, and turning intel into detection.
Threat intelligence is the supply chain for detection. The 2024–26 reference: MISP for IOC sharing, OpenCTI for relationship modelling, AlienVault OTX as a free feed, GreyNoise / AbuseIPDB / VirusTotal for enrichment. For SIEM-side correlation see SIEM (Wazuh / Graylog). For incident response workflow see Incident Response (TheHive). For detection content see Detection (Sigma / YARA / ATT&CK). For OSINT specifically see OSINT & Recon.
CTI platforms (TIPs)
- ★ MISP (Malware Information Sharing Platform; CIRCL Luxembourg) — the reference open-source TIP; IOC sharing, taxonomies, galaxies, sightings, sync between communities. Free. Default for any blue-team building intel ops.
- ★ OpenCTI (Filigran) — graph-based threat-intel modelling; STIX 2.1 native; relationships first. Free OSS + paid Filigran-managed.
- TheHive + MISP integration — see Incident Response; MISP feeds TheHive's observables.
- Anomali ThreatStream — paid commercial TIP.
- ThreatConnect — paid.
- Mandiant Advantage — paid.
- CrowdStrike Falcon Intelligence — paid.
- Recorded Future — paid.
Free intelligence feeds
- ★ AlienVault OTX — community pulses; free; API-driven; LevelBlue (formerly AT&T Cybersecurity) maintained.
- ★ abuse.ch services:
- MalwareBazaar — sample feed.
- URLhaus — malicious URLs.
- ThreatFox — IOC database.
- Feodo Tracker — botnet C2.
- SSL Blacklist (SSLBL) — known-bad TLS certs.
- GreyNoise — "is this IP a noise scanner or a targeted threat?" Free + paid tiers.
- AbuseIPDB — IP abuse reputation. Free + paid.
- Spamhaus DROP / EDROP / DROPv6 — block-this-at-edge lists.
- DigitalSide Threat-Intel — community feed.
- CINSscore — IP reputation.
- CIRCL OSINT feed.
- VirusTotal — file / URL intel; free (limited) + paid.
- MalwareDomainList / Phishtank — older but useful.
Paid commercial feeds
- Mandiant, Recorded Future, CrowdStrike Falcon Intelligence, DomainTools, Flashpoint, Intel 471, SOCRadar, Cyble, KELA, Constella — premium curated; various depths and price points.
- Group-IB, Palo Alto Unit 42, Microsoft Threat Intelligence Center (MSTIC) — vendor reports often public, full feeds paid.
STIX / TAXII
- STIX 2.1 — structured threat info expression; the lingua franca.
- TAXII 2.x — transport for STIX.
- stix2 (Python) — official SDK.
- OASIS CTI Technical Committee maintains both.
IOC management / pivot
- IntelOwl (CERT-IT) — multi-source enrichment; free.
- Cortex — see Incident Response; analyzers run against IOCs.
- Maltego — graph pivots over OSINT + threat data.
- VirusTotal Graph — paid; visual pivot over VT corpus.
Sandbox feeds (link)
- See Malware Analysis (Sandbox) — ANY.RUN, Hybrid Analysis, VirusTotal feed back.
ATT&CK / TTPs
- ★ ★ MITRE ATT&CK — knowledge base of adversary TTPs; tactics × techniques × procedures matrix. Free. The reference vocabulary 2024–26.
- Atomic Red Team — runnable techniques; see Detection (Sigma / YARA / ATT&CK).
- CALDERA (MITRE) — automated adversary emulation.
- MITRE ATT&CK Navigator — heatmap your detection coverage.
- DeTT&CT — map detections to ATT&CK.
Detection content (link)
- See Detection (Sigma / YARA / ATT&CK) — Sigma rules, YARA rules, Suricata / Snort signatures.
Patterns to adopt
- ★ Subscribe to abuse.ch + AlienVault OTX from day one. Free, hands-off, immediate value.
- MISP only after you actually share — running a TIP without producing intel is overhead.
- STIX/TAXII contracts — when sharing with partners / ISACs, formalise.
- IOC half-life is short. Domain / IP IOCs go stale in days; hashes / TTPs live longer.
- Pivot to ATT&CK techniques. "We block IP X" is fragile; "we detect technique T1003" is durable.
Pick this if…
- Default IOC sharing platform: MISP.
- Relationship-first / graph TIP: OpenCTI.
- Free feed bundle, low effort: AlienVault OTX + abuse.ch + GreyNoise free + AbuseIPDB.
- Paid premium: Recorded Future or Mandiant Advantage.
- TTP knowledge base: MITRE ATT&CK.
- Triage-side enrichment: IntelOwl + Cortex (with TheHive).