Tooling

Threat Intelligence — MISP, OpenCTI, OTX

IOC sharing, threat feeds, and turning intel into detection.

Threat intelligence is the supply chain for detection. The 2024–26 reference: MISP for IOC sharing, OpenCTI for relationship modelling, AlienVault OTX as a free feed, GreyNoise / AbuseIPDB / VirusTotal for enrichment. For SIEM-side correlation see SIEM (Wazuh / Graylog). For incident response workflow see Incident Response (TheHive). For detection content see Detection (Sigma / YARA / ATT&CK). For OSINT specifically see OSINT & Recon.

CTI platforms (TIPs)

  • MISP (Malware Information Sharing Platform; CIRCL Luxembourg) — the reference open-source TIP; IOC sharing, taxonomies, galaxies, sightings, sync between communities. Free. Default for any blue-team building intel ops.
  • OpenCTI (Filigran) — graph-based threat-intel modelling; STIX 2.1 native; relationships first. Free OSS + paid Filigran-managed.
  • TheHive + MISP integration — see Incident Response; MISP feeds TheHive's observables.
  • Anomali ThreatStream — paid commercial TIP.
  • ThreatConnect — paid.
  • Mandiant Advantage — paid.
  • CrowdStrike Falcon Intelligence — paid.
  • Recorded Future — paid.

Free intelligence feeds

  • AlienVault OTX — community pulses; free; API-driven; LevelBlue (formerly AT&T Cybersecurity) maintained.
  • abuse.ch services:
    • MalwareBazaar — sample feed.
    • URLhaus — malicious URLs.
    • ThreatFox — IOC database.
    • Feodo Tracker — botnet C2.
    • SSL Blacklist (SSLBL) — known-bad TLS certs.
  • GreyNoise — "is this IP a noise scanner or a targeted threat?" Free + paid tiers.
  • AbuseIPDB — IP abuse reputation. Free + paid.
  • Spamhaus DROP / EDROP / DROPv6 — block-this-at-edge lists.
  • DigitalSide Threat-Intel — community feed.
  • CINSscore — IP reputation.
  • CIRCL OSINT feed.
  • VirusTotal — file / URL intel; free (limited) + paid.
  • MalwareDomainList / Phishtank — older but useful.
  • Mandiant, Recorded Future, CrowdStrike Falcon Intelligence, DomainTools, Flashpoint, Intel 471, SOCRadar, Cyble, KELA, Constella — premium curated; various depths and price points.
  • Group-IB, Palo Alto Unit 42, Microsoft Threat Intelligence Center (MSTIC) — vendor reports often public, full feeds paid.

STIX / TAXII

  • STIX 2.1 — structured threat info expression; the lingua franca.
  • TAXII 2.x — transport for STIX.
  • stix2 (Python) — official SDK.
  • OASIS CTI Technical Committee maintains both.

IOC management / pivot

  • IntelOwl (CERT-IT) — multi-source enrichment; free.
  • Cortex — see Incident Response; analyzers run against IOCs.
  • Maltego — graph pivots over OSINT + threat data.
  • VirusTotal Graph — paid; visual pivot over VT corpus.

ATT&CK / TTPs

  • ★ ★ MITRE ATT&CK — knowledge base of adversary TTPs; tactics × techniques × procedures matrix. Free. The reference vocabulary 2024–26.
  • Atomic Red Team — runnable techniques; see Detection (Sigma / YARA / ATT&CK).
  • CALDERA (MITRE) — automated adversary emulation.
  • MITRE ATT&CK Navigator — heatmap your detection coverage.
  • DeTT&CT — map detections to ATT&CK.

Patterns to adopt

  • Subscribe to abuse.ch + AlienVault OTX from day one. Free, hands-off, immediate value.
  • MISP only after you actually share — running a TIP without producing intel is overhead.
  • STIX/TAXII contracts — when sharing with partners / ISACs, formalise.
  • IOC half-life is short. Domain / IP IOCs go stale in days; hashes / TTPs live longer.
  • Pivot to ATT&CK techniques. "We block IP X" is fragile; "we detect technique T1003" is durable.

Pick this if…

  • Default IOC sharing platform: MISP.
  • Relationship-first / graph TIP: OpenCTI.
  • Free feed bundle, low effort: AlienVault OTX + abuse.ch + GreyNoise free + AbuseIPDB.
  • Paid premium: Recorded Future or Mandiant Advantage.
  • TTP knowledge base: MITRE ATT&CK.
  • Triage-side enrichment: IntelOwl + Cortex (with TheHive).

On this page