Analyzing Threat Intelligence Feeds
When to Use
Use this skill when:
- Ingesting new commercial or OSINT threat feeds and assessing their signal-to-noise ratio
- Normalizing heterogeneous IOC formats (STIX 2.1, OpenIOC, YARA, Sigma) into a unified schema
- Evaluating feed freshness, fidelity, and relevance to the organization's threat profile
- Building automated enrichment pipelines that correlate IOCs against SIEM events
Do not use this skill for raw packet capture analysis or live incident triage without first establishing a CTI baseline.
Prerequisites
- Access to a Threat Intelligence Platform (TIP) such as ThreatConnect, MISP, or OpenCTI
- API keys for at least one commercial feed (Recorded Future, Mandiant Advantage, or VirusTotal Enterprise)
- TAXII 2.1 client library (taxii2-client Python package or equivalent)
- Role with read/write permissions to the TIP's indicator database
Workflow
Step 1: Enumerate and Prioritize Feed Sources
List all available feeds categorized by type (commercial, government, ISAC, OSINT):
- Commercial: Recorded Future, Mandiant Advantage, CrowdStrike Falcon Intelligence
- Government: CISA AIS (Automated Indicator Sharing), FBI InfraGard, MS-ISAC
- OSINT: AlienVault OTX, Abuse.ch, PhishTank, Emerging Threats
Score each feed on: update frequency, historical accuracy rate, coverage of your sector, and attribution depth. Use a weighted scoring matrix with criteria from NIST SP 800-150 (Guide to Cyber Threat Information Sharing).
Step 2: Ingest via TAXII 2.1 or API
For TAXII-enabled feeds:

```shell
taxii2-client discover https://feed.example.com/taxii/
taxii2-client get-collection --collection-id <id> --since 2024-01-01
```

For REST API feeds (e.g., Recorded Future):
- Query `/v2/indicator/search` with `risk_score_min=65` to filter out low-confidence IOCs
- Apply rate limiting and exponential backoff for API resilience
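Rate limiting and exponential backoff for the REST API path above, as an added example (not code from the page or from any vendor SDK): `fetch_with_backoff` retries on 429/5xx with capped, jittered delays and honours a `Retry-After` header, and `demo_rate_limited` drops entries under the score threshold. `FakeFeed`, the page shape and the `risk_score` field are constructed stand-ins, not a real feed schema.

```python
import random
import time

RETRYABLE = {429, 500, 502, 503, 504}  # rate-limited or transient server errors


def fetch_with_backoff(request, max_attempts=5, base_delay=1.0, cap=60.0,
                       sleep=time.sleep, rng=random.random):
    """Retry request() with capped exponential backoff and full jitter.

    request: zero-argument callable returning (status_code, headers_dict, body).
    A Retry-After header overrides the computed delay. Returns (body, attempts).
    """
    for attempt in range(1, max_attempts + 1):
        status, headers, body = request()
        if status == 200:
            return body, attempt
        if status not in RETRYABLE or attempt == max_attempts:
            raise RuntimeError(f"feed request failed: HTTP {status} after {attempt} attempt(s)")
        retry_after = headers.get("Retry-After")
        if retry_after is not None:
            delay = float(retry_after)
        else:
            delay = min(cap, base_delay * 2 ** (attempt - 1)) * rng()  # full jitter
        sleep(delay)


class FakeFeed:
    """Constructed stand-in for a rate-limited feed endpoint; the scripted responses are not real data."""
    def __init__(self, responses):
        self.responses = list(responses)
        self.slept = []  # delays that would have been slept, recorded instead

    def request(self):
        return self.responses.pop(0)

    def sleep(self, seconds):
        self.slept.append(seconds)


def demo_rate_limited(min_score=65):
    """Two 429s (the first carrying Retry-After) and then a page; drop entries under min_score."""
    page = {"data": [{"value": "198.51.100.7", "risk_score": 71},
                     {"value": "203.0.113.9", "risk_score": 40}]}  # constructed shape, not a vendor schema
    feed = FakeFeed([(429, {"Retry-After": "2"}, None), (429, {}, None), (200, {}, page)])
    body, attempts = fetch_with_backoff(feed.request, sleep=feed.sleep, rng=lambda: 0.5)
    kept = [d["value"] for d in body["data"] if d["risk_score"] >= min_score]
    return kept, attempts, feed.slept
```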
Step 3: Normalize to STIX 2.1
Convert each IOC to STIX 2.1 objects using the OASIS standard schema:
- IP address → `indicator` object with `pattern: "[ipv4-addr:value = '...']"`
- Domain → `indicator` object with `pattern: "[domain-name:value = '...']"`
- File hash → `indicator` object with `pattern: "[file:hashes.'SHA-256' = '...']"` (hash algorithm names containing a hyphen must be single-quoted inside a STIX pattern)
Attach `relationship` objects linking indicators to `threat-actor` or `malware` objects. Set the `confidence` field (0–100) based on the source fidelity rating.
Step 4: Deduplicate and Enrich
Run deduplication against existing TIP database using normalized value + type as composite key. Enrich surviving IOCs:
- VirusTotal: detection ratio, sandbox behavior reports
- PassiveTotal (RiskIQ): WHOIS history, passive DNS, SSL certificate chains
- Shodan: banner data, open ports, geographic location
Step 5: Distribute to Consuming Systems
Export enriched indicators via TAXII 2.1 push to SIEM (Splunk, Microsoft Sentinel), firewalls (via Palo Alto XSOAR playbooks), and EDR platforms. Set a TTL (time-to-live) per indicator type: IP addresses 30 days, domains 90 days, file hashes 1 year.
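Steps 3, 4 and 5 carried through in one added example (not the page's or any TIP's own code): raw feed records become STIX 2.1 `indicator` dicts whose `confidence` is derived from the source fidelity rating and whose `valid_until` enforces the per-type TTL, then are deduplicated on the (type, normalized value) composite key, keeping the highest-confidence copy. `FEED_RECORDS`, `SAMPLE_NOW` and the fidelity values are constructed, and the block uses only the standard library rather than the `stix2` package so it runs anywhere.

```python
import uuid
from datetime import datetime, timedelta, timezone

TTL_DAYS = {"ipv4-addr": 30, "domain-name": 90, "file": 365}  # Step 5 TTL policy, in days
PATTERNS = {  # Step 3 STIX 2.1 pattern templates
    "ipv4-addr": "[ipv4-addr:value = '{v}']",
    "domain-name": "[domain-name:value = '{v}']",
    "file": "[file:hashes.'SHA-256' = '{v}']",  # hyphenated hash names must be quoted
}
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FEED_RECORDS = [  # constructed records as two feeds might deliver them (RFC 5737 IP, dummy hash)
    {"type": "domain-name", "value": "Example.COM.", "fidelity": 0.60},
    {"type": "domain-name", "value": "example.com", "fidelity": 0.90},
    {"type": "ipv4-addr", "value": " 198.51.100.7 ", "fidelity": 0.75},
    {"type": "file", "value": "A" * 64, "fidelity": 0.80},
    {"type": "file", "value": "a" * 64, "fidelity": 0.50},
]


def normalize(ioc_type, value):  # canonical form for the Step 4 key: trimmed, lower-cased, no trailing dot
    v = value.strip().lower()
    return v.rstrip(".") if ioc_type == "domain-name" else v


def to_indicator(ioc_type, value, fidelity, now):
    """Build a STIX 2.1 indicator; confidence maps the feed's fidelity (0.0-1.0) onto 0-100."""
    v = normalize(ioc_type, value)
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    until = (now + timedelta(days=TTL_DAYS[ioc_type])).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts,
        "pattern_type": "stix",
        "pattern": PATTERNS[ioc_type].format(v=v),
        "valid_from": ts, "valid_until": until,  # TTL expressed as the indicator's validity window
        "confidence": int(round(fidelity * 100)),
    }


def normalize_feed(records, now=None):
    """Convert records and deduplicate on (type, normalized value), keeping the highest confidence."""
    now = now or datetime.now(timezone.utc)
    best = {}
    for r in records:
        key = (r["type"], normalize(r["type"], r["value"]))
        ind = to_indicator(r["type"], r["value"], r["fidelity"], now)
        if key not in best or ind["confidence"] > best[key]["confidence"]:
            best[key] = ind
    return [best[k] for k in sorted(best)]
```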
Key Concepts
| Term | Definition |
|---|---|
| STIX 2.1 | Structured Threat Information Expression — OASIS standard JSON schema for CTI objects including indicators, threat actors, campaigns, and relationships |
| TAXII 2.1 | Trusted Automated eXchange of Intelligence Information — HTTPS-based protocol for sharing STIX content between servers and clients |
| IOC | Indicator of Compromise — observable artifact (IP, domain, hash, URL) that indicates a system may have been breached |
| TLP | Traffic Light Protocol — color-coded classification (RED/AMBER/GREEN/WHITE) defining sharing restrictions for CTI; TLP 2.0 renames WHITE to CLEAR and adds AMBER+STRICT, so check which version a sharing partner uses |
| Confidence Score | Numeric value (0–100 in STIX) reflecting the producer's certainty about an indicator's malicious attribution |
| Feed Fidelity | Historical accuracy rate of a feed measured by true positive rate in production detections |
Tools & Systems
- ThreatConnect TC Exchange: Aggregates 100+ commercial and OSINT feeds; provides automated playbooks for IOC enrichment
- MISP (Malware Information Sharing Platform): Open-source TIP supporting STIX/TAXII; widely used by ISACs and government CERTs
- OpenCTI: Open-source platform with native MITRE ATT&CK integration and graph-based relationship visualization
- Recorded Future: Commercial feed with AI-powered risk scoring and real-time dark web monitoring
- taxii2-client: Python library for TAXII 2.0/2.1 client operations (pip install taxii2-client)
- PyMISP: Python API for MISP feed management and IOC submission
Common Pitfalls
- IOC age staleness: IP addresses and domains rotate frequently; applying 1-year-old IOCs generates false positives. Enforce TTL policies.
- Missing context: Blocking an IOC without understanding the associated campaign or adversary can disrupt legitimate business traffic (e.g., CDN IPs shared with malicious actors).
- Feed overlap without deduplication: Ingesting the same IOC from five feeds without deduplication inflates indicator counts and SIEM rule complexity.
- TLP violation: Redistributing RED-classified intelligence outside authorized boundaries violates sharing agreements and trust relationships.
- Over-blocking on low-confidence indicators: Indicators with confidence below 50 should trigger detection-only rules, not blocking, to avoid operational disruption.