Threat intelligence is information about current threats that helps you make better security decisions. You don’t need a $100,000/year threat intel subscription — there are excellent free feeds covering malicious IPs, domains, file hashes, and vulnerability data. This guide shows you how to consume and operationalize free threat intelligence.
Types of Threat Intelligence
# Strategic: High-level trends (nation-state activity, ransomware groups)
# Tactical: Attack techniques, TTPs (Tactics, Techniques, and Procedures)
# Operational: Active campaigns, specific threat actors
# Technical: Indicators of Compromise (IOCs): IP addresses, domains, file hashes
# We'll focus on Technical TI (most actionable for defenders)
Free Threat Intelligence Sources
# IP/Domain Reputation:
# AlienVault OTX: otx.alienvault.com (free API, millions of IOCs)
# Abuse.ch: abuse.ch (malware and C2 infrastructure)
# Emerging Threats: rules.emergingthreats.net (Suricata/Snort rules)
# Spamhaus: spamhaus.org (email and spam threat data)
# URLhaus: urlhaus.abuse.ch (malicious URLs)
# ThreatFox: threatfox.abuse.ch (IOCs for malware families)
# File Hash Reputation:
# VirusTotal: virustotal.com (multi-AV scanning, free API)
# MalwareBazaar: bazaar.abuse.ch (malware samples database)
# Vulnerability Intel:
# CISA KEV: cisa.gov/known-exploited-vulnerabilities-catalog
# NVD: nvd.nist.gov (CVE database)
# ExploitDB: exploit-db.com (public exploit database)
Consuming Threat Intelligence with APIs
# AlienVault OTX - Python integration:
# pip install OTXv2
from OTXv2 import OTXv2, IndicatorTypes

otx = OTXv2("YOUR_FREE_API_KEY")  # Free at otx.alienvault.com

# Check if an IP is malicious: an IP with one or more OTX pulses has been reported by the community
def check_ip(ip_address):
    try:
        result = otx.get_indicator_details_full(IndicatorTypes.IPv4, ip_address)
        pulses = len(result.get('general', {}).get('pulse_info', {}).get('pulses', []))
        return {
            'ip': ip_address,
            'malicious': pulses > 0,
            'pulse_count': pulses,
            'country': result.get('general', {}).get('country_name', 'Unknown')
        }
    except Exception:
        # Lookup failed (network error, rate limit, bad key): flag it as an error
        # rather than silently reporting the IP as clean
        return {'ip': ip_address, 'malicious': False, 'error': 'lookup failed'}

# Check a file hash:
result = otx.get_indicator_details_full(IndicatorTypes.FILE_HASH_MD5,
                                        "31d6cfe0d16ae931b73c59d7e0c089c0")
print(result['general']['pulse_info'])
Integrating Threat Feeds with Wazuh
# Wazuh CDB (Constant Database) lists for IOC blocking:
# Step 1: Download the malicious IP list and convert it to CDB "key:value" format.
# The Feodo feed is one IP per line with "#" comment lines; curl must write to stdout
# (not -o) for the pipe to receive anything, and blank lines are skipped so they do not
# produce an empty key:
curl -s "https://feodotracker.abuse.ch/downloads/ipblocklist.txt" | grep -v "^#" | awk 'NF {print $1 ":malicious"}' > /var/ossec/etc/lists/malicious-ips
# Step 2: Configure Wazuh to use the list (ossec.conf), then restart the manager so the list is compiled:
# <ruleset>
#   <list>etc/lists/malicious-ips</list>
# </ruleset>
# Step 3: Create a rule (local_rules.xml) that fires when a logged connection's source IP matches the list.
# The parent group must be one whose decoded events carry a srcip field (firewall is used here;
# sshd or web also work). syscheck (file integrity) events have no srcip, so a rule under it never matches:
# <rule id="100100" level="12">
#   <if_group>firewall</if_group>
#   <list field="srcip" lookup="match_key">etc/lists/malicious-ips</list>
#   <description>Connection to known malicious IP from Feodo tracker</description>
# </rule>
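As an added example (not code from the original guide), the same feed-to-CDB conversion as the curl pipeline above, done in Python so that comment lines, blank lines, duplicates and malformed entries are handled explicitly, plus the srcip lookup the Wazuh rule performs, run over constructed log lines. The feed text and log lines are constructed samples, not a real download.

```python
import ipaddress
import re

# Constructed sample of a Feodo Tracker-style block list (not a real download):
# '#' comment header, a blank line, one address per line, some bad entries.
SAMPLE_FEED = """\
# Feodo Tracker Botnet C2 IP Blocklist (constructed sample)
# Last updated: 2024-01-01 00:00:00 UTC

192.0.2.10
198.51.100.7   # inline comment
not-an-ip
203.0.113.99
192.0.2.10
"""

def feed_to_cdb(feed_text, value="malicious"):
    """Convert a '#'-commented IP list to Wazuh CDB 'key:value' lines.
    Comments, blank lines, duplicates and non-IPv4 tokens are dropped,
    so one malformed feed line cannot break the compiled list."""
    seen, out = set(), []
    for raw in feed_text.splitlines():
        token = raw.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            ip = str(ipaddress.IPv4Address(token))
        except ValueError:
            continue
        if ip not in seen:
            seen.add(ip)
            out.append(f"{ip}:{value}")
    return "\n".join(out) + "\n"

def load_cdb(cdb_text):
    """Parse CDB 'key:value' text into a dict for offline lookups."""
    return dict(line.split(":", 1) for line in cdb_text.splitlines() if ":" in line)

# Constructed firewall-style log lines carrying a srcip= field.
SAMPLE_LOGS = [
    "fw: action=allow srcip=10.0.0.5 dstip=203.0.113.99 dport=443",
    "fw: action=allow srcip=198.51.100.7 dstip=10.0.0.5 dport=22",
    "fw: action=allow srcip=10.0.0.6 dstip=93.184.216.34 dport=443",
]
SRCIP_RE = re.compile(r"\bsrcip=(\d{1,3}(?:\.\d{1,3}){3})")

def match_logs(log_lines, table):
    """Return lines whose srcip is a key in the list, the same check the
    Wazuh rule makes with <list field="srcip" lookup="match_key">."""
    return [l for l in log_lines if (m := SRCIP_RE.search(l)) and m.group(1) in table]
```

Only the second sample line matches: a srcip-keyed rule sees inbound traffic from listed addresses, while the first line (an outbound connection to a listed C2 address) goes unmatched. Add a second rule keyed on dstip if you want outbound beaconing flagged too.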
VirusTotal API for File Scanning
# Automatically scan uploaded files or suspicious hashes:
# pip install vt-py
import vt
import asyncio

# Free API: 4 requests/minute, 500/day
# Note: files uploaded to VirusTotal are shared with other users; if the file may be
# sensitive, look up its hash first instead of uploading it
async def scan_file(filepath):
    async with vt.Client("YOUR_FREE_VT_API_KEY") as client:
        with open(filepath, "rb") as f:
            analysis = await client.scan_file_async(f)
        # Poll until the analysis finishes; each poll costs one API request
        while True:
            result = await client.get_object_async(f"/analyses/{analysis.id}")
            if result.status == "completed":
                stats = result.stats
                total = sum(stats.values())
                # More than 3 engines flagging the file is the threshold used here
                if stats["malicious"] > 3:
                    print(f"MALICIOUS: {stats['malicious']}/{total} detections")
                else:
                    print(f"Below threshold: {stats['malicious']}/{total} detections")
                break
            await asyncio.sleep(5)

asyncio.run(scan_file("suspicious_file.exe"))
MITRE ATT&CK: Structured Threat Intelligence
# ATT&CK maps attacker techniques to tactics:
# attack.mitre.org - free, comprehensive
# Real usage: You find a Cobalt Strike beacon
# ATT&CK mapping:
# Execution: T1059.001 (PowerShell)
# Persistence: T1053.005 (Scheduled Task)
# C2: T1071.001 (Web Protocols)
# Exfiltration: T1048 (Exfil over Alternative Protocol)
# Use this to:
# 1. Search your SIEM logs for the other techniques in the same campaign
# 2. Identify detection gaps (do you have rules for T1053.005?)
# 3. Communicate clearly with management about what attackers did
# Free ATT&CK tooling:
# ATT&CK Navigator: attack.mitre.org/resources/attack-navigator
# Visualize your coverage/gaps against ATT&CK framework
Wrap Up
Free threat intelligence is more than adequate for most organizations. OTX for IOC lookups, Feodo tracker and URLhaus for feed-based blocking, VirusTotal for file reputation, and MITRE ATT&CK for technique-level understanding. The key is operationalizing the intelligence — getting it into your SIEM, firewall, and DNS blocking where it actually stops attacks.