OpenCTI and Free Threat Intelligence: Build a CTI Program from Scratch

OpenCTI (Open Cyber Threat Intelligence) is a free, open-source platform that organizes threat intelligence using the STIX 2.1 standard. It lets you store, analyze, and share data about threat actors, campaigns, malware, attack patterns, and indicators of compromise. Used by NATO, Airbus, and hundreds of CERTs worldwide, OpenCTI rivals paid platforms like Recorded Future and ThreatConnect in capabilities — at zero cost.

What is Threat Intelligence?

Threat intelligence is knowledge about threats — specifically, actionable knowledge that helps you make better security decisions. Good threat intel answers questions like: “Who is targeting my industry right now? What malware are they using? What domains should I block? How do I detect this specific attacker in my environment?”

Without threat intelligence, security teams respond to every alert in isolation. With good threat intel, you can proactively block known attacker infrastructure, hunt for specific TTPs, and prioritize patches based on active exploitation in the wild.

Free Threat Intelligence Sources

| Source | Type | URL/Access |
| --- | --- | --- |
| MITRE ATT&CK | Adversary TTPs | attack.mitre.org (free) |
| AlienVault OTX | IoCs (IPs, domains, hashes) | otx.alienvault.com (free) |
| VirusTotal | File/URL/IP analysis | virustotal.com (free tier) |
| AbuseIPDB | Malicious IP reports | abuseipdb.com (free tier) |
| Shodan | Internet-exposed assets | shodan.io (free tier) |
| URLhaus | Malware distribution URLs | urlhaus.abuse.ch (free) |
| CISA Known Exploited | Actively exploited CVEs | cisa.gov/known-exploited-vulnerabilities (free) |
| Threatfox | Malware IoCs | threatfox.abuse.ch (free) |
| OpenCTI | Full CTI platform | github.com/OpenCTI-Platform (free + self-hosted) |

Installing OpenCTI

# Requirements: 8GB RAM, Docker, Docker Compose
# Full install time: about 30 minutes

# Clone repository
git clone https://github.com/OpenCTI-Platform/docker.git opencti-docker
cd opencti-docker

# Configure environment
cp .env.sample .env
nano .env  # Set OPENCTI_ADMIN_EMAIL, OPENCTI_ADMIN_PASSWORD, etc.

# Generate UUIDs for tokens
cat /proc/sys/kernel/random/uuid  # Run this 3x for 3 different tokens

# Start OpenCTI
docker-compose up -d

# Access at http://localhost:8080
# Default: admin@opencti.io / OPENCTI_ADMIN_PASSWORD

# Check all services are running
docker-compose ps

# View logs
docker-compose logs -f opencti

Connecting Free Intelligence Feeds

# OpenCTI uses "connectors" to import threat intel
# Navigate to: Data > Import > Connectors

# Enable these free connectors:

# 1. MITRE ATT&CK (built-in, provides adversary TTPs)
# Settings > MITRE ATT&CK Connector > Activate

# 2. AlienVault OTX
# Get free API key at: https://otx.alienvault.com/api
CONNECTOR_ID=OTX_CONNECTOR_UUID
OTX_API_KEY=your_api_key_here

# 3. CISA Known Exploited Vulnerabilities
# Settings > CISA KEV Connector > Activate (no API key needed)

# 4. Abuse.ch (URLhaus, ThreatFox, MalwareBazaar)
# Connector automatically imports daily feeds

# 5. Manual feed import (STIX bundles)
# Data > Import > Upload STIX 2.1 file

Using OpenCTI for Threat Analysis

Investigating an IP Address

# OpenCTI API: Search for an IP address
# The GraphQL query is a JSON string value, so the quotes inside it must be escaped as \"
curl -X POST http://opencti:8080/graphql \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "{ stixCyberObservables(filters: [{key: \"value\", values: [\"185.220.101.45\"]}]) { edges { node { id entity_type ... on IPv4Addr { value } } } } }"
  }'

# Get threat actors associated with an IP
# Use OpenCTI Graph Investigation:
# 1. Search for IP address
# 2. Click "Graph"
# 3. Expand relationships: Campaign, Threat Actor, Malware, Indicator

Python Integration: Automated IoC Enrichment

# Install OpenCTI Python SDK
pip3 install pycti

# Example: Check if an IP is a known IoC in OpenCTI
import os
from pycti import OpenCTIApiClient

# Read the API token from the environment instead of hardcoding it in the script
# (OPENCTI_TOKEN is the variable name used here; pick your own)
client = OpenCTIApiClient(
    url="http://localhost:8080",
    token=os.environ["OPENCTI_TOKEN"],
)

def check_ioc(ip_address):
    """Look up an IP observable in OpenCTI and list what it is related to.

    An observable being present only means the platform has seen the value;
    the linked relationships (and any Indicator built on it) carry the
    judgement about maliciousness, so print them alongside the hit.
    """
    result = client.stix_cyber_observable.list(
        filters=[{"key": "value", "values": [ip_address]}]
    )
    if not result:
        print(f"Not found in CTI: {ip_address}")
        return
    for obs in result:
        print(f"KNOWN BAD: {ip_address}")
        print(f"  Type: {obs['entity_type']}")
        print(f"  Confidence: {obs.get('confidence', 'N/A')}")
        # Relationships where this observable is the source side
        relationships = client.stix_core_relationship.list(fromId=obs['id'])
        for rel in relationships:
            # pycti returns the target as a nested object; field names follow the
            # StixCoreRelationship schema and may differ between pycti versions
            target = rel.get('to') or {}
            print(f"  {rel.get('relationship_type')} -> "
                  f"{target.get('entity_type')} ({target.get('id')})")

check_ioc("185.220.101.45")

MISP Integration for IoC Sharing

# Connect MISP to OpenCTI for bidirectional sharing
# In OpenCTI connector settings:
MISP_URL=http://your-misp-instance
MISP_KEY=your_misp_api_key
# false is a lab-only shortcut: it lets anyone on the path present a forged
# certificate and read the API key. Use true with a valid certificate on MISP.
MISP_SSL_VERIFY=false

# Push enriched IoCs from OpenCTI back to MISP for blocking at perimeter
# MISP can then push to Palo Alto/Fortinet/Cisco via threat feeds

Practical Threat Intelligence Workflow

# Daily SOC workflow using free threat intel:

# Step 1: Morning intel briefing
# - Check CISA KEV for new actively exploited CVEs
curl https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json \
  | jq '.vulnerabilities[] | select(.dateAdded > "2024-01-01")
        | {cveID, vendorProject, product, vulnerabilityName}'

# Step 2: Block today's malicious infrastructure (URLhaus feed)
curl https://urlhaus.abuse.ch/downloads/csv/ -o urlhaus.csv
# Import domains/IPs into DNS sinkhole or firewall

# Step 3: Check if your environment has vulnerable software (CISA KEV)
# Compare CISA KEV against your vulnerability scanner results
python3 match_kev_to_vulns.py

# Step 4: Threat actor hunting
# Search SIEM for IoCs from OpenCTI matching your sector's threat actors
# For finance sector: focus on Lazarus Group, FIN7, Carbanak TTPs
# For healthcare: focus on Hive, ALPHV/BlackCat, Royal ransomware

# Step 5: Feed enriched alerts back to MISP
# Any confirmed incident creates new IoCs that get shared with the community
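
Step 3 invokes a match_kev_to_vulns.py that the page does not show. The following is an added example of such a script, not the author's: it joins the KEV catalog against scanner output on CVE ID and orders hits by CISA due date and known ransomware use. The KEV excerpt and scanner CSV are constructed samples (placeholder CVE IDs; the scanner column names are an assumption).

```python
import csv
import io
import json
from datetime import date

# Constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json
# (placeholder CVE IDs, not real catalog entries).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Agent",
     "dueDate": "2024-03-31", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner export; the column names are an assumption (scanners differ).
SCAN_SAMPLE = """host,cve,severity
web01,CVE-0000-0001,high
web01,CVE-0000-9999,critical
db02,CVE-0000-0002,medium
db02,CVE-0000-0001,high
"""

def load_kev(kev_json):
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}  # by CVE ID

def load_scan(scan_csv):
    return list(csv.DictReader(io.StringIO(scan_csv)))  # one dict per finding

def match_kev(kev, findings, today):
    """Findings present in KEV, most urgent first: past CISA due date, then known
    ransomware use, then earliest due date. Scanner severity is ignored on purpose:
    active exploitation outranks a CVSS-derived rating."""
    hits = []
    for f in findings:
        entry = kev.get(f["cve"].strip().upper())
        if entry is None:
            continue  # not in KEV: handled by the normal patch cycle
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"host": f["host"], "cve": entry["cveID"], "due": due.isoformat(),
                     "product": f"{entry['vendorProject']} {entry['product']}",
                     "overdue": due < today,
                     "ransomware": entry["knownRansomwareCampaignUse"] == "Known"})
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["due"], h["host"]))
    return hits

def demo_hits():
    return match_kev(load_kev(KEV_SAMPLE), load_scan(SCAN_SAMPLE), date(2024, 3, 15))

if __name__ == "__main__":
    for h in demo_hits():
        status = "OVERDUE" if h["overdue"] else "due " + h["due"]
        print(f"{h['host']:6} {h['cve']}  {h['product']:22} {status}")
```

In production, read the two inputs from the downloaded KEV file and your scanner's export instead of the embedded samples.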

Building Threat Profiles for Your Industry

Different industries face different threat actors. Here is how to use free resources to build a threat profile:

# Step 1: Find threat actors targeting your industry using ATT&CK
# Go to attack.mitre.org > Groups > Filter by "Healthcare" or your sector

# Step 2: Download the ATT&CK STIX bundle and list the groups that target your sector
python3 -c "
import requests
# Enterprise ATT&CK as a STIX 2 bundle, maintained by MITRE
resp = requests.get('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json', timeout=60)
resp.raise_for_status()
data = resp.json()
for obj in data['objects']:
    # Revoked and deprecated groups stay in the bundle; skip them
    if obj.get('type') != 'intrusion-set' or obj.get('revoked') or obj.get('x_mitre_deprecated'):
        continue
    # ATT&CK records sector targeting in the group's description text
    if 'healthcare' in obj.get('description', '').lower():
        print(obj['name'], obj.get('x_mitre_attack_spec_version', ''))
"

# Step 3: Map their techniques to your detection coverage
# Use ATT&CK Navigator to create a heat map:
# - Red: Techniques with no detection
# - Yellow: Partial detection
# - Green: Full detection with alerting

Threat intelligence transforms security from reactive to proactive. With free tools like OpenCTI, MISP, AlienVault OTX, and CISA’s KEV catalog, even small security teams can access enterprise-grade intelligence. The key is operationalizing that intelligence — turning data about what attackers do into specific SIEM rules, firewall blocks, and hunting queries that are relevant to your environment and threat landscape.