Threat Intelligence Platforms (TIP): MISP and OpenCTI

Updated Apr 21, 2026

Definition

A Threat Intelligence Platform (TIP) is a software system used to aggregate, correlate, and analyze threat data from multiple sources. It acts as the "brain" of the CTI operations, storing millions of IOCs and linking them to specific campaigns.

Purpose and Core Idea

A CTI team receives data from:

  1. Open Source feeds (OSINT)
  2. Commercial vendors (Paid feeds)
  3. Internal SIEM alerts
  4. Industry peers (ISACs)

Managing this in spreadsheets does not scale. A TIP automates ingestion, normalises and deduplicates the indicators, correlates sightings across sources, and enriches them (e.g., automatically querying VirusTotal about a newly seen hash) before anything reaches an analyst or a control.

Popular Platforms

1. MISP (Malware Information Sharing Platform)

  • Type: Open Source; the de facto standard for indicator sharing.
  • Core Feature: Sharing. MISP instances push and pull "Events" to each other over server-to-server sync, with distribution levels controlling how far an event may travel. It is the backbone of many National CERTs and ISACs.
  • Data Model: Events contain Attributes (IP, hash, domain) that can be grouped into Objects; attributes and events can be tagged (e.g., TLP) and mapped to MITRE ATT&CK through galaxy clusters.
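The aggregation, deduplication and enrichment steps described under "Purpose and Core Idea", and the Event/Attribute/Tag structure described above, as an added example. This is not MISP's own code or its API: the four feeds, the offline reputation table standing in for VirusTotal, and the to_ids policy are all constructed for illustration, and the output is a MISP-shaped JSON document you could inspect before pushing it through PyMISP or the REST API.

```python
"""Added example (not MISP's own code): aggregate indicators from several
sources, normalise and deduplicate them, enrich them from a reputation lookup,
and emit a MISP-style Event. Feed contents, the reputation table and the
to_ids threshold are all constructed for illustration."""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample inputs standing in for the four source types on the page.
# They overlap, use mixed case and stray whitespace, and one contains an
# internal address that must not be shared.
SOURCES = {
    "osint-feed":  ["203.0.113.45", "Evil-Update.example ", "203.0.113.45"],
    "vendor-feed": ["44d88612fea8a8f36de82e1278abb02f", "evil-update.example"],
    "siem-alerts": ["203.0.113.45", "10.0.0.5"],
    "isac-share":  ["44D88612FEA8A8F36DE82E1278ABB02F", "198.51.100.7"],
}

# Constructed offline stand-in for a VirusTotal-style lookup (no network).
REPUTATION = {
    "44d88612fea8a8f36de82e1278abb02f": {"malicious": 58, "family": "EICAR-Test-File"},
    "evil-update.example": {"malicious": 12},
    "198.51.100.7": {"malicious": 0},
}

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"^[0-9a-f]+$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
CATEGORY = {"md5": "Payload delivery", "sha1": "Payload delivery",
            "sha256": "Payload delivery", "ip-dst": "Network activity",
            "domain": "Network activity"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalise(raw):
    """Map a raw string to a (misp_type, value) pair, or None if unrecognised."""
    value = raw.strip().lower()
    try:
        ipaddress.IPv4Address(value)
        return "ip-dst", value
    except ValueError:
        pass
    if HEX.match(value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)], value
    if DOMAIN.match(value):
        return "domain", value
    return None


def is_internal(ip):
    """RFC 1918 space is our own network and never leaves the organisation."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def aggregate(sources):
    """Normalise, drop unrecognised and internal values, and merge duplicates,
    keeping the set of sources that reported each IOC (the correlation step)."""
    seen_by = defaultdict(set)
    for source, raws in sources.items():
        for raw in raws:
            parsed = normalise(raw)
            if parsed is None:
                continue
            misp_type, value = parsed
            if misp_type == "ip-dst" and is_internal(value):
                continue
            seen_by[(misp_type, value)].add(source)
    return seen_by


def enrich(misp_type, value, sources, reputation=REPUTATION):
    """Attach reputation data and set MISP's to_ids flag, which marks an
    attribute as fit to push to blocking controls. The threshold used here
    (a malicious verdict, or two independent sources) is a constructed policy."""
    rep = reputation.get(value, {})
    to_ids = rep.get("malicious", 0) > 0 or len(sources) >= 2
    comment = "sources: " + ", ".join(sorted(sources))
    if "family" in rep:
        comment += f"; family={rep['family']}"
    return {"type": misp_type, "category": CATEGORY[misp_type], "value": value,
            "to_ids": to_ids, "comment": comment,
            "Tag": [{"name": "tlp:amber"}]}


def build_event(sources, info, technique_tag):
    """Assemble a MISP Event: a TLP tag plus an ATT&CK galaxy tag at event
    level, enriched attributes underneath."""
    attributes = [enrich(t, v, s) for (t, v), s in sorted(aggregate(sources).items())]
    return {"Event": {
        "info": info,
        "threat_level_id": "2",      # medium
        "analysis": "1",             # ongoing
        "distribution": "1",         # this community only
        "Tag": [{"name": "tlp:amber"}, {"name": technique_tag}],
        "Attribute": attributes,
    }}


if __name__ == "__main__":
    event = build_event(SOURCES, "Constructed banking trojan campaign",
                        'misp-galaxy:mitre-attack-pattern="Phishing - T1566"')
    print(json.dumps(event, indent=2))
```

Running it yields four attributes from nine raw entries: the internal 10.0.0.5 is dropped, the hash seen by both the vendor and the ISAC is merged into one attribute, and only 198.51.100.7 (one source, clean reputation) is left with to_ids false so it is stored for context but not pushed to a firewall.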

2. OpenCTI

  • Type: Open Source core, built on the STIX 2.1 data model (a commercial enterprise edition also exists).
  • Core Feature: Knowledge Graph. Every entity and relationship is stored as a STIX object, so instead of a flat list of IPs it shows chains such as APT29 -> uses -> Cobalt Strike -> hosted on -> 1.2.3.4 and lets an analyst pivot along them.
  • Integration: Connectors import feeds and export indicators to SIEM/EDR tooling such as Splunk or Elastic, where they become detection or blocking content.
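The knowledge-graph point above, as an added example that is not OpenCTI's code: a small STIX 2.1 bundle of the kind OpenCTI stores, plus a walk over its relationships that answers "which observables are linked to APT29?". The chain APT29 -> Cobalt Strike -> 1.2.3.4 is the page's own illustration; the infrastructure names, the unrelated scanner, the timestamp and the UUID namespace are constructed. Note that STIX expresses "hosted on" from the other side (infrastructure hosts tool), which is why the walk follows edges in both directions.

```python
"""Added example (not OpenCTI's own code): build a small STIX 2.1 graph and
walk it to find the observables linked to an intrusion set. Names, the
unrelated infrastructure, the timestamp and the UUID namespace are constructed."""
import json
import uuid
from collections import defaultdict, deque

NS = uuid.UUID("8b6e4b6c-3c1a-4e7e-9e2b-1f3d6a0c5e21")   # constructed namespace
TS = "2026-04-21T00:00:00.000Z"                         # constructed timestamp


def stix_object(obj_type, key, **props):
    """Build a STIX 2.1 object. Ids are UUIDv5 over a key so the graph is
    reproducible; real tooling normally uses random UUIDv4 for SDOs."""
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": f"{obj_type}--{uuid.uuid5(NS, f'{obj_type}:{key}')}"}
    if obj_type != "ipv4-addr":           # cyber observables carry no timestamps
        obj.update({"created": TS, "modified": TS})
    obj.update(props)
    return obj


def relationship(rel_type, source, target):
    """STIX Relationship Object; direction follows the STIX 2.1 vocabulary
    (intrusion-set uses tool, infrastructure hosts tool, infrastructure
    consists-of ipv4-addr)."""
    key = f"{source['id']}|{rel_type}|{target['id']}"
    return stix_object("relationship", key, relationship_type=rel_type,
                       source_ref=source["id"], target_ref=target["id"])


def build_bundle():
    actor = stix_object("intrusion-set", "APT29", name="APT29")
    tool = stix_object("tool", "Cobalt Strike", name="Cobalt Strike")
    c2 = stix_object("infrastructure", "c2", name="C2 team server (constructed)",
                     infrastructure_types=["command-and-control"])
    c2_ip = stix_object("ipv4-addr", "1.2.3.4", value="1.2.3.4")
    # An unrelated piece of infrastructure: it would sit next to 1.2.3.4 in a
    # flat IOC list, but it has no path to APT29 in the graph.
    scanner = stix_object("infrastructure", "scanner",
                          name="Unrelated scanner (constructed)",
                          infrastructure_types=["reconnaissance"])
    scanner_ip = stix_object("ipv4-addr", "203.0.113.9", value="203.0.113.9")
    objects = [actor, tool, c2, c2_ip, scanner, scanner_ip,
               relationship("uses", actor, tool),
               relationship("hosts", c2, tool),
               relationship("consists-of", c2, c2_ip),
               relationship("consists-of", scanner, scanner_ip)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid5(NS, 'bundle')}",
            "objects": objects}


def build_graph(bundle):
    """Adjacency list keyed by STIX id. Every edge is stored in both directions
    so a walk can follow 'hosts' from the tool back to the infrastructure."""
    nodes = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    edges = defaultdict(list)
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            edges[o["source_ref"]].append((o["relationship_type"], o["target_ref"]))
            edges[o["target_ref"]].append((f"{o['relationship_type']} (reverse)",
                                           o["source_ref"]))
    return nodes, edges


def label(node):
    return node.get("name") or node.get("value") or node["id"]


def observables_for(bundle, actor_name):
    """Breadth-first walk from the named intrusion set. Returns a mapping of
    observable value -> the path of labels and relationship types that links
    it to the actor, which is the pivot an analyst does in the OpenCTI UI."""
    nodes, edges = build_graph(bundle)
    start = next(i for i, n in nodes.items() if n.get("name") == actor_name)
    found, seen = {}, {start}
    queue = deque([(start, [label(nodes[start])])])
    while queue:
        node_id, path = queue.popleft()
        if nodes[node_id]["type"] == "ipv4-addr":
            found[nodes[node_id]["value"]] = path
            continue
        for rel_type, next_id in edges[node_id]:
            if next_id not in seen:
                seen.add(next_id)
                queue.append((next_id, path + [rel_type, label(nodes[next_id])]))
    return found


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    for value, path in observables_for(bundle, "APT29").items():
        print(value, "<-", " -> ".join(path))
```

The query returns only 1.2.3.4, with the full path through Cobalt Strike and the C2 infrastructure; 203.0.113.9 is in the same bundle but never surfaces, which is the difference between a graph and a list of IPs.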

Mini Case Study: The Financial Services ISAC (FS-ISAC)

Banks are fierce competitors, but they share threat data.

  • The Workflow: When Bank A is hit by a new banking trojan, it uploads the IOCs (with the victim's identity anonymised) to the ISAC's MISP instance.
  • The Benefit: Banks B, C and D automatically pull those IOCs into their own TIPs and from there into firewalls and detection rules within minutes. Bank A's loss becomes the community's immunity.

Usage in Real CTI Workflows

The TIP is the central hub. It receives OSINT and other feeds, normalises them into STIX objects, exchanges them with peers over TAXII, and sends actionable intelligence to the SOC.
