Building Your Own Threat Intelligence Feed with Open Source Tools


Threat intelligence is one of those terms the vendor community has thoroughly ruined. If you listen to the marketing, you’d think it requires a six-figure platform license and a dedicated analyst team. In practice, a security practitioner with a home lab, a few hours, and the right open source tools can build a functional threat intel pipeline that feeds real value into detection rules, firewall blocklists, and incident response workflows.

This is a practical walkthrough of what that looks like — free, self-hosted, and actually useful.

What Threat Intelligence Actually Is

Before the tools: a definition that cuts through the noise. Threat intelligence is contextualized information about adversary behavior that is actionable for a specific defender. The operative word is actionable. A list of IP addresses with no context is data. Knowing that a specific IP range is associated with a threat actor targeting SMBs in the financial sector, combined with their preferred TTPs and indicators, is intelligence.

Most “threat intelligence” that security teams receive is indicator-focused: lists of IPs, domains, hashes, and URLs that have been associated with malicious activity. This is the lowest form of the intelligence pyramid — useful for automated blocking and detection, but easily evaded by any moderately sophisticated adversary (rotate your C2 IP). Higher-order intelligence — actor profiles, campaign tracking, TTP documentation — requires more effort to produce and consume but has longer shelf life.

For a home lab or small team, the realistic goal is: ingest indicator feeds, automate enrichment, feed detection tools, and track what’s actually relevant to your environment.

The Stack

Here’s a functional open source threat intel stack that runs on a single modest Linux VM:

| Component | Tool | Purpose |
|---|---|---|
| Intel platform | MISP | Central hub for sharing, correlating, and consuming indicators |
| Feed aggregator | OpenCTI | Graph-based analysis and feed normalization |
| Indicator feeds | OSINT sources | Raw material (see below) |
| Enrichment | Cortex + analyzers | Automated enrichment of observables |
| Detection pipeline | Sigma rules | Convert intel to detection logic |
| Alerting | Grafana + Loki | Dashboard and alert notification |

You don’t need all of these on day one. The minimum viable setup is MISP plus two or three reliable feeds.

Setting Up MISP

MISP (Malware Information Sharing Platform) is the de facto open source threat intelligence platform. It handles storage, correlation, sharing, and feed ingestion. Despite its somewhat outdated UI, it’s the most capable free option available and is used by CERTs and government security teams globally.

Installation. The quickest path is the MISP project’s official install script on Ubuntu 22.04:

```bash
# Download the MISP 2.4 install script, then run it
wget -O /tmp/INSTALL.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh
bash /tmp/INSTALL.sh
```

This handles the full LAMP stack, background workers, and initial configuration. The install takes 15-20 minutes. After completion, access the web interface on localhost and change the default admin credentials immediately.

Initial configuration. The critical steps after install:

  1. Set your organization name and UUID (used for feed attribution)
  2. Enable background workers (required for feed sync)
  3. Configure email (for sharing notifications — can be disabled for local-only use)
  4. Set the base URL correctly — this matters for API access

Feed configuration. This is where the value comes from. MISP ships with a curated list of default feeds. Enable the high-signal ones:

  • CIRCL OSINT Feed (general indicators, well-curated)
  • Emerging Threats rules (network IDS rules)
  • abuse.ch URLhaus (malicious URLs, updated hourly)
  • abuse.ch MalwareBazaar (malware samples and hashes)
  • Feodo Tracker (botnet C2 IPs)
  • PhishTank (phishing URLs)

Navigate to Sync Actions → Feeds → enable and configure each. Set update intervals based on how fresh you need the data — hourly for abuse.ch sources, daily for most others.

Free Intelligence Feeds Worth Using

Beyond MISP’s defaults, these sources consistently provide signal:

abuse.ch ecosystem. URLhaus, MalwareBazaar, ThreatFox, Feodo Tracker — all maintained by abuse.ch and free for non-commercial use. High volume, high freshness, focused on active malware infrastructure. URLhaus alone tracks tens of thousands of active malware distribution URLs.

AlienVault OTX (Open Threat Exchange). A community platform where researchers share “pulses” — collections of indicators tied to specific campaigns or threat actors. Create a free account, subscribe to relevant pulse authors, and pull indicators via API. Quality is variable (it’s community-contributed) but volume is high.

Abuse.ch ThreatFox. Specifically focused on indicators of compromise associated with malware families — C2 IPs, domains, URLs by malware family. Useful for identifying what malware family a suspicious indicator belongs to.

CISA KEV (Known Exploited Vulnerabilities). Not traditional threat intel, but CISA’s catalog of vulnerabilities actively exploited in the wild is actionable intelligence for patch prioritization. Available as a JSON feed.

Mandiant/Google Threat Intelligence free tier. Limited compared to the paid product, but the publicly published research is excellent for understanding TTPs of named threat actors.

Emerging Threats Open Rules. Free Snort/Suricata rules maintained by Proofpoint. If you’re running Suricata or Zeek in your environment, these rules translate threat intelligence directly into detection.
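As an added example (not from the post), here is how the CISA KEV JSON feed mentioned above can drive patch prioritization: it matches a vulnerability-scanner export against the catalog and orders the hits by known ransomware use and then by CISA's due date, so overdue known-exploited findings surface first. The field names are those of CISA's public feed; the inventory format, the host names and the CVE ids are constructed placeholders.

```python
"""Triage a vulnerability-scanner export against the CISA KEV catalog.

Added example, not from the post. The KEV fields used (cveID, vendorProject, product,
dueDate, knownRansomwareCampaignUse) are those of CISA's public JSON feed; the inventory
format and every value below are constructed, and the CVE ids are placeholders."""
import json
from datetime import date

# Constructed KEV excerpt in the real feed's shape; CVE ids are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "Gateway",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "Mailer",
     "dateAdded": "2024-02-01", "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Router",
     "dateAdded": "2024-02-10", "dueDate": "2024-03-02", "knownRansomwareCampaignUse": "Unknown"},
]})
# Constructed scanner export: which CVEs each host currently carries.
INVENTORY = [
    {"host": "vpn-01", "cves": ["CVE-0000-0003", "CVE-0000-0009"]},   # 0009 is not in KEV
    {"host": "mail-01", "cves": ["CVE-0000-0002"]},
    {"host": "gw-01", "cves": ["CVE-0000-0001", "CVE-0000-0002"]},
]

def load_kev(raw_json):
    """Index the catalog by CVE id so inventory lookups are O(1)."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}

def prioritize(kev, inventory, today):
    """Return only KEV-listed findings, most urgent first (today is an ISO date string)."""
    today = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue                          # not known-exploited: normal patch cadence
            due = date.fromisoformat(entry["dueDate"])
            findings.append({"host": asset["host"], "cve": cve, "days_left": (due - today).days,
                             "product": f'{entry["vendorProject"]} {entry["product"]}',
                             "ransomware": entry.get("knownRansomwareCampaignUse") == "Known"})
    # Ransomware-linked first, then by due date (overdue items sort to the top).
    findings.sort(key=lambda f: (not f["ransomware"], f["days_left"], f["host"]))
    return findings

if __name__ == "__main__":
    for f in prioritize(load_kev(KEV_SAMPLE), INVENTORY, "2024-02-25"):
        flag = "RANSOMWARE " if f["ransomware"] else ""
        print(f'{f["host"]:8} {f["cve"]:14} {flag}{f["product"]} due in {f["days_left"]:+d} days')
```

In production, replace KEV_SAMPLE with the downloaded catalog and INVENTORY with your scanner's export; the catalog changes often enough that this belongs in the same daily cron as the feed pulls.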

Automating Enrichment with Cortex

Cortex is MISP’s companion tool for automated indicator enrichment. When an analyst or feed submission adds a new observable (IP, domain, hash), Cortex can automatically query multiple external services and return enrichment data: geolocation, passive DNS history, WHOIS, VirusTotal results, Shodan data, and more.

The analyzers that provide the most value without API costs:

  • AbuseIPDB (free tier): IP reputation and abuse reports
  • URLScan.io (free tier): URL scanning and screenshot capture
  • CIRCLPassiveDNS: Passive DNS lookups
  • Shodan (free tier): Internet-facing service enumeration
  • VirusTotal (free tier, rate limited): File hash and URL lookup

For hashes specifically, free VirusTotal lookups cover most practical needs. The rate limits on the free tier are manageable for a home lab or small team environment.

Turning Intel into Detection

Intelligence that doesn’t improve detection is just overhead. The pipeline from MISP to detection rules:

IP/Domain blocklists. MISP can export indicator lists in multiple formats. Pull domain and IP indicators into your DNS resolver (Pi-hole, Unbound) or firewall blocklists on a scheduled basis. A daily cron job that pulls from the MISP API and updates a blocklist covers this:

```bash
#!/bin/bash
set -euo pipefail   # a failed pull must not replace the live blocklist with an empty file
curl -sf -H "Authorization: YOUR_MISP_KEY" -H "Accept: application/json" \
  "https://your-misp/attributes/restSearch/json/type:ip-dst/to_ids:1" \
  | python3 /opt/scripts/misp-to-blocklist.py > /etc/blocklists/misp-ips.txt.tmp
mv /etc/blocklists/misp-ips.txt.tmp /etc/blocklists/misp-ips.txt   # atomic swap
```
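The post does not show the misp-to-blocklist.py that the cron job pipes into. Here is an added implementation (not the author's script) that also applies the indicator-aging rule from the intel hygiene section: it keeps only to_ids IP attributes younger than a cutoff, drops private and reserved address space that must never hit a perimeter blocklist, and collapses overlapping ranges. It assumes MISP's JSON response shape {"response": {"Attribute": [...]}} with type, value, to_ids and timestamp fields on each attribute.

```python
"""misp-to-blocklist.py: MISP restSearch JSON on stdin -> one IP or CIDR per line on stdout.

Added example, not the post's own script. Assumes the MISP JSON shape
{"response": {"Attribute": [...]}} with "type", "value", "to_ids" and "timestamp"
(epoch seconds) on each attribute."""
import ipaddress
import json
import sys
import time

MAX_AGE_DAYS = 45                      # network indicators age out unless refreshed
BLOCKABLE_TYPES = {"ip-dst", "ip-src"}
# Address space that must never reach a perimeter blocklist (RFC 1918, loopback, link-local, multicast).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]

def to_network(value):
    """Accept '198.51.100.7', '198.51.100.0/24' or MISP's 'ip|port' form; else None."""
    host = value.split("|", 1)[0].strip()
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return None                    # malformed value: skip it rather than break the cron job
    if any(net.version == r.version and net.overlaps(r) for r in NEVER_BLOCK):
        return None
    return net

def build_blocklist(attributes, now=None, max_age_days=MAX_AGE_DAYS):
    """Keep to_ids IP attributes younger than max_age_days, dedupe, collapse overlapping ranges."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    nets = set()
    for attr in attributes:
        if attr.get("type") not in BLOCKABLE_TYPES or str(attr.get("to_ids", 0)).lower() not in ("1", "true"):
            continue
        if int(attr.get("timestamp", 0)) < cutoff:
            continue                   # stale indicator: aged out of the blocklist
        net = to_network(str(attr.get("value", "")))
        if net is not None:
            nets.add(net)
    lines = []
    for version in (4, 6):             # collapse_addresses cannot mix IPv4 and IPv6
        for net in ipaddress.collapse_addresses(n for n in nets if n.version == version):
            lines.append(str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net))
    return lines

if __name__ == "__main__":
    attrs = json.loads(sys.stdin.read()).get("response", {}).get("Attribute", [])
    print("\n".join(build_blocklist(attrs)))
```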

Sigma rules. Sigma is the standard format for writing detection rules that can be compiled to SIEM query languages (Splunk, Elastic, QRadar, etc.). When threat intel identifies a specific TTP — a command-line pattern used by a threat actor, a specific registry key written by malware — translating that to a Sigma rule creates persistent detection capability. The SigmaHQ repository has thousands of community-contributed rules, many tied to specific threat actor TTPs.

Suricata rules. Network-level indicators (C2 IPs, malicious domains, payload patterns) map well to Suricata rules. Emerging Threats updates their rule set daily. For custom rules based on MISP indicators, the suricata-update tool can pull directly from MISP.

What Good Intel Hygiene Looks Like

A few operational practices that separate a useful intel program from one that generates noise:

Relevance filtering. Not all threat intel is relevant to your environment. A healthcare org doesn’t need to track APT groups targeting defense contractors. Build filters — by sector, geography, TTP focus — and route indicators accordingly. MISP’s tagging system handles this well.

Indicator aging. IPs and domains rotate. An indicator that was active C2 six months ago may now be a sinkhole or legitimate infrastructure. Set expiry policies: network indicators expire after 30-60 days unless refreshed; file hashes can have longer retention. Stale indicators in a blocklist are just false positives waiting to happen.

Attribution skepticism. Public threat actor attribution is frequently wrong, politically motivated, or recycled across reports. Use actor names and TTP frameworks as organizational tools, not ground truth. The behavior matters; the name is a label.

Feed quality over quantity. Twenty low-quality feeds generate more noise than two high-quality ones. Abuse.ch sources are consistently high signal. Generic “threat intel” feeds that aggregate without curation are often the opposite.

Practical Starting Point

If you want to stand this up this weekend: install MISP, enable the abuse.ch feeds (URLhaus, Feodo Tracker, MalwareBazaar), and set up a daily cron job that exports active C2 IPs to a blocklist on your firewall. That alone gives you continuously updated blocking of known-active botnet infrastructure, at zero cost, with about four hours of initial setup.

From there, add OTX for community pulse coverage and Cortex for enrichment. The full stack builds naturally as your needs and familiarity grow.

Recommended reading: Intelligence-Driven Incident Response by Rebekah Brown and Scott Roberts covers the full intelligence cycle for practitioners, including how to build and consume intel programs at different scales. One of the more grounded books on the topic.

The vendor pitch for threat intelligence is always that you need more data, more feeds, and a bigger platform. The reality is that a disciplined small program with high-quality sources outperforms an undisciplined large one every time. Start small, measure what’s actually blocking threats, and expand from there.
