TribesmanJohn
Newcomer II

How are you curating your CTI?

Hi All,

Having had access to a few different CTI instances (mainly OpenCTI, OTX, MISP), I am coming to the view that without careful curation they can just become a messy database of indicators, reports and other data.

One of the other things I am noticing is that a couple of "better curated" CTIs tend to not have heaps of tactical indicators, and are more focussed on operational IOCs.

Overall, it seems that if you are not prepared to spend big money for a SaaS platform like Mandiant and RecordedFuture, you are going to be spending a lot of time building up your own platform and requiring resources to do this, and it will potentially take years to build up the CTI.

So where my question is going is: if you are going to deploy your own CTI platform with, say, OpenCTI or MISP, how is your data being ingested and consumed?

  • Are you pulling in all the feeds for all the data? Or are there some carefully made decisions about the types of data you want feeds for, e.g. industry-based, or only for vendor $x?
  • Are you self-populating the CTI with only your own data, and having in-house analysts enrich the data?
  • Does your $employer have any standards/guidelines around what data you should have in your CTI?

Or am I just completely overthinking the concepts of a CTI platform? 🙂
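To make the "careful curation" point concrete, here is an added example (not the poster's code, and not OpenCTI's or MISP's own ingestion API) of a small curation pass that a self-hosted platform could run over incoming feed records before they land in the database. The feed records, the policy values (sector tag, age limit, confidence floor) and the field names are all constructed for the demonstration; the idea is that every dropped record carries an auditable reason, and that the same indicator arriving from two feeds is merged rather than stored twice.

```python
"""Illustrative feed-curation pass for a self-hosted CTI platform.

Added example for the discussion above; the record shape, tag names and
policy values are constructed and do not mirror any real platform's schema.
"""
from datetime import date, timedelta

# Constructed feed records, loosely shaped like what a feed connector returns.
FEED_RECORDS = [
    {"type": "ipv4", "value": "203.0.113.10", "source": "feed-a",
     "tags": ["sector:finance"], "confidence": 80, "last_seen": "2024-03-01"},
    # Same indicator from a second feed, with trailing whitespace: should merge.
    {"type": "ipv4", "value": "203.0.113.10 ", "source": "feed-b",
     "tags": ["malware:x"], "confidence": 60, "last_seen": "2024-03-05"},
    {"type": "domain", "value": "Example.Test", "source": "feed-a",
     "tags": [], "confidence": 20, "last_seen": "2024-03-04"},
    {"type": "sha256", "value": "a" * 64, "source": "feed-c",
     "tags": ["sector:energy"], "confidence": 90, "last_seen": "2023-01-01"},
    {"type": "url", "value": "http://example.test/p", "source": "feed-b",
     "tags": ["sector:finance"], "confidence": 70, "last_seen": "2024-03-06"},
    {"type": "domain", "value": "other.test", "source": "feed-c",
     "tags": ["sector:energy"], "confidence": 85, "last_seen": "2024-03-06"},
    {"type": "email", "value": "alice@example.test", "source": "feed-a",
     "tags": [], "confidence": 90, "last_seen": "2024-03-06"},
]

# Constructed ingestion policy: the "carefully made decisions" in one place.
POLICY = {
    "today": date(2024, 3, 7),           # fixed so the run is reproducible
    "max_age_days": 30,                  # drop anything not seen recently
    "min_confidence": 50,                # drop low-confidence chatter
    "wanted_types": {"ipv4", "domain", "sha256", "url"},
    "our_sectors": {"sector:finance"},   # keep items for our sector (or untagged)
}


def normalize(record):
    """Return a copy with a trimmed, case-folded value so the same indicator
    arriving from two feeds collapses onto one key."""
    rec = dict(record)
    value = rec["value"].strip()
    if rec["type"] in ("domain", "sha256"):   # URL paths may be case-sensitive
        value = value.lower()
    rec["value"] = value
    return rec


def curate(records, policy):
    """Apply the ingestion policy and merge duplicates.

    Returns (kept, dropped): kept is a list of merged indicators sorted by
    (type, value); dropped is a list of (value, reason) pairs so every
    decision can be reviewed later."""
    kept = {}
    dropped = []
    for raw in records:
        rec = normalize(raw)
        key = (rec["type"], rec["value"])
        last_seen = date.fromisoformat(rec["last_seen"])
        sector_tags = {t for t in rec["tags"] if t.startswith("sector:")}
        if rec["type"] not in policy["wanted_types"]:
            dropped.append((rec["value"], "unwanted type"))
        elif policy["today"] - last_seen > timedelta(days=policy["max_age_days"]):
            dropped.append((rec["value"], "stale"))
        elif rec["confidence"] < policy["min_confidence"]:
            dropped.append((rec["value"], "low confidence"))
        elif sector_tags and not sector_tags & policy["our_sectors"]:
            dropped.append((rec["value"], "other sector"))
        elif key in kept:
            # Merge: union sources and tags, keep best confidence, newest sighting.
            merged = kept[key]
            merged["sources"] = sorted(set(merged["sources"]) | {rec["source"]})
            merged["tags"] = sorted(set(merged["tags"]) | set(rec["tags"]))
            merged["confidence"] = max(merged["confidence"], rec["confidence"])
            merged["last_seen"] = max(merged["last_seen"], rec["last_seen"])
        else:
            kept[key] = {
                "type": rec["type"], "value": rec["value"],
                "sources": [rec["source"]], "tags": sorted(rec["tags"]),
                "confidence": rec["confidence"], "last_seen": rec["last_seen"],
            }
    return [kept[k] for k in sorted(kept)], dropped


if __name__ == "__main__":
    kept, dropped = curate(FEED_RECORDS, POLICY)
    for item in kept:
        print("KEEP", item["type"], item["value"], item["sources"], item["tags"])
    for value, reason in dropped:
        print("DROP", value, "->", reason)
```

Run as-is and two indicators survive (the merged IPv4 with both feeds as sources, and the finance-tagged URL), while the stale hash, the low-confidence domain, the other-sector domain and the unwanted email type are each dropped with a stated reason. The policy dictionary is where the "industry-based" and "vendor $x" decisions from the question would live, and the dropped list is what an analyst reviews when tuning it.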

1 Reply
emb021
Advocate I

FYI- I don't think I've seen people abbreviate cyber threat intelligence as CTI.

Took me a while to figure out what you were referring to. I don't think it's that widely used.

It's always a good idea to explain your abbreviation at the start for lesser known ones.


---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow