Criminal IP has integrated its threat intelligence with OpenCTI, enabling security teams to automatically convert IP addresses, domains, and URLs into structured intelligence within the platform’s knowledge graph.
The integration automatically enriches ingested indicators with Criminal IP’s infrastructure intelligence, dual-perspective reputation scoring, vulnerability data, behavioral signals, and phishing analysis. The enriched data is structured as OpenCTI entities and relationships, allowing analysts to investigate connected infrastructure, map attack surfaces, and prioritize indicators.

Integration highlights
- Contextual risk scoring: Criminal IP delivers dual-perspective risk scoring reflecting both inbound targeting and outbound behavior. This model provides signals to assist analysts with the prioritization of high-risk infrastructure.
- Infrastructure intelligence: The integration creates structured OpenCTI entities and relationships, mapping vulnerabilities (CVEs), Autonomous Systems (ISPs), and geolocation to allow analysts to pivot across components within the graph.
- Service exposure & vulnerability correlation: By linking observed services to known CVEs, the integration provides insight into whether an IP is malicious, exploitable, or actively leveraged in attacks.
- Threat labeling & behavioral signals: Generated labels incorporate multiple data points including anonymization technologies (VPN, proxy, TOR), hosting characteristics, and malicious classifications.
- Domain & phishing intelligence: Criminal IP performs URL analysis for domains to detect phishing activity, credential harvesting, suspicious files, and impersonation techniques, providing tied confidence scores.
- Infrastructure mapping: Indicators are linked to network ownership (Autonomous Systems), physical locations, and resolved IP infrastructure to identify hosting patterns and regional clustering.
Key use cases
- SOC triage and alert validation: Validates suspicious IPs and domains using risk scoring, infrastructure context, and phishing intelligence to prioritize high-risk indicators.
- Threat hunting and infrastructure pivoting: Utilizes enriched relationships such as CVEs, Autonomous Systems, and geolocation to trace connected infrastructure and attacker operations.
- Phishing and campaign analysis: Identifies malicious domains, credential harvesting pages, and supporting infrastructure to track broader campaign patterns.
from Help Net Security https://ift.tt/YqhSxFt
0 comments:
Post a Comment