Intelligence Sources, Feeds and Sharing Platforms
Threat intelligence reaches investigators through open-source feeds, commercial platforms, Information Sharing and Analysis Centers, dark-web monitoring, and inter-agency networks. This topic surveys each source category, its reliability characteristics, and the STIX and TAXII standards that underpin machine-readable intelligence exchange.
Threat intelligence is structured knowledge about adversary capabilities, infrastructure, and intentions that helps investigators and defenders anticipate, detect, and respond to cyber incidents. It is collected from a hierarchy of sources: open-source feeds that aggregate publicly visible indicators, commercial platforms that combine proprietary sensor data with analyst reporting, sector-specific Information Sharing and Analysis Centers (ISACs) that pool intelligence among industry peers, dark-web monitoring programs that surface credential leaks and malware sales, and inter-agency networks through which law enforcement and government CERTs exchange classified or law-enforcement-sensitive data. The value of any source depends on its timeliness, coverage, accuracy, and the context it provides around raw indicators.
A raw indicator such as an IP address or file hash is only useful if an investigator knows who is using it, for what purpose, and for how long. This is why the field distinguishes tactical intelligence (indicators that drive detection rules today), operational intelligence (understanding of an active campaign), and strategic intelligence (long-term trends about threat actors). Most investigations require all three layers. An IP address tied to a ransomware command-and-control server is tactical; understanding that the same actor has been targeting hospitals across three continents for eighteen months is operational; knowing that the group is a financially motivated criminal outfit operating from a jurisdiction with limited extradition treaties is strategic.
Machine-readable exchange of intelligence became feasible at scale only when the MITRE Corporation and OASIS released STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information) as open standards. STIX defines a JSON-based data model for threat objects and their relationships; TAXII defines the HTTPS-based transport protocol for sharing those objects between organisations. Together they allow a threat intelligence platform to pull structured data from dozens of feeds and push it into detection engines, SIEM tools, and ticketing systems without manual reformatting. The current versions are STIX 2.1 and TAXII 2.1, both maintained by OASIS.
By the end of this topic you will be able to:
- Classify threat intelligence sources into OSINT feeds, commercial platforms, ISACs, dark-web monitoring, and inter-agency networks, and explain when each is most useful.
- Distinguish tactical, operational, and strategic intelligence and identify which source types typically supply each tier.
- Describe the STIX 2.1 object model, naming the core domain objects and the relationship objects that connect them.
- Explain how TAXII 2.1 collections and channels work and how a client subscribes to receive intelligence from a TAXII server.
- Apply the Traffic Light Protocol (TLP) markings to a piece of intelligence and explain the handling obligations that each colour imposes.
- Threat intelligence: Evidence-based knowledge about adversary capabilities, infrastructure, motivations, and intentions that is actionable for defenders or investigators. Distinguished from raw data by the addition of context, analysis, and confidence assessment.
- ISAC (Information Sharing and Analysis Center): A sector-specific membership organisation that collects, analyses, and redistributes threat intelligence among its members under confidentiality agreements. Examples include FS-ISAC (financial services), H-ISAC (healthcare), and MS-ISAC (state and local government in the US).
- STIX (Structured Threat Information eXpression): An OASIS open standard that defines a JSON-based language for describing cyber threat intelligence. STIX 2.1 defines objects for indicators, threat actors, campaigns, malware, attack patterns, and the relationships between them.
- TAXII (Trusted Automated eXchange of Indicator Information): An OASIS open standard that defines an HTTPS-based protocol for transporting STIX content between organisations. A TAXII server exposes collections; clients poll or subscribe to receive updates.
- Traffic Light Protocol (TLP): A standardised colour-coded scheme for marking intelligence sharing restrictions. TLP:RED is for named recipients only; TLP:AMBER is for members' organisations; TLP:GREEN is for the wider community; TLP:CLEAR (formerly TLP:WHITE) is unrestricted.
- IOC (Indicator of Compromise): A specific, observable artifact associated with malicious activity, such as a file hash, IP address, domain name, URL, or registry key. IOCs are the primary unit of tactical threat intelligence and the most common payload in threat feeds.
Open-source intelligence feeds
Open-source threat intelligence (OSINT) feeds aggregate indicators collected from publicly accessible sources: honeypots, spam traps, passive DNS sensors, malware sandboxes, and voluntary reporting by researchers and organisations. They are free or low-cost and provide broad coverage of commodity threats. The most widely used include AlienVault OTX (now AT&T Cybersecurity Open Threat Exchange), Abuse.ch feeds (URLhaus, MalwareBazaar, ThreatFox, Feodo Tracker), Emerging Threats rulesets, the Spamhaus blocklists, and CISA's Automated Indicator Sharing (AIS) programme in the United States.
OSINT feeds excel at volume. MalwareBazaar alone processes tens of thousands of malware samples per month, each tagged with file hashes, YARA rules, and associated domains. This volume makes them valuable for enriching security event logs: when an analyst sees an outbound connection to an unknown IP, a quick lookup against a blocklist confirms whether that IP has been reported in criminal activity. The limitation is signal-to-noise ratio. Because contribution is open, feeds contain stale indicators, false positives from misconfigured systems, and intentional poisoning by adversaries who want to waste analyst time or trigger false alarms.
Aggregators such as MISP (Malware Information Sharing Platform) and OpenCTI help organisations ingest multiple OSINT feeds, deduplicate indicators, apply confidence scores, and export to detection tools. MISP is widely used by national CERTs and ISACs as a shared instance; OpenCTI uses the STIX 2.1 data model natively and integrates with commercial connectors.
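As an added example (not code from MISP, OpenCTI or any feed named above), the following standard-library Python shows the kind of aggregation pass those platforms perform: it merges three constructed feeds, drops values that are obviously reporter noise (non-routable addresses, malformed domains), scores each indicator from its most trustworthy source plus a corroboration bonus per additional source, retires single-source indicators not seen within a 90-day window, and then enriches two constructed firewall lines by lookup. The confidence scale, feed field names, log format and the documentation-range addresses are all assumptions for this example.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Base confidence per source type: an assumed scale for this example, not a
# published standard. The most trustworthy source sets the floor; each extra
# independent source that reports the same value adds corroboration.
SOURCE_BASE_CONFIDENCE = {
    "honeypot": 30,          # automated submissions, noisy
    "osint-community": 40,   # open contribution, unvetted
    "abuse-list": 60,        # curated blocklist
    "vendor-report": 85,     # analyst-vetted report
}

# Address space that never hosts adversary infrastructure; feed entries in these
# ranges are almost always reporter misconfiguration.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


@dataclass
class Indicator:
    kind: str                       # "ipv4-addr" or "domain-name"
    value: str
    sources: set[str] = field(default_factory=set)
    first_seen: datetime | None = None
    last_seen: datetime | None = None
    confidence: int = 0


def normalise(kind: str, raw: str) -> str | None:
    """Canonicalise a feed value; return None for junk that must not be alerted on."""
    raw = raw.strip()
    if kind == "ipv4-addr":
        try:
            ip = ipaddress.IPv4Address(raw)
        except ipaddress.AddressValueError:
            return None
        return None if any(ip in net for net in NON_ROUTABLE) else str(ip)
    if kind == "domain-name":
        value = raw.lower().rstrip(".")
        return value if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value) else None
    return None


def ingest(feeds, now: datetime, max_age_days: int = 90, corroboration_needed: int = 2):
    """Merge several feeds into one indicator table. Returns (active, retired)."""
    table: dict[tuple[str, str], Indicator] = {}
    for source, entries in feeds:
        for entry in entries:
            value = normalise(entry["type"], entry["value"])
            if value is None:
                continue
            seen = datetime.fromisoformat(entry["seen"].replace("Z", "+00:00"))
            ind = table.setdefault((entry["type"], value), Indicator(entry["type"], value))
            ind.sources.add(source)
            ind.first_seen = seen if ind.first_seen is None else min(ind.first_seen, seen)
            ind.last_seen = seen if ind.last_seen is None else max(ind.last_seen, seen)
    active, retired = {}, []
    cutoff = now - timedelta(days=max_age_days)
    for key, ind in table.items():
        base = max(SOURCE_BASE_CONFIDENCE.get(s, 20) for s in ind.sources)
        ind.confidence = min(100, base + 10 * (len(ind.sources) - 1))
        # Retire uncorroborated indicators that have aged out of the window.
        if ind.last_seen < cutoff and len(ind.sources) < corroboration_needed:
            retired.append(ind)
        else:
            active[key] = ind
    return active, retired


LOG_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+")


def enrich(log_line: str, active: dict) -> dict:
    """Annotate an outbound-connection log line with any matching active indicator."""
    m = LOG_RE.search(log_line)
    hit = active.get(("ipv4-addr", m.group("ip"))) if m else None
    return {"dst": m.group("ip") if m else None, "match": hit is not None,
            "confidence": hit.confidence if hit else 0,
            "sources": sorted(hit.sources) if hit else []}


# Constructed sample data: three feeds and two firewall lines using
# documentation address ranges, not real infrastructure.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_FEEDS = [
    ("honeypot", [
        {"type": "ipv4-addr", "value": "198.51.100.23", "seen": "2024-05-30T08:00:00Z"},
        {"type": "ipv4-addr", "value": "192.168.1.10", "seen": "2024-05-30T08:00:00Z"},
        {"type": "ipv4-addr", "value": "203.0.113.77", "seen": "2024-01-15T00:00:00Z"},
    ]),
    ("abuse-list", [
        {"type": "ipv4-addr", "value": "198.51.100.23", "seen": "2024-05-31T12:00:00Z"},
        {"type": "domain-name", "value": "Bad-Update.Example.", "seen": "2024-05-29T00:00:00Z"},
    ]),
    ("vendor-report", [
        {"type": "domain-name", "value": "bad-update.example", "seen": "2024-05-28T00:00:00Z"},
    ]),
]
SAMPLE_LOG = [
    "2024-06-01T10:15:00Z CONNECT src=10.0.0.5 dst=198.51.100.23:443",
    "2024-06-01T10:16:00Z CONNECT src=10.0.0.5 dst=203.0.113.77:80",
]


def run_demo():
    active, retired = ingest(SAMPLE_FEEDS, NOW)
    return active, retired, [enrich(line, active) for line in SAMPLE_LOG]


if __name__ == "__main__":
    for ind in run_demo()[0].values():
        print(f"ACTIVE {ind.kind} {ind.value} conf={ind.confidence} sources={sorted(ind.sources)}")
```

Running it shows the behaviour the section describes: the address reported by both the honeypot and the curated list ends up at confidence 70 and lights up the first firewall line, the private address from the misconfigured honeypot reporter never enters the table, and the stale single-source address is retired, so the second line yields no match even though that address is still "in a feed".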
Commercial threat intelligence platforms
Commercial threat intelligence platforms differ from OSINT feeds in three ways: they maintain proprietary sensor networks that provide visibility into traffic that never appears in public sources; they employ analysts who contextualise raw data into finished intelligence reports; and they offer structured data exports and API integrations designed for enterprise security tooling. Major vendors include Recorded Future, Mandiant Threat Intelligence (now part of Google), CrowdStrike Falcon Intelligence, Microsoft Defender Threat Intelligence, and Flashpoint.
| Dimension | OSINT feeds | Commercial platforms |
|---|---|---|
| Cost | Free or low-cost | Subscription, typically $10K-$500K+ annually |
| Coverage | Commodity threats, broad volume | Nation-state, financial fraud, sector-specific |
| Context | Minimal; raw indicators | Analyst reports, attribution, campaign tracking |
| Freshness | Variable; community-dependent | Often real-time or near-real-time |
| Integration | Manual or open connectors | Enterprise APIs, SIEM plugins, SOAR playbooks |
| False positive rate | Higher; open contribution | Lower; analyst-vetted |
For investigators, commercial platforms are most valuable for attribution and campaign tracking. When a malware sample is recovered from an incident, a commercial platform can map it to a known threat group, link it to prior campaigns, identify the infrastructure that group has historically used, and suggest which other sectors that group has targeted. This context is rarely available in free feeds, which typically provide only the indicator with minimal surrounding information.
The limitation is cost and dependency. Smaller organisations, including many law enforcement agencies in lower-income jurisdictions, cannot afford commercial subscriptions. Investigators in those settings rely on OSINT feeds, ISAC membership, and bilateral information-sharing agreements with agencies that do have commercial access.
ISACs and sector-specific sharing networks
ISACs were created in the United States following Presidential Decision Directive 63 in 1998, which called for sector-specific organisations to share threat information for critical infrastructure protection. The model spread internationally. ISACs now exist for financial services (FS-ISAC, global membership), healthcare (H-ISAC), energy (E-ISAC), aviation (A-ISAC), automotive (Auto-ISAC), water (WaterISAC), maritime (Maritime ISAC), and state and local government (MS-ISAC, US-focused). Equivalent structures exist in Europe under the NIS2 Directive framework, and in India under CERT-In sector engagement programmes.
ISAC intelligence is sector-specific and comes with understood context. When FS-ISAC distributes an alert about a new banking trojan, members know that the adversary targets financial institutions, that the indicators have been validated by peer organisations facing similar threats, and that countermeasures shared alongside the alert are appropriate for their environment. This is qualitatively different from a generic IOC feed where the same indicator might relate to threats irrelevant to the recipient.
ISACs operate under formal sharing agreements that define what members can do with the intelligence they receive. The Traffic Light Protocol (TLP) is the dominant marking system. TLP:RED intelligence shared in an ISAC briefing stays within the named participants; TLP:AMBER can go to an organisation's security team; TLP:GREEN can be shared with the wider community. Violating TLP markings is a breach of the sharing agreement and can result in loss of membership.
Dark-web monitoring and underground forum intelligence
Criminal actors use Tor-based forums, encrypted messaging channels, and private marketplaces to sell stolen credentials, advertise initial access to compromised networks, offer malware-as-a-service, and coordinate attacks. Monitoring these sources provides intelligence not available in any legitimate feed: credentials being sold before the affected organisation knows it has been breached, ransomware group communications before an attack is launched, or technical details of a zero-day being traded privately.
Dark-web monitoring is conducted either by commercial vendors (Recorded Future, Flashpoint, Intel 471, SpyCloud) who maintain persistent access to criminal communities, or by law enforcement agencies with court-authorised undercover operations. Commercial vendors typically provide a monitoring service where an organisation subscribes to alerts when its domains, IP ranges, employee credentials, or brand terms appear in criminal channels. This allows the organisation to respond to a credential leak before the credentials are exploited.
Legal constraints vary by jurisdiction. Passive monitoring of publicly accessible Tor sites is generally lawful. Creating accounts on criminal forums, downloading malware samples, or participating in transactions requires specific legal authority in most jurisdictions. In India, investigative operations on dark-web platforms are conducted under the Information Technology Act 2000 and the Bharatiya Nagarik Suraksha Sanhita 2023. In the UK, undercover operations require authorisation under the Regulation of Investigatory Powers Act 2000 and the Covert Human Intelligence Sources Act 2021. In the US, court authorisation under Title III of the Omnibus Crime Control and Safe Streets Act governs interception; different standards apply to stored communications under the Electronic Communications Privacy Act.
STIX 2.1 object model and TAXII 2.1 transport
STIX 2.1 organises intelligence into typed JSON objects. The core domain objects (CDOs) are: Indicator (a pattern that detects a threat, typically a STIX Pattern or YARA rule), Observable (a raw artifact such as an IP address or file hash without an associated pattern), Threat Actor (a person or group), Campaign (a named adversary operation), Malware (a malware family or sample), Attack Pattern (a TTP, often linked to a MITRE ATT&CK technique ID), Tool (legitimate software used by attackers), Vulnerability (a CVE entry or similar), and Course of Action (a remediation step). Relationship objects link CDOs to each other: for example, a Threat Actor uses a Campaign, a Campaign delivers Malware, and Malware indicates an Indicator.
Every STIX object has a universally unique identifier, a timestamp, a creator identity reference, and an optional confidence score from 0 to 100. Confidence is critical for investigators: an indicator with confidence 85 from a commercial vendor's analyst report should be weighted differently from the same indicator with confidence 30 from an automated honeypot submission. STIX bundles group related objects for transport; a single bundle might contain a Threat Actor, two Campaigns, five Malware objects, and forty Indicators, all with Relationship objects that make the connections explicit.
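The following is an added example in plain Python, not code from the OASIS specifications or from any platform on this page. It builds a STIX 2.1 bundle with the object types described above, carries a confidence score and a TLP marking on each object, and then releases only what a TLP:GREEN recipient may receive, which also exercises the ISAC handling rules from the earlier section. Relationship directions follow the STIX 2.1 specification's own vocabulary (the Campaign is attributed-to the Threat Actor, the Campaign uses the Malware, and the Indicator indicates the Malware). The marking-definition ids are the ones the specification predefines; the vendor identity, actor, campaign, malware family and address are constructed.

```python
from __future__ import annotations

import json
import uuid
from datetime import datetime, timezone

# TLP marking-definition ids predefined by the STIX 2.1 specification. The spec
# still uses the TLP 1.0 colour names, so TLP:CLEAR content travels as TLP:WHITE.
TLP = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-dadc-4d60-ae61-6e20b4a24d34",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}


def stix_timestamp(dt: datetime) -> str:
    """STIX timestamps are UTC, millisecond precision, with a trailing Z."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def stix_object(obj_type: str, created_by: str, tlp: str, confidence: int, **props) -> dict:
    """Common properties shared by STIX Domain Objects and Relationship Objects."""
    ts = stix_timestamp(datetime.now(timezone.utc))
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, "created_by_ref": created_by,
            "confidence": confidence, "object_marking_refs": [TLP[tlp]], **props}


def relationship(src: dict, rel_type: str, tgt: dict, created_by: str, tlp: str) -> dict:
    """A relationship inherits the weaker confidence of the two objects it connects."""
    return stix_object("relationship", created_by, tlp, min(src["confidence"], tgt["confidence"]),
                       relationship_type=rel_type, source_ref=src["id"], target_ref=tgt["id"])


def build_bundle() -> dict:
    """A constructed report: one actor, one campaign, one malware family, one indicator."""
    ts = stix_timestamp(datetime.now(timezone.utc))
    producer = {"type": "identity", "spec_version": "2.1", "id": f"identity--{uuid.uuid4()}",
                "created": ts, "modified": ts, "name": "Example Vendor (constructed)",
                "identity_class": "organization", "object_marking_refs": [TLP["white"]]}
    pid = producer["id"]
    actor = stix_object("threat-actor", pid, "amber", 70, name="Constructed Crew",
                        threat_actor_types=["crime-syndicate"])
    campaign = stix_object("campaign", pid, "amber", 60, name="Constructed hospital campaign",
                           first_seen=ts)
    malware = stix_object("malware", pid, "green", 80, name="constructed-loader",
                          is_family=True, malware_types=["trojan"])
    indicator = stix_object("indicator", pid, "green", 85, name="Constructed C2 address",
                            pattern="[ipv4-addr:value = '198.51.100.23']",
                            pattern_type="stix", valid_from=ts)
    rels = [relationship(campaign, "attributed-to", actor, pid, "amber"),
            relationship(campaign, "uses", malware, pid, "amber"),
            relationship(indicator, "indicates", malware, pid, "green")]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [producer, actor, campaign, malware, indicator, *rels]}


def release_for(bundle: dict, allowed: set[str]) -> dict:
    """Keep only objects whose every marking the recipient may receive, then drop
    relationships left dangling because one endpoint was withheld."""
    allowed_refs = {TLP[c] for c in allowed}
    kept = [o for o in bundle["objects"]
            if o.get("object_marking_refs") and set(o["object_marking_refs"]) <= allowed_refs]
    ids = {o["id"] for o in kept}
    kept = [o for o in kept if o["type"] != "relationship"
            or (o["source_ref"] in ids and o["target_ref"] in ids)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": kept}


def indicators_above(bundle: dict, min_confidence: int) -> list[dict]:
    """Select indicators worth turning into detection rules at this confidence bar."""
    return [o for o in bundle["objects"]
            if o["type"] == "indicator" and o.get("confidence", 0) >= min_confidence]


if __name__ == "__main__":
    print(json.dumps(release_for(build_bundle(), {"white", "green"}), indent=2))
```

The release step is the part worth copying: filtering by marking alone would leave a TLP:GREEN recipient holding `attributed-to` and `uses` relationships that point at actor and campaign objects it never received, so the second pass removes any relationship whose endpoints did not survive the first.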
TAXII 2.1 defines two primary API patterns. A Collection is a named store of STIX objects; clients GET objects from a collection or POST new objects to it, filtered by type, time range, or identifier. A Channel (defined in TAXII 2.1 as a publish-subscribe mechanism) allows clients to subscribe and receive objects pushed as they arrive. Most operational deployments use the collection poll model: a threat intelligence platform polls its configured TAXII servers every few minutes, retrieves new objects, and feeds them into detection pipelines. The STIX/TAXII combination is supported natively by MISP, OpenCTI, Microsoft Sentinel, Splunk TAXII App, and most enterprise SIEM platforms.
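An added example of the collection poll model, written directly against the TAXII 2.1 Objects endpoint rather than taken from any product's client library: a standard-library mock server serves a constructed collection in pages, and the client follows `next` tokens within one poll and persists the `X-TAXII-Date-Added-Last` header as the next poll's `added_after`, which is what lets a platform poll every few minutes without re-downloading the collection. The API root path, collection id, page size and indicator values are constructed; the media type, query parameters, envelope fields and headers are those the TAXII 2.1 specification defines.

```python
from __future__ import annotations

import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

TAXII_MEDIA = "application/taxii+json;version=2.1"
API_ROOT = "/api1"                                       # constructed API root
COLLECTION_ID = "7c9b0a1e-2d3f-4a5b-8c6d-0e1f2a3b4c5d"  # constructed collection id
PAGE_SIZE = 2


def seed_indicator(n: int, value: str) -> dict:
    """Minimal constructed STIX 2.1 indicator; ids are fixed so results are stable."""
    ts = f"2024-06-01T{9 + n:02d}:00:00.000Z"
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{n:08x}-0000-4000-8000-000000000000",
            "created": ts, "modified": ts, "pattern_type": "stix", "valid_from": ts,
            "pattern": f"[ipv4-addr:value = '{value}']"}


# Server-side store of (date_added, object) in date_added order; reset by run_demo().
SEED = [(f"2024-06-01T{9 + n:02d}:00:00.000Z", seed_indicator(n, v))
        for n, v in enumerate(["198.51.100.23", "203.0.113.77", "198.51.100.24"], start=1)]
STORE: list = []


class MockTaxiiHandler(BaseHTTPRequestHandler):
    """Serves only GET {api-root}/collections/{id}/objects/ with added_after and next."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != f"{API_ROOT}/collections/{COLLECTION_ID}/objects/":
            return self.send_error(404)
        if self.headers.get("Accept") != TAXII_MEDIA:
            return self.send_error(406)            # TAXII requires the versioned media type
        q = parse_qs(url.query)
        added_after = q.get("added_after", [""])[0]
        offset = int(q.get("next", ["0"])[0])      # opaque to clients; an offset in this mock
        matching = [(d, o) for d, o in STORE if d > added_after]   # added_after is exclusive
        page = matching[offset:offset + PAGE_SIZE]
        more = offset + PAGE_SIZE < len(matching)
        envelope = {"more": more, "objects": [o for _, o in page]}
        if more:
            envelope["next"] = str(offset + PAGE_SIZE)
        body = json.dumps(envelope).encode()
        self.send_response(200)
        self.send_header("Content-Type", TAXII_MEDIA)
        self.send_header("Content-Length", str(len(body)))
        if page:
            self.send_header("X-TAXII-Date-Added-First", page[0][0])
            self.send_header("X-TAXII-Date-Added-Last", page[-1][0])
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep request logging quiet
        pass


def poll_collection(base_url: str, collection_id: str, state: dict) -> list[dict]:
    """Fetch everything added since state['added_after'], following 'next' pages,
    then advance the watermark from X-TAXII-Date-Added-Last. The watermark used
    for the walk is fixed at the start so pagination offsets stay consistent."""
    since = state.get("added_after", "")
    latest, next_token, objects = since, None, []
    while True:
        params = {k: v for k, v in (("added_after", since), ("next", next_token)) if v}
        url = f"{base_url}{API_ROOT}/collections/{collection_id}/objects/"
        if params:
            url += "?" + urlencode(params)
        with urlopen(Request(url, headers={"Accept": TAXII_MEDIA})) as resp:
            envelope = json.load(resp)
            last = resp.headers.get("X-TAXII-Date-Added-Last") or ""
        objects.extend(envelope.get("objects", []))
        latest = max(latest, last)
        if not envelope.get("more"):
            break
        next_token = envelope["next"]
    if latest:
        state["added_after"] = latest
    return objects


def run_demo():
    """Initial sync, an empty poll, then one new object published between polls."""
    STORE[:] = list(SEED)
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockTaxiiHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        state: dict = {}
        first = poll_collection(base, COLLECTION_ID, state)
        second = poll_collection(base, COLLECTION_ID, state)
        STORE.append(("2024-06-01T13:00:00.000Z", seed_indicator(4, "203.0.113.78")))
        third = poll_collection(base, COLLECTION_ID, state)
    finally:
        server.shutdown()
        server.server_close()
    return first, second, third, state
```

Call `run_demo()` to see the three polls: the first walks two pages to collect all three seeded objects, the second returns nothing because the watermark already sits at the newest `date_added`, and the third returns only the object added in between. Persist `state["added_after"]` alongside the collection id in whatever store the platform uses, since losing it means the next poll re-downloads the whole collection.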
Inter-agency sharing networks and legal frameworks
Law enforcement and government cyber agencies operate sharing networks that are not accessible to private organisations. These include Interpol's cybercrime intelligence channels, Europol's EC3 (European Cybercrime Centre) secure information exchange, the Five Eyes SIGINT partners' joint sharing arrangements, and bilateral law enforcement mutual legal assistance treaty (MLAT) channels. National CERTs exchange technical indicators through FIRST (Forum of Incident Response and Security Teams) and through bilateral MoUs. India's CERT-In participates in APCERT (Asia Pacific CERT) and has bilateral agreements with several national CERTs.
Access to law-enforcement intelligence channels typically requires formal affiliation: a police officer requesting Europol access does so through their national focal point, not directly. The intelligence shared in these channels carries legal handling restrictions that go beyond TLP markings: law-enforcement-sensitive (LES) material in the US, OFFICIAL-SENSITIVE in the UK, and equivalent classifications elsewhere. Using such intelligence in a criminal prosecution requires disclosure rules to be followed; an investigator cannot simply drop a Europol indicator report into a court exhibit without addressing how it was obtained and what it may reveal about sources and methods.
The Bharatiya Sakshya Adhiniyam 2023 (which replaced the Indian Evidence Act 1872) governs the admissibility of electronic records in Indian courts, including intelligence-derived evidence. Section 63 requires that electronic records be accompanied by a certificate from a responsible official attesting to the device, the process used, and the integrity of the output. Investigators using foreign intelligence in Indian proceedings must also satisfy the court that the material was lawfully obtained in the source jurisdiction, a requirement that maps broadly to the approach under the EU's Electronic Evidence Regulation and the US Stored Communications Act for cross-border requests.
An analyst receives a threat feed containing an IP address flagged as a botnet C2 server, with no additional context. This is best described as which type of intelligence?
Key Takeaways
- Threat intelligence is classified as tactical (indicators for detection), operational (campaign understanding), and strategic (actor and geopolitical context); effective investigations use all three layers, drawing on different source types for each.
- OSINT feeds provide broad coverage of commodity threats at low cost but carry higher false positive rates and stale indicators; most organisations retire IP and domain indicators after 30 to 90 days unless corroborated.
- ISACs provide sector-specific, peer-validated intelligence under TLP handling agreements; the TLP:RED to TLP:CLEAR spectrum defines who may receive and re-share each piece of intelligence.
- STIX 2.1 defines the JSON data model for threat objects and their relationships; TAXII 2.1 defines the HTTPS transport protocol for sharing those objects; together they enable automated, standardised intelligence exchange across organisations and tooling platforms.
- Dark-web monitoring intelligence requires corroboration before acting on it, and any evidence derived from it must meet chain-of-custody and admissibility standards; legal authority requirements for active dark-web operations differ across Indian, UK, EU, and US law.
What is the difference between an OSINT feed and a commercial threat intelligence platform?
What is an ISAC and what kinds of intelligence does it share?
What is STIX and why does it matter for investigators?
How does TAXII differ from STIX?
What legal and ethical constraints apply to dark-web monitoring?