
Skill Guide

Threat intelligence integration from feeds like PhishTank, OpenPhish, and VirusTotal

The systematic process of ingesting, normalizing, and operationalizing indicators of compromise (IOCs) from open-source threat intelligence feeds to proactively defend an organization's infrastructure.

This skill turns passive threat data into active defense: security teams can block phishing campaigns, malware delivery, and command-and-control (C2) communications before a user reaches the infrastructure. Done well, it reduces mean time to detect (MTTD) and mean time to respond (MTTR) and lowers incident response cost through automated prevention. Done poorly, it produces block lists full of stale or shared-hosting entries, so aging, normalization, and allowlisting are as much part of the skill as ingestion.

How to Learn Threat intelligence integration from feeds like PhishTank, OpenPhish, and VirusTotal

Focus on understanding threat intelligence taxonomy: IOCs (IPs, domains, URLs, hashes), TTPs (tactics, techniques, and procedures), and confidence scoring. Learn to parse raw feed data in its native shapes (CSV, JSON, plain-text URL lists, and STIX objects delivered over TAXII). The three feeds in the title differ: OpenPhish's free feed is a plain list of URLs, PhishTank's dump is JSON/CSV/XML records that carry a verification status, and VirusTotal is a per-object lookup API rather than a bulk feed. Master basic API consumption via Python or PowerShell scripts to pull data from a single feed.
Implement correlation logic between feed data and internal logs (SIEM, firewall, proxy). Normalize before matching (lower-case hosts, one consistent URL form) so that a feed entry and a log entry for the same site compare equal. Practice deduplication, IOC aging (set expiration dates), and false positive analysis. Design enrichment pipelines that cross-reference multiple feeds (e.g., VirusTotal API results for a PhishTank domain).
Architect a threat intelligence platform (TIP) with automated ingestion, normalization, and dissemination to enforcement points (firewalls, EDR, email gateways). Develop custom scoring models based on feed reliability, indicator age, and organizational relevance. Integrate with incident response workflows for automated containment and playbook triggering, keeping a staging or human-approval step for actions with blast radius such as domain-level blocks.

Practice Projects

Beginner
Project

Automated IOC Collector & Dashboard

Scenario

Build a system that pulls phishing URLs from PhishTank and malicious file hashes from VirusTotal Community, stores them in a database, and displays statistics.

How to Execute
1. Write Python scripts using `requests` to download PhishTank's JSON dump and query the VirusTotal API v3. VirusTotal's public API is a rate-limited per-object lookup, not a bulk feed, so query it for hashes you already hold (for example from mail attachments or EDR telemetry) rather than trying to pull "all malicious hashes".
2. Parse the data and store IOCs in a local SQLite or PostgreSQL database with columns for type, value, first_seen, last_seen, and source. Normalize values (lower-case hosts, strip whitespace) before insert so the same URL reported by two feeds lands in one row with both sources recorded.
3. Use a simple web framework (Flask/Django) or Grafana to create a dashboard showing IOC count trends per source.
4. Add a function to export IOCs to a CSV file formatted for firewall block lists.
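The collector below is an added example, not code from this page or from PhishTank, OpenPhish or VirusTotal. It parses constructed sample payloads shaped like the three feeds (made-up .test URLs and a dummy hash), deduplicates them into SQLite while keeping first_seen and merging sources, and writes the firewall CSV; it also covers the feed-parsing and normalization step from the learning path above. The sample payloads, the field subset used, the VT_MALICIOUS_MIN threshold and the schema are assumptions; for live data replace the constants with requests.get(...).text (PhishTank and OpenPhish) and an authenticated VirusTotal v3 call.

```python
import csv
import io
import json
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlsplit, urlunsplit

# Constructed sample payloads. Field names approximate the PhishTank JSON dump,
# the OpenPhish plain-text feed and a VirusTotal API v3 file object; every
# indicator is made up (.test TLD, dummy hash).
PHISHTANK_JSON = json.dumps([
    {"phish_id": 1, "url": "http://Login-Secure-Example.test/verify",
     "verified": "yes", "online": "yes", "target": "Example Bank"},
    {"phish_id": 2, "url": "http://update-account.example.test/",
     "verified": "no", "online": "yes", "target": "Other"},
])
OPENPHISH_TXT = "http://login-secure-example.test/verify\nhttp://free-gift.example.test/claim\n"
VT_FILE_JSON = json.dumps({"data": {"type": "file", "id": "0123456789abcdef" * 4,
    "attributes": {"last_analysis_stats": {"malicious": 41, "suspicious": 1,
                                           "undetected": 18, "harmless": 0}}}})
VT_MALICIOUS_MIN = 5  # assumed: keep a hash only if at least this many engines flag it

SCHEMA = """CREATE TABLE IF NOT EXISTS iocs (
    type TEXT NOT NULL, value TEXT NOT NULL,
    first_seen TEXT NOT NULL, last_seen TEXT NOT NULL, sources TEXT NOT NULL,
    PRIMARY KEY (type, value))"""

def normalize_url(url):
    """Lower-case scheme and host so the same URL reported by two feeds dedupes."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))

def parse_phishtank(text):
    """Keep only verified, online entries; raw submissions are noisy."""
    return [{"type": "url", "value": normalize_url(e["url"]), "source": "phishtank"}
            for e in json.loads(text)
            if e.get("verified") == "yes" and e.get("online") == "yes"]

def parse_openphish(text):
    """One URL per line; blank lines and comments are skipped."""
    return [{"type": "url", "value": normalize_url(ln), "source": "openphish"}
            for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

def parse_virustotal_file(text):
    """v3 file object: the sha256 is the object id, verdicts sit in last_analysis_stats."""
    obj = json.loads(text)["data"]
    if obj["attributes"]["last_analysis_stats"].get("malicious", 0) < VT_MALICIOUS_MIN:
        return []
    return [{"type": "sha256", "value": obj["id"].lower(), "source": "virustotal"}]

def upsert_iocs(conn, iocs, now):
    """New IOCs are inserted; known ones keep first_seen, bump last_seen, merge sources."""
    ts = now.isoformat()
    for ioc in iocs:
        key = (ioc["type"], ioc["value"])
        row = conn.execute("SELECT sources FROM iocs WHERE type=? AND value=?", key).fetchone()
        if row is None:
            conn.execute("INSERT INTO iocs VALUES (?, ?, ?, ?, ?)", key + (ts, ts, ioc["source"]))
        else:
            merged = ",".join(sorted(set(row[0].split(",")) | {ioc["source"]}))
            conn.execute("UPDATE iocs SET last_seen=?, sources=? WHERE type=? AND value=?",
                         (ts, merged) + key)
    conn.commit()

def build_store(now=None):
    """Ingest the three sample feeds into an in-memory SQLite database."""
    now = now or datetime.now(timezone.utc)
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    for iocs in (parse_phishtank(PHISHTANK_JSON), parse_openphish(OPENPHISH_TXT),
                 parse_virustotal_file(VT_FILE_JSON)):
        upsert_iocs(conn, iocs, now)
    return conn

def ioc_counts(conn):
    """Per-source counts for the dashboard; a shared IOC counts once per source."""
    counts = {}
    for (sources,) in conn.execute("SELECT sources FROM iocs"):
        for src in sources.split(","):
            counts[src] = counts.get(src, 0) + 1
    return counts

def export_blocklist_csv(conn, ioc_type="url"):
    """CSV block list for a firewall or proxy: one indicator per row, with provenance."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["type", "value", "first_seen", "sources"])
    w.writerows(conn.execute("SELECT type, value, first_seen, sources FROM iocs "
                             "WHERE type=? ORDER BY value", (ioc_type,)))
    return buf.getvalue()

if __name__ == "__main__":
    db = build_store()
    print(ioc_counts(db))
    print(export_blocklist_csv(db))
```

Two things to notice when you run it: the unverified PhishTank submission never reaches the database, and the URL reported by both PhishTank and OpenPhish is stored once with sources "openphish,phishtank", which is exactly the corroboration signal a later scoring step wants.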
Intermediate
Project

SIEM Integration & Alert Correlation

Scenario

Enhance your SIEM (e.g., Splunk, Elastic) with threat intelligence feeds to generate high-fidelity alerts when internal network traffic matches known malicious indicators.

How to Execute
1. Configure a scheduled job to pull IOCs from PhishTank and OpenPhish into a lookup table or threat list within your SIEM (a Splunk lookup or KV store, Elastic's threat intelligence indices), recording when each entry was added or last seen.
2. Create correlation rules that match internal DNS query logs, proxy logs, and firewall logs against the threat list. Match on normalized fields (lower-cased host; the full URL for URL indicators) and grade the alert by what the log proves: a DNS resolution is weaker evidence than an allowed proxy connection to the indicator.
3. Develop an enrichment search that automatically queries the VirusTotal API for any matched IOC to add context (detection ratio, community score) to the alert, and cache the response so repeated hits on the same indicator do not consume your quota.
4. Implement IOC aging by automatically removing entries older than 30 days from the active block list. Age on last-seen rather than first-seen so that an indicator the feeds keep reporting stays active.
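The correlation logic below is an added example, not code from this page or from any SIEM vendor; it also illustrates the correlation and aging step from the learning path above. It runs the matching and aging rules over a constructed threat list and constructed DNS/proxy log lines in a simplified key=value format (not a real vendor format), with made-up .test indicators. The 30-day window comes from the project brief; the severity grading, the log format, the timestamps and the decision that a URL indicator does not fire on a DNS lookup alone are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

IOC_MAX_AGE = timedelta(days=30)   # aging window from the project brief

# Constructed threat list as the scheduled job would leave it in the SIEM lookup
# table; "added" is the ingestion time. Every indicator is made up.
THREAT_LIST = [
    {"type": "url", "value": "http://login-secure-example.test/verify",
     "source": "phishtank", "added": datetime(2024, 5, 20, tzinfo=timezone.utc)},
    {"type": "domain", "value": "free-gift.example.test",
     "source": "openphish", "added": datetime(2024, 5, 25, tzinfo=timezone.utc)},
    {"type": "domain", "value": "old-campaign.example.test",  # stale, must age out
     "source": "openphish", "added": datetime(2024, 3, 1, tzinfo=timezone.utc)},
]

# Constructed log lines in a simplified key=value shape, not a vendor format.
LOG_LINES = """\
2024-06-01T09:00:01Z dns src=10.0.0.5 query=free-gift.example.test
2024-06-01T09:00:02Z proxy src=10.0.0.5 url=http://free-gift.example.test/claim status=200
2024-06-01T09:05:00Z dns src=10.0.0.9 query=login-secure-example.test
2024-06-01T09:06:00Z proxy src=10.0.0.9 url=http://LOGIN-secure-example.test/verify status=403
2024-06-01T09:10:00Z dns src=10.0.0.7 query=old-campaign.example.test
2024-06-01T09:11:00Z dns src=10.0.0.7 query=www.example.test
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>dns|proxy) (?P<kv>.*)$")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m.group("ts"), "kind": m.group("kind")}
    ev.update(kv.split("=", 1) for kv in m.group("kv").split())
    return ev

def norm_url(url):
    """Scheme and host are case-insensitive; the path is not, so leave it alone."""
    p = urlsplit(url.strip())
    return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()).geturl()

def active_iocs(threat_list, now):
    """Aging: drop entries older than IOC_MAX_AGE. Phishing hosts are cleaned up or
    reassigned quickly, so a stale entry is mostly a false positive waiting to happen."""
    return [i for i in threat_list if now - i["added"] <= IOC_MAX_AGE]

def build_lookup(iocs):
    """Index by (type, normalized value): full URL for url IOCs, bare host for domains."""
    return {(i["type"], norm_url(i["value"]) if i["type"] == "url" else i["value"].lower()): i
            for i in iocs}

def correlate(lines, threat_list, now):
    """Match DNS and proxy events against the active list. Severity reflects what the
    logs prove: DNS-only means the name resolved (low); an allowed proxy request
    (2xx/3xx) means the user reached the site (high); a blocked request is medium.
    A url IOC deliberately does not fire on DNS alone: its host may be shared
    hosting that also serves legitimate sites."""
    lookup = build_lookup(active_iocs(threat_list, now))
    alerts = []
    for line in lines.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "dns":
            hit = lookup.get(("domain", ev["query"].lower()))
            severity, evidence = "low", "dns"
        else:
            url = norm_url(ev["url"])
            hit = lookup.get(("url", url)) or lookup.get(("domain", urlsplit(url).hostname or ""))
            allowed = ev.get("status", "0")[:1] in ("2", "3")
            severity, evidence = ("high" if allowed else "medium"), "proxy"
        if hit:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "ioc": hit["value"],
                           "feed": hit["source"], "evidence": evidence, "severity": severity})
    return alerts

def run_sample(now_iso="2024-06-01T12:00:00+00:00"):
    now = datetime.fromisoformat(now_iso)
    return correlate(LOG_LINES, THREAT_LIST, now)

if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

With the clock at 2024-06-01 the stale old-campaign.example.test entry has aged out, so the 10.0.0.7 lookup produces no alert; move the clock back to March and it fires again. The upper-cased host in the 403 proxy line still matches because both sides are normalized before comparison, which is the point of step 2.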
Advanced
Project

Threat Intelligence Platform (TIP) with Automated Enforcement

Scenario

Design and deploy a centralized platform that orchestrates intelligence from multiple feeds, scores and prioritizes threats, and automatically pushes block policies to network security controls.

How to Execute
1. Deploy a TIP like MISP or OpenCTI. Configure connectors for PhishTank, OpenPhish, and VirusTotal's premium API.
2. Develop custom Python modules for normalizing disparate feed formats into STIX 2.1 Indicator objects, one pattern form per indicator type (for example [url:value = '...'] for a phishing URL).
3. Implement a scoring engine that weights IOCs based on source reliability, age, and corroboration from multiple feeds.
4. Integrate with enforcement APIs (e.g., Palo Alto Panorama, CrowdStrike Falcon) to automatically push high-confidence IOCs to block lists. Push phishing URLs as URL-level blocks: a domain-level block on a shared host or CDN takes legitimate sites down with it, so keep an allowlist and a staging step for domain blocks.
5. Build a feedback loop where IOCs involved in confirmed incidents raise the weight of the feeds that reported them, and confirmed false positives lower it.
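The scoring and enforcement planner below is an added example, not code from this page, from MISP or OpenCTI, or from any enforcement vendor. It scores constructed, already-normalized IOCs (made-up .test values and a dummy hash) by source reliability, age decay and corroboration, emits a hand-built STIX 2.1 Indicator for everything it would push, routes each type to an assumed enforcement point, holds allowlisted shared-host domains, and applies the incident feedback loop to the reliability table. The reliability weights, half-life, bonus, threshold, allowlist and enforcement-point names are all assumptions to calibrate against your own false-positive history; the STIX field set follows the 2.1 Indicator object but is built by hand rather than with the stix2 library.

```python
import uuid
from datetime import datetime, timedelta

# Assumed tuning constants; calibrate them against your own false-positive history.
SOURCE_RELIABILITY = {"phishtank": 0.80, "openphish": 0.85, "virustotal": 0.90}
HALF_LIFE_DAYS = 14          # an IOC's weight halves every 14 days since it was last seen
CORROBORATION_BONUS = 0.15   # added per extra independent feed reporting the same IOC
BLOCK_THRESHOLD = 0.70       # at or above this score the IOC is pushed to enforcement
# Domains never sinkholed wholesale (shared hosting, CDNs): block their URLs instead.
SHARED_HOST_ALLOWLIST = frozenset({"shared-host.example.test"})

ENFORCEMENT_POINT = {"url": "proxy-url-block", "domain": "dns-sinkhole", "sha256": "edr-hash-block"}
STIX_PATTERN = {"url": "[url:value = '{v}']",
                "domain": "[domain-name:value = '{v}']",
                "sha256": "[file:hashes.'SHA-256' = '{v}']"}

def sample_iocs(now):
    """Constructed, already-normalized IOCs as the TIP holds them after ingestion."""
    return [
        {"type": "url", "value": "http://login-secure-example.test/verify",
         "sources": {"phishtank", "openphish"}, "last_seen": now - timedelta(days=1)},
        {"type": "domain", "value": "old-campaign.example.test",
         "sources": {"openphish"}, "last_seen": now - timedelta(days=20)},
        {"type": "sha256", "value": "0123456789abcdef" * 4,
         "sources": {"virustotal"}, "last_seen": now - timedelta(days=3)},
        {"type": "domain", "value": "shared-host.example.test",
         "sources": {"phishtank", "openphish"}, "last_seen": now},
    ]

def score_ioc(ioc, now, reliability=SOURCE_RELIABILITY):
    """score = (best source reliability + corroboration bonus, capped at 1) * age decay."""
    sources = ioc["sources"]
    base = max(reliability.get(s, 0.5) for s in sources)
    base = min(1.0, base + CORROBORATION_BONUS * (len(sources) - 1))
    age_days = (now - ioc["last_seen"]).total_seconds() / 86400
    return round(base * 0.5 ** (age_days / HALF_LIFE_DAYS), 3)

def to_stix_indicator(ioc, score, now):
    """Hand-built STIX 2.1 Indicator (the stix2 library adds validation on top).
    The id is derived from the value so re-exports update rather than duplicate."""
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, ioc["type"] + ":" + ioc["value"])),
        "created": ts, "modified": ts, "valid_from": ts,
        "name": "%s from %s" % (ioc["type"], ",".join(sorted(ioc["sources"]))),
        "indicator_types": ["malicious-activity"],
        "pattern": STIX_PATTERN[ioc["type"]].format(v=ioc["value"].replace("'", "\\'")),
        "pattern_type": "stix",
        "confidence": int(round(score * 100)),   # STIX confidence is an integer 0..100
    }

def plan_enforcement(iocs, now, reliability=SOURCE_RELIABILITY):
    """Per IOC: push to its enforcement point, or hold (low score / allowlisted domain)."""
    plan = []
    for ioc in iocs:
        score = score_ioc(ioc, now, reliability)
        if score < BLOCK_THRESHOLD:
            action, reason = "hold", "below-threshold"
        elif ioc["type"] == "domain" and ioc["value"] in SHARED_HOST_ALLOWLIST:
            action, reason = "hold", "shared-host-allowlist"
        else:
            action, reason = "push", ENFORCEMENT_POINT[ioc["type"]]
        plan.append({"value": ioc["value"], "score": score, "action": action, "reason": reason,
                     "stix": to_stix_indicator(ioc, score, now) if action == "push" else None})
    return plan

def apply_incident_feedback(reliability, confirmed_sources, step=0.02):
    """Feedback loop: feeds whose IOCs were confirmed in an incident gain reliability
    (capped at 1.0). Returns a new table; the caller decides when to promote it."""
    updated = dict(reliability)
    for s in confirmed_sources:
        updated[s] = min(1.0, round(updated.get(s, 0.5) + step, 3))
    return updated

def run_sample(now_iso="2024-06-01T00:00:00+00:00"):
    now = datetime.fromisoformat(now_iso)
    return plan_enforcement(sample_iocs(now), now)

if __name__ == "__main__":
    for d in run_sample():
        print(d["action"], d["reason"], d["score"], d["value"])
```

The interesting rows are the two holds: the single-source domain last seen 20 days ago decays below the threshold even though OpenPhish is a well-regarded feed, and the shared-host domain scores a perfect 1.0 yet is still held, because a DNS sinkhole for it would outage every legitimate site on that host. Feedback returns a new reliability table rather than mutating the global one so that a change can be reviewed before it alters what gets pushed.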

Tools & Frameworks

Software & Platforms

MISP (Malware Information Sharing Platform), OpenCTI (Open Cyber Threat Intelligence), TheHive with Cortex, Splunk / Enterprise Security, Elastic SIEM

Use MISP or OpenCTI for centralized feed aggregation, normalization, and sharing. TheHive handles case management and Cortex runs the enrichment analyzers and responders that automate response. Use SIEMs for correlation with internal telemetry and alerting.

Programming & APIs

Python (requests, pandas, pymisp), VirusTotal API v3, PhishTank API, OpenPhish API, TAXII/STIX libraries

Python is the standard for building ingestion scripts. Use each vendor's official API or feed endpoint, respect its rate limits and terms of use (VirusTotal's public quota is small, so cache lookups by hash or URL), and keep API keys out of the scripts themselves. TAXII/STIX libraries (for example the stix2 and taxii2-client packages) enable interoperability with modern threat intelligence platforms.

Operational Methodologies

Diamond Model of Intrusion Analysis, MITRE ATT&CK Framework, Traffic Light Protocol (TLP), IOC Lifecycle Management

Use the Diamond Model (adversary, infrastructure, capability, victim) to contextualize IOCs: a feed supplies the infrastructure vertex, your own logs supply the victim. Map findings to ATT&CK (phishing is T1566) for strategic defense improvements. Adhere to TLP for handling shared intelligence. Manage IOC expiration so block lists do not fill with stale or reassigned infrastructure.

Interview Questions

Answer Strategy

Focus on the principles of precision over volume: IOC triage, aging, and contextual enrichment. The candidate must demonstrate operational thinking. Sample answer: 'I would first implement an IOC aging policy, automatically archiving entries older than 14 days. Next, I'd create a scoring model: PhishTank URLs with high community verification scores get a higher priority. I'd enrich every alert with a VirusTotal API query; if the detection ratio is below 5/60 or it's a known benign domain like a CDN, the alert severity gets downgraded. Finally, I'd correlate the IOC with internal logs; if no user actually clicked or connected, the alert is deprioritized.'

Answer Strategy

Tests business acumen and ability to translate technical value into business outcomes. The answer should frame intelligence in terms of risk reduction and efficiency. Sample answer: 'I justified a premium VirusTotal API license by tracking two metrics: MTTD reduction and analyst time saved. We showed that automated enrichment from the API cut the average investigation time for a suspicious file from 25 minutes to 3 minutes. Over a quarter, this saved 120 analyst-hours, equivalent to a full-time employee. We also demonstrated that the API identified 15 zero-day phishing sites 48 hours before they appeared in free feeds, preventing potential financial fraud.'
