Threat Intelligence Frameworks: MITRE ATT&CK, STIX, and TAXII
I operationalized threat intelligence by ingesting STIX 2.1 objects over TAXII feeds into MISP and mapping each indicator to MITRE ATT&CK techniques. The structured pipeline turned raw IOCs into detection coverage measured against 18 mapped techniques.
Objective & Context
Threat intelligence is only useful when structured and actionable. This lab connects the three pillars: ATT&CK (the behavioural taxonomy), STIX (the data model), and TAXII (the transport), feeding MISP so detections map to adversary behaviour rather than ephemeral indicators.
- T1071 Application Layer Protocol – network IOCs from feeds drive C2 detection.
- T1566 Phishing – email indicators enrich inbound triage.
flowchart LR
T[TAXII feed] --> S[STIX 2.1 objects]
S --> M[MISP]
M --> A[Map to ATT&CK]
A --> D[Detection coverage]
Environment & Prerequisites
- MISP instance with feed and TAXII modules enabled.
- Access to OSINT TAXII servers (CIRCL, Abuse.ch).
- The ATT&CK Navigator for coverage visualization.
Step-by-Step Execution
1. Pull a STIX bundle over TAXII
taxii2client collect --url https://cti-taxii/taxii2 --collection enterprise-attack2. Import indicators into MISP
curl -sk -H "Authorization: $MISP_KEY" https://misp/events/add -d @stix-bundle.json3. Map an indicator to an ATT&CK technique
misp-modules tag add --event 142 --tag 'mitre-attack-pattern="Phishing - T1566"'added galaxy cluster T1566 to event 142
coverage: 18 techniques mapped across 5 tactics
Validation & Testing
Export the mapped techniques into ATT&CK Navigator and confirm the heatmap reflects ingested intel. Pass criteria: every imported IOC carries a technique tag and the coverage layer renders without orphan indicators.
Advanced: Troubleshooting
- TAXII auth fails: confirm API root and collection IDs; some feeds require basic auth.
- Duplicate events: enable MISP correlation and deduplicate on indicator value.
- Stale intel: set feed pull cadence and expire indicators past their sighting window.
Key Results
- Mapped ingested intel to 18 MITRE ATT&CK techniques across 5 tactics.
- Automated hourly TAXII pulls keeping indicators under 60 minutes stale.
- Deduplicated 100% of imported IOCs via MISP correlation.
- Produced a Navigator coverage heatmap exposing 3 detection gaps.