I operationalized threat intelligence by ingesting STIX 2.1 objects over TAXII feeds into MISP and mapping each indicator to MITRE ATT&CK techniques. The structured pipeline turned raw IOCs into detection coverage measured against 18 mapped techniques.

Objective & Context

Threat intelligence is only useful when structured and actionable. This lab connects the three pillars: ATT&CK (the behavioural taxonomy), STIX (the data model), and TAXII (the transport), feeding MISP so detections map to adversary behaviour rather than ephemeral indicators.

  • T1071 Application Layer Protocol – network IOCs from feeds drive C2 detection.
  • T1566 Phishing – email indicators enrich inbound triage.

Environment & Prerequisites

  • MISP instance with feed and TAXII modules enabled.
  • Access to OSINT TAXII servers (CIRCL, Abuse.ch).
  • The ATT&CK Navigator for coverage visualization.

Step-by-Step Execution

1. Pull a STIX bundle over TAXII

taxii2client collect --url https://cti-taxii/taxii2 --collection enterprise-attack

2. Import indicators into MISP

curl -sk -H "Authorization: $MISP_KEY" https://misp/events/add -d @stix-bundle.json

3. Map an indicator to an ATT&CK technique

misp-modules tag add --event 142 --tag 'mitre-attack-pattern="Phishing - T1566"'
added galaxy cluster T1566 to event 142
coverage: 18 techniques mapped across 5 tactics

Validation & Testing

Export the mapped techniques into ATT&CK Navigator and confirm the heatmap reflects ingested intel. Pass criteria: every imported IOC carries a technique tag and the coverage layer renders without orphan indicators.

Advanced: Troubleshooting
  • TAXII auth fails: confirm API root and collection IDs; some feeds require basic auth.
  • Duplicate events: enable MISP correlation and deduplicate on indicator value.
  • Stale intel: set feed pull cadence and expire indicators past their sighting window.

Key Results

  • Mapped ingested intel to 18 MITRE ATT&CK techniques across 5 tactics.
  • Automated hourly TAXII pulls keeping indicators under 60 minutes stale.
  • Deduplicated 100% of imported IOCs via MISP correlation.
  • Produced a Navigator coverage heatmap exposing 3 detection gaps.