12 Sep 2023

How to Conduct Operational Threat Intelligence Research with OSINT

Mario Rojas

Conducting operational threat intelligence research involves systematically gathering, analyzing, and disseminating information about current or emerging threats that could impact an organization’s operations.

In this article, we will delve deeper into the importance of this type of research and its methodologies. By the end, you’ll have a clearer understanding of how to transform data into actionable insights that can help you protect your organization from ever-evolving cyber threats.


What Is Operational Threat Intelligence?

Operational threat intelligence (OTI) is a focused subset of cyber threat intelligence (CTI) which drills down into specific cyber-attacks or ongoing campaigns. While CTI offers a panoramic view of the broader digital threat landscape, OTI provides a granular view of the details of distinct attacks.

For security professionals, the granularity of OTI is invaluable as it provides a comprehensive understanding of a cyber-attack’s nature, the underlying intent (financial, data theft, hacktivism), and the expected duration or progression of the campaign.

With this knowledge, analysts can effectively respond to the immediate threat, and strategize for potential future developments to safeguard their organizations.

How to Conduct Operational Threat Intelligence Research?

1. Define the Objectives – Start with a clear goal:

  • What are you trying to achieve?
  • Are you attempting to gain an understanding of industry-specific threats, or investigate a specific incident?

2. Data Collection – Dive deep into both open and closed sources:

It is important to note that while these sources can provide valuable insights, not all sources are suitable for every organization. The quality and accuracy of intelligence can vary, so it is essential to vet and corroborate information before acting on it.

3. Data Processing – Once you have the data, standardize it. Remove redundancies, enrich it, and filter out the noise through:

  • Normalization: Threat intelligence can come from many sources, each with its own format and structure. Normalization ensures that all collected data adheres to a consistent format, making it easier to analyze and correlate.
  • Deduplication: Given the vast amount of data collected, there can be many redundant pieces of information. Deduplication ensures that each piece of threat intelligence is unique.
  • Enrichment: Raw threat data can be enhanced by adding context. An IP address can be enriched with information about its geographical location, associated domain names, or known malicious activities.
  • Filtering: Not all collected data is pertinent to an organization’s threat landscape. Filtering ensures that only relevant threat intelligence is retained, allowing analysts to focus on what’s truly important for their specific environment.

4. Analysis – This is where the magic happens! Connect the dots, identify patterns, and pinpoint who’s behind a threat through:

  • Correlation: Correlation involves linking pieces of information like IOCs or TTPs to identify larger patterns or campaigns. For example, correlating a specific malware hash with an IP address can help identify a coordinated attack from a particular source or attacker.
  • Trend Analysis: Trend analysis in threat intelligence can help organizations anticipate potential threats or understand the evolution of specific threat vectors. For example, by analyzing the increasing frequency of ransomware attacks in a sector, organizations can prioritize defenses against such threats.
  • Attribution: Attribution involves determining who is behind a cyber-attack or campaign. This can be incredibly challenging due to adversaries’ use of obfuscation techniques. However, analysts can sometimes identify specific threat groups or nation-state actors by analyzing TTPs, malware types, or even linguistic patterns.

5. Dissemination – Share findings with stakeholders within the organization. This might include IT teams, executives, or other relevant departments.

6. Feedback Loop – Incorporate stakeholder feedback to refine the intelligence process.

7. Operationalization – Convert intelligence into actionable items. Update the firewall rules, train the staff, or recommend further investigations.

8. Review and Iteration – Review and refine the threat intelligence process regularly.

9. Tooling and Automation – Leverage threat intelligence platforms (TIPs) and other tools to automate data collection, processing, and analysis.

10. Training and Collaboration – Train the threat intelligence team on adversaries’ latest TTPs. Collaborate with other organizations, industry groups, and government agencies to share intelligence and best practices.
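To make steps 3 and 4 concrete, here is an added example (not part of the original article or of any Maltego product) that normalizes, filters, deduplicates and enriches a handful of indicators, then correlates a malware hash with an IP address by the reports they share. The records, sector tags, report ids and enrichment context are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from itertools import combinations

H = "AB" * 32  # constructed 64-hex-digit stand-in for a SHA-256 malware hash
# Constructed sample records: (raw indicator, report id, sector tag of the report).
RAW = [
    ("198.51.100.7", "rpt-1", "finance"),
    ("198[.]51[.]100[.]7", "rpt-2", "finance"),   # defanged duplicate of the above
    (H, "rpt-1", "finance"),
    (H.lower(), "rpt-2", "finance"),              # same hash, different case
    ("hxxp://Bad.Example[.]com/login", "rpt-2", "finance"),
    ("203.0.113.9", "rpt-3", "healthcare"),       # outside our sector
]
# Constructed enrichment context; a real pipeline would query GeoIP or passive DNS.
CONTEXT = {"198.51.100.7": {"country": "ZZ", "asn": "AS64500"}}

def normalize(raw):
    """Refang, lowercase and classify one indicator; returns (type, value)."""
    v = raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if re.fullmatch(r"[0-9a-f]{64}", v):
        return "sha256", v
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", v):
        return "ipv4", v
    m = re.match(r"https?://([^/:]+)", v)
    return "domain", (m.group(1) if m else v).rstrip(".")

def process(records, sectors):
    """Normalize, filter by sector, deduplicate and enrich."""
    merged = defaultdict(set)                     # (type, value) -> report ids
    for raw, report, sector in records:
        if sector in sectors:                     # filtering
            merged[normalize(raw)].add(report)    # normalization + deduplication
    return {k: {"reports": r, **CONTEXT.get(k[1], {})} for k, r in merged.items()}

def correlate(intel, min_shared=2):
    """Pairs of indicators that co-occur in at least min_shared reports."""
    links = []
    for (a, ia), (b, ib) in combinations(sorted(intel.items()), 2):
        shared = ia["reports"] & ib["reports"]
        if len(shared) >= min_shared:
            links.append((a, b, sorted(shared)))
    return links

if __name__ == "__main__":
    intel = process(RAW, sectors={"finance"})
    for link in correlate(intel):
        print(link)
```

Requiring at least two shared reports keeps a single noisy report from linking everything it mentions; raise `min_shared` as the volume of collected reporting grows.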

We’ve also compiled these steps into a PDF that you can take with you.

How Can OSINT Help You Enhance Your Operational Threat Intelligence?

OSINT is crucial in the operational threat intelligence research process, from defining objectives based on ongoing cyber-attack campaigns and trending malware to data collection and analysis.

I already covered some OSINT sources that can improve your operational threat intelligence, so let’s talk about tools now. OSINT tools are not just add-ons to your investigations; they are an integral part of the research process.

Here are some popular and valuable tools:

  • Amass: An advanced open-source tool designed for network mapping and external asset discovery using OSINT gathering and active reconnaissance techniques.
    Use Case: Identify and map all the external assets belonging to your organization.

  • Censys: A search engine that allows researchers to ask questions about devices and networks on the Internet.
    Use Case: Identify misconfigured servers, research SSL/TLS configurations, and discover vulnerable systems.

  • Google Dorks: Advanced search techniques using Google to uncover information that might not be readily visible.
    Use Case: Discover exposed files or databases, identify potential vulnerabilities, and gather data on possible targets.

  • Maltego: Imagine a tool that not only mines data but deduplicates it, enriches it, and correlates it while visualizing the relationships and making patterns clear. Maltego is a game-changer.
    Use Case: Investigate IP addresses, domains, and email addresses; visualize relationships between different entities and enrich the information using the unique data sources integrated into Maltego.

  • Onyphe: A search engine for threat intelligence, helping researchers and security professionals gather and correlate information about IP addresses, domains, and other digital assets.
    Use Case: Use Onyphe to find malicious infrastructure like C2 systems.

  • Shodan: Often dubbed “the search engine for the Internet of Things,” Shodan allows users to discover devices connected to the Internet, ranging from servers to smart devices.
    Use Case: Identify exposed and vulnerable systems, research misconfigured servers or databases, and monitor the exposure of an organization’s assets.

  • theHarvester: A tool designed to gather emails, subdomains, hosts, and more related to a specific domain.
    Use Case: Conduct reconnaissance on a target domain, identify potential phishing vectors, and map an organization’s online footprint.

  • Recon-ng: A reconnaissance framework with modular tools to gather data and integrate with popular databases.
    Use Case: Automate data-gathering tasks, find relationships between collected data, and consolidate data for analysis.

  • SpiderFoot: An automation tool for conducting OSINT and threat intelligence research on IPs, domains, email addresses, and more.
    Use Case: Discover network infrastructure details, identify data leaks, and find potential vulnerabilities.

  • The Wayback Machine: An archive of the Internet that allows users to see historical versions of websites.
    Use Case: Investigate changes on a website, recover lost information, and research defunct services or products.


If your team is looking for specific threat intelligence providers, you can explore our repository of 36 providers tailored for SOC teams and suitable for other teams that incorporate OSINT into their daily operations.


How to Make the Most of Your Operational Threat Intelligence?

Operational threat intelligence is not just about collecting data; it is about discerning actionable patterns, understanding connections, and foreseeing potential threats.

Maltego, with its unmatched data integrations and intuitive visualizations, can help you simplify these tasks as it transforms information into comprehensive maps, revealing hidden relationships and patterns that might have otherwise gone unnoticed.

If you want to see how to use it in practice, check out our series on exploring your attack surface and automating your assessment with Maltego, where we demonstrate all the necessary steps.

Don’t forget to download your copy of the 36 top threat intelligence providers below, follow us on Twitter, LinkedIn, and Mastodon, and sign up for our email newsletter so you don’t miss out on updates and news!

Happy OSINT’ing!

About the Author

Mario Rojas

Mario Rojas is a former Cyber Security and Threat Intelligence Subject Matter Expert at Maltego with more than 14 years of experience in the cybersecurity field. His expertise in open-source intelligence (OSINT) allows him to effectively map and visualize complex relationships and connections between entities, from IP addresses and domain names to social media profiles and dark web forums.
