AI-based threat intelligence platform Criminal IP has begun integration with OpenCTI.
This integration allows OpenCTI users to directly leverage Criminal IP's threat intelligence within their existing CTI workflows, without needing to search for information individually.
A key feature of this integration is its ability to analyze threats not just by managing individual IOCs, but by including contextual information such as related infrastructure and risk data. This supports more practical CTI operations by improving the efficiency of security teams' investigations and decision-making.
Threat intelligence only gains value when it has "context"
In Cyber Threat Intelligence (CTI), individual indicators often do not provide sufficient grounds for decision-making. The integration of Criminal IP and OpenCTI enables security teams to transform individual indicators like IP addresses, domains, and URLs into structured, actionable intelligence within OpenCTI's knowledge graph.
This integration automatically enriches indicators with Criminal IP's reputation scores, infrastructure information, vulnerability data, behavioral signals, and phishing analysis results. The enriched information is structured as entities and relationships within OpenCTI, allowing for more efficient investigation of related infrastructure and prioritization of high-risk indicators.
Key Integration Features
[Screenshot] A screen within OpenCTI that displays Criminal IP's enrichment results for IP addresses, allowing users to view risk scores and behavioral metrics.
Context-based risk scoring beyond simple reputation.
Criminal IP provides risk scores from two perspectives: inbound and outbound. This allows for a multifaceted understanding of how a specific IP address is being targeted and what behavior it exhibits externally. Compared to traditional single-score reputation assessments, it provides more detailed grounds for decision-making, making it easier for analysts to accurately identify high-risk infrastructure and prioritize indicators for response.
[Screenshot] A screen where Criminal IP's IP intelligence is structured as OpenCTI entities, enabling cross-analysis of indicators, network owners, and geographical information.
Advanced infrastructure analysis visualized on a graph.
Criminal IP's enrichment goes beyond simply tagging indicators. It structures relationships with OpenCTI entities, including vulnerabilities (CVEs), Autonomous Systems (ISPs), and geographical information. This allows analysts to perform cross-infrastructure analysis on the graph to understand common components and related infrastructure.
Correlation analysis of public services and vulnerabilities.
By correlating observed service information with known CVEs, this integration provides immediate insights into potential attack surfaces. Analysts can quickly assess not only whether a target IP is malicious, but also whether it is actively exploitable and potentially being used in attacks.
High-precision threat labeling and behavioral signals.
Automatically generated labels reflect multiple data points such as anonymization technologies (VPN, proxy, Tor), hosting characteristics, and malicious classifications. This multi-layered labeling provides richer threat context beyond a simple binary classification of "malicious/normal."
Advanced domain analysis and phishing detection.
For domains, Criminal IP analyzes the entire URL to detect phishing activities, credential harvesting, suspicious files, and impersonation techniques. The trust score is directly linked to the likelihood of phishing, allowing analysts to quantitatively assess risk.
Infrastructure mapping and analysis support.
This integration associates indicators with network owners (Autonomous Systems), physical locations, and resolved IP infrastructure. This enables security teams to understand hosting trends, regional concentrations, and infrastructure patterns across multiple indicators.
Integration Mechanism
A Criminal IP connector ingests indicators such as IP addresses, domains, and URLs into OpenCTI.
Criminal IP automatically assigns reputation scores, infrastructure information, vulnerability information, behavioral signals, and phishing analysis results to each indicator.
The enriched data is structured as entities and relationships within OpenCTI, becoming available for investigation, correlation analysis, and threat analysis within the knowledge graph.
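The three steps above, as an added illustration that is not Criminal IP's connector code: a constructed enrichment result for one IP is turned into STIX 2.1 entities and relationships of the kind OpenCTI stores in its knowledge graph, with the dual score folded into a triage label. The input field names, score scale, triage thresholds, the `x_` custom properties and the placeholder CVE are all assumptions.

```python
import json
import uuid

SCO_NS = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")  # STIX 2.1 cyber-observable id namespace
# Placeholder namespace for deterministic SDO/SRO ids in this demo (assumption)
DEMO_NS = uuid.UUID("11111111-2222-3333-4444-555555555555")

# Constructed sample enrichment; field names and score scale are assumptions
SAMPLE = {
    "ip": "203.0.113.45",
    "score": {"inbound": 85, "outbound": 40},
    "labels": ["vpn", "scanner"],
    "asn": {"number": 64500, "name": "EXAMPLE-HOSTING"},
    "country": "US",
    "cves": ["CVE-0000-00000"],  # placeholder identifier, not a real CVE
}

def stix_id(obj_type, key, ns=DEMO_NS):
    """Deterministic id so re-ingesting the same data updates rather than duplicates."""
    return f"{obj_type}--{uuid.uuid5(ns, json.dumps(key, sort_keys=True))}"

def risk_level(inbound, outbound):
    """Triage bucket from the dual score; the worse view wins (thresholds assumed)."""
    worst = max(inbound, outbound)
    return "critical" if worst >= 80 else "high" if worst >= 60 else "medium" if worst >= 30 else "low"

def rel(rel_type, src, tgt):
    """STIX relationship object linking two objects by id."""
    return {"type": "relationship", "relationship_type": rel_type,
            "id": stix_id("relationship", {"t": rel_type, "s": src["id"], "d": tgt["id"]}),
            "source_ref": src["id"], "target_ref": tgt["id"]}

def to_stix(result):
    """Turn one enrichment result into the entities and relationships OpenCTI stores."""
    ip = {"type": "ipv4-addr", "value": result["ip"],
          "id": stix_id("ipv4-addr", {"value": result["ip"]}, SCO_NS)}
    ind = {"type": "indicator", "id": stix_id("indicator", {"ip": result["ip"]}), "name": result["ip"],
           "pattern_type": "stix", "pattern": f"[ipv4-addr:value = '{result['ip']}']",
           "labels": result["labels"] + [f"risk:{risk_level(**result['score'])}"],
           "x_inbound_score": result["score"]["inbound"], "x_outbound_score": result["score"]["outbound"]}
    asn = {"type": "autonomous-system", "number": result["asn"]["number"], "name": result["asn"]["name"],
           "id": stix_id("autonomous-system", {"number": result["asn"]["number"]}, SCO_NS)}
    loc = {"type": "location", "name": result["country"], "country": result["country"],
           "id": stix_id("location", {"country": result["country"]})}
    objects = [ip, ind, asn, loc, rel("based-on", ind, ip), rel("belongs-to", ip, asn), rel("located-at", ip, loc)]
    for cve in result["cves"]:  # one vulnerability entity per correlated CVE
        vuln = {"type": "vulnerability", "name": cve, "id": stix_id("vulnerability", {"name": cve})}
        objects += [vuln, rel("related-to", ip, vuln)]
    return {"type": "bundle", "id": stix_id("bundle", {"ip": result["ip"]}), "objects": objects}
```

Because every id is derived from the entity's own key, running the conversion twice yields identical bundles, which is what lets a connector re-enrich an indicator without creating duplicate graph nodes.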
Key Use Cases
SOC Triage and Alert Verification: Quickly verify suspicious IP addresses and domains using dual risk scores, infrastructure context, and phishing intelligence. Analysts can prioritize high-risk indicators, improving the accuracy and speed of alert response.
Threat Hunting and Infrastructure Pivot Analysis: Utilize enriched relational information such as CVEs, Autonomous Systems, and geographical data to perform cross-infrastructure analysis. This makes it easier to identify related assets used in attacker activities and common infrastructure configurations.
Phishing and Campaign Analysis: Support tracking of phishing activities and understanding broader campaign patterns by identifying and analyzing malicious domains, credential harvesting pages, and the infrastructure supporting them.
About OpenCTI Platform
OpenCTI is an open-source cyber threat intelligence platform designed to structure, store, and analyze threat data using a graph-based model. It allows organizations to connect indicators, vulnerabilities, threat actors, campaigns, and more within an integrated knowledge base for investigation, collaboration, and intelligence sharing.
About Criminal IP
Criminal IP analyzes IP addresses, domains, and URLs on the global internet to provide cyber threat intelligence directly linked to decision-making. Leveraging AI and OSINT, it supports real-time detection of malicious activities, including reputation scoring, infrastructure visibility, phishing, public services, and anonymization technologies like VPNs and proxies. Its API-first architecture allows for easy integration into existing security platforms, enhancing visibility, automation, and response capabilities.
More Information: https://www.criminalip.io/ja/knowledge-hub/notice/9288
https://hub.filigran.io/en/cybersecurity-solutions/opencti-integrations/criminal-ip
Criminal IP: https://search.criminalip.io/ja
Contact Us: https://www.criminalip.io/ja/contact-us
FACT BOX
- Source: PR TIMES
- Category: Technology Integration
- Organizations: Criminal IP / OpenCTI / AI Spera Inc.