October 7, 2015 By Koen Van Impe 4 min read

The Importance of Threat Intelligence

Collecting threat intelligence data and determining how to process this data is getting more and more attention from security professionals who want to detect and quickly respond to security threats. This holds true not only for advanced persistent threats (APTs), but also for mainstream attacks.

Threat sharing provides you with information on an existing or emerging threat. This information comes with context, indicators, implications and actionable data. Defining whether or not this threat poses a danger to your environment requires you to know your organization and understand your assets, exposure, employees and business area.

Threat Sharing

So where do you get this threat data from? Your view on what is happening, even if you manage multiple environments or networks, is always limited. How do you improve this? The answer is through sharing. Threat sharing increases everyone’s knowledge of adversaries, the assets they are after and how they may try to gain access to your environment.

Fluent and efficient information sharing can only happen if we agree on a standard. STIX, TAXII and CybOX are community-driven efforts and are also a set of free specifications that help with the automated exchange of cyberthreat information. However, these are just the specifications and not the actual tools that provide a platform for sharing and enriching threat data.

Tools for Sharing Threat Data

I took a look at two tools for the sharing of threat intelligence data: MISP and IBM’s X-Force Exchange. Although both tools aim to achieve the same result — sharing data — they use different approaches to achieve that goal.

MISP, the Malware Information Sharing Platform, needs to be installed on a server in your infrastructure. You need a Web server, database and PHP support with a couple of modules. All of the data is stored on your premises and is under your control. The hardening of the server, securing the access and communication and foreseeing backups and redundancy are your responsibility. Obviously, you fully control what happens with the data.

On the other hand, IBM’s X-Force Exchange is a cloud-based platform. You need an IBM ID to get full access to the available threat data (anonymous access is also possible but with restrictive usage) and only a browser to get started; there’s no need for installing extra software. All the data is stored in the cloud, so you do not have to worry about backups or redundancy.

Data Influences Your Choice

The nature and type of data that you want to share will highly influence the type of solution you want to use — or that you are even allowed to use. For example, if you are dealing with sensitive government data, then using a cloud-based solution instead of an on-premises solution might be less preferable and maybe even forbidden by local legislation.

The distribution of threat information can be limited by the originator by using a traffic light protocol (TLP) code. This can sound counterproductive toward the claim of sharing as much information as possible, but for certain ongoing incidents, restricting distribution makes sense. You don’t want to risk that attackers can read how your investigation is progressing.

Starting with your own empty on-premises database (such as with MISP) will limit the amount of immediate accessible and actionable data. On the other hand, by participating in X-Force Exchange, users get immediate access to 700 TB of threat intelligence information on IPs, URLs, Web applications, malware and vulnerabilities.

Sharing Models


A single instance of MISP will start with an empty database. Different MISP instances can be connected to each other. This allows you to get threat information from other instances and then store that data locally, which ensures that the queries for information remain confidential and limited to your server.

MISP foresees four community sharing models:

  • Share with your organization only;
  • Share with this community only;
  • Share with connected communities; and
  • Share with all communities.

X-Force Exchange

X-Force Exchange uses the concept of collections, which are sets of information related to an investigation. Users can aggregate different observables and/or indicators in a collection and then share that with as many users as they wish. These users can either be viewers only or a combination of viewers and contributors. Collections can also be private or public.

This doesn’t completely correspond with sharing under the different TLP restrictions or with the community sharing model of MISP, but it does allow fine-grained filtering of who can access your data.


Both solutions have support for STIX. X-Force Exchange supports STIX and TAXII both via an application programming interface (API) and the Web user interface. It has the capability to import and export STIX documents into and out of a collection. MISP supports exporting data in TAXII format.

API Access for Automation

Most users will interact with these two platforms via the Web interface, but this isn’t the optimal way to integrate with your existing infrastructure.

Both solutions provide an API to overcome this problem. The API is necessary to automatically update your security devices (IDS, SIEM, etc.) with the latest available information.

X-Force Exchange

The X-Force Exchange API provides a secure, RESTful, JSON-based API that supports both public and authenticated queries. You can write your own module to access the API or use one of the projects that already exist on Github, such as goxforce, ibmxforceex.checker.py or xForce project.


MISP also has a RESTful, JSON-based API that can be used for automation and feeding your devices. There is a Python library, PyMISP, developed by CIRCL that allows easy access to the API.


Threat intelligence sharing is not something revolutionary, but it’s definitely something you should consider if you want to stay on top of what threats can endanger the security of your IT environment.

MISP is very strong when it comes to building a central indicators of compromise database containing both technical and nontechnical information. Meanwhile, the Web version of X-Force Exchange provides a much slicker interface for viewing trends and ongoing threat activity, giving you an immediate view on what’s happening.

The different tools available for sharing threat intelligence do not exclude each other. It’s perfectly normal to acquire both on-premises and cloud-based solutions and then choose, depending on the type of threat information you are dealing with, where to store the information.

More from Threat Intelligence

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Audio-jacking: Using generative AI to distort live audio transactions

7 min read - The rise of generative AI, including text-to-image, text-to-speech and large language models (LLMs), has significantly changed our work and personal lives. While these advancements offer many benefits, they have also presented new challenges and risks. Specifically, there has been an increase in threat actors who attempt to exploit large language models to create phishing emails and use generative AI, like fake voices, to scam people. We recently published research showcasing how adversaries could hypnotize LLMs to serve nefarious purposes simply…

ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware

12 min read - As of December 2023, IBM X-Force has uncovered multiple lure documents that predominately feature the ongoing Israel-Hamas war to facilitate the delivery of the ITG05 exclusive Headlace backdoor. The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers. ITG05’s infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign. X-Force tracks ITG05 as…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today