The Importance of Threat Intelligence

Collecting threat intelligence data and determining how to process this data is getting more and more attention from security professionals who want to detect and quickly respond to security threats. This holds true not only for advanced persistent threats (APTs), but also for mainstream attacks.

Threat sharing provides you with information on an existing or emerging threat. This information comes with context, indicators, implications and actionable data. Defining whether or not this threat poses a danger to your environment requires you to know your organization and understand your assets, exposure, employees and business area.

Threat Sharing

So where do you get this threat data from? Your view on what is happening, even if you manage multiple environments or networks, is always limited. How do you improve this? The answer is through sharing. Threat sharing increases everyone’s knowledge of adversaries, the assets they are after and how they may try to gain access to your environment.

Fluent and efficient information sharing can only happen if we agree on a standard. STIX, TAXII and CybOX are community-driven efforts and are also a set of free specifications that help with the automated exchange of cyberthreat information. However, these are just the specifications and not the actual tools that provide a platform for sharing and enriching threat data.

Tools for Sharing Threat Data

I took a look at two tools for the sharing of threat intelligence data: MISP and IBM’s X-Force Exchange. Although both tools aim to achieve the same result — sharing data — they use different approaches to achieve that goal.

MISP, the Malware Information Sharing Platform, needs to be installed on a server in your infrastructure. You need a Web server, database and PHP support with a couple of modules. All of the data is stored on your premises and is under your control. The hardening of the server, securing the access and communication and foreseeing backups and redundancy are your responsibility. Obviously, you fully control what happens with the data.

On the other hand, IBM’s X-Force Exchange is a cloud-based platform. You need an IBM ID to get full access to the available threat data (anonymous access is also possible but with restrictive usage) and only a browser to get started; there’s no need for installing extra software. All the data is stored in the cloud, so you do not have to worry about backups or redundancy.

Data Influences Your Choice

The nature and type of data that you want to share will highly influence the type of solution you want to use — or that you are even allowed to use. For example, if you are dealing with sensitive government data, then using a cloud-based solution instead of an on-premises solution might be less preferable and maybe even forbidden by local legislation.

The distribution of threat information can be limited by the originator by using a traffic light protocol (TLP) code. This can sound counterproductive toward the claim of sharing as much information as possible, but for certain ongoing incidents, restricting distribution makes sense. You don’t want to risk that attackers can read how your investigation is progressing.

Starting with your own empty on-premises database (such as with MISP) will limit the amount of immediate accessible and actionable data. On the other hand, by participating in X-Force Exchange, users get immediate access to 700 TB of threat intelligence information on IPs, URLs, Web applications, malware and vulnerabilities.

Sharing Models


A single instance of MISP will start with an empty database. Different MISP instances can be connected to each other. This allows you to get threat information from other instances and then store that data locally, which ensures that the queries for information remain confidential and limited to your server.

MISP foresees four community sharing models:

  • Share with your organization only;
  • Share with this community only;
  • Share with connected communities; and
  • Share with all communities.

X-Force Exchange

X-Force Exchange uses the concept of collections, which are sets of information related to an investigation. Users can aggregate different observables and/or indicators in a collection and then share that with as many users as they wish. These users can either be viewers only or a combination of viewers and contributors. Collections can also be private or public.

This doesn’t completely correspond with sharing under the different TLP restrictions or with the community sharing model of MISP, but it does allow fine-grained filtering of who can access your data.


Both solutions have support for STIX. X-Force Exchange supports STIX and TAXII both via an application programming interface (API) and the Web user interface. It has the capability to import and export STIX documents into and out of a collection. MISP supports exporting data in TAXII format.

API Access for Automation

Most users will interact with these two platforms via the Web interface, but this isn’t the optimal way to integrate with your existing infrastructure.

Both solutions provide an API to overcome this problem. The API is necessary to automatically update your security devices (IDS, SIEM, etc.) with the latest available information.

X-Force Exchange

The X-Force Exchange API provides a secure, RESTful, JSON-based API that supports both public and authenticated queries. You can write your own module to access the API or use one of the projects that already exist on Github, such as goxforce, or xForce project.


MISP also has a RESTful, JSON-based API that can be used for automation and feeding your devices. There is a Python library, PyMISP, developed by CIRCL that allows easy access to the API.


Threat intelligence sharing is not something revolutionary, but it’s definitely something you should consider if you want to stay on top of what threats can endanger the security of your IT environment.

MISP is very strong when it comes to building a central indicators of compromise database containing both technical and nontechnical information. Meanwhile, the Web version of X-Force Exchange provides a much slicker interface for viewing trends and ongoing threat activity, giving you an immediate view on what’s happening.

The different tools available for sharing threat intelligence do not exclude each other. It’s perfectly normal to acquire both on-premises and cloud-based solutions and then choose, depending on the type of threat information you are dealing with, where to store the information.

More from Threat Intelligence

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…