The Importance of Threat Intelligence

Collecting threat intelligence data and determining how to process this data is getting more and more attention from security professionals who want to detect and quickly respond to security threats. This holds true not only for advanced persistent threats (APTs), but also for mainstream attacks.

Threat sharing provides you with information on an existing or emerging threat. This information comes with context, indicators, implications and actionable data. Defining whether or not this threat poses a danger to your environment requires you to know your organization and understand your assets, exposure, employees and business area.

Threat Sharing

So where do you get this threat data from? Your view on what is happening, even if you manage multiple environments or networks, is always limited. How do you improve this? The answer is through sharing. Threat sharing increases everyone’s knowledge of adversaries, the assets they are after and how they may try to gain access to your environment.

Fluent and efficient information sharing can only happen if we agree on a standard. STIX, TAXII and CybOX are community-driven efforts and are also a set of free specifications that help with the automated exchange of cyberthreat information. However, these are just the specifications and not the actual tools that provide a platform for sharing and enriching threat data.

Tools for Sharing Threat Data

I took a look at two tools for the sharing of threat intelligence data: MISP and IBM’s X-Force Exchange. Although both tools aim to achieve the same result — sharing data — they use different approaches to achieve that goal.

MISP, the Malware Information Sharing Platform, needs to be installed on a server in your infrastructure. You need a Web server, database and PHP support with a couple of modules. All of the data is stored on your premises and is under your control. The hardening of the server, securing the access and communication and foreseeing backups and redundancy are your responsibility. Obviously, you fully control what happens with the data.

On the other hand, IBM’s X-Force Exchange is a cloud-based platform. You need an IBM ID to get full access to the available threat data (anonymous access is also possible but with restrictive usage) and only a browser to get started; there’s no need for installing extra software. All the data is stored in the cloud, so you do not have to worry about backups or redundancy.

Data Influences Your Choice

The nature and type of data that you want to share will highly influence the type of solution you want to use — or that you are even allowed to use. For example, if you are dealing with sensitive government data, then using a cloud-based solution instead of an on-premises solution might be less preferable and maybe even forbidden by local legislation.

The distribution of threat information can be limited by the originator by using a traffic light protocol (TLP) code. This can sound counterproductive toward the claim of sharing as much information as possible, but for certain ongoing incidents, restricting distribution makes sense. You don’t want to risk that attackers can read how your investigation is progressing.

Starting with your own empty on-premises database (such as with MISP) will limit the amount of immediate accessible and actionable data. On the other hand, by participating in X-Force Exchange, users get immediate access to 700 TB of threat intelligence information on IPs, URLs, Web applications, malware and vulnerabilities.

Sharing Models


A single instance of MISP will start with an empty database. Different MISP instances can be connected to each other. This allows you to get threat information from other instances and then store that data locally, which ensures that the queries for information remain confidential and limited to your server.

MISP foresees four community sharing models:

  • Share with your organization only;
  • Share with this community only;
  • Share with connected communities; and
  • Share with all communities.

X-Force Exchange

X-Force Exchange uses the concept of collections, which are sets of information related to an investigation. Users can aggregate different observables and/or indicators in a collection and then share that with as many users as they wish. These users can either be viewers only or a combination of viewers and contributors. Collections can also be private or public.

This doesn’t completely correspond with sharing under the different TLP restrictions or with the community sharing model of MISP, but it does allow fine-grained filtering of who can access your data.


Both solutions have support for STIX. X-Force Exchange supports STIX and TAXII both via an application programming interface (API) and the Web user interface. It has the capability to import and export STIX documents into and out of a collection. MISP supports exporting data in TAXII format.

API Access for Automation

Most users will interact with these two platforms via the Web interface, but this isn’t the optimal way to integrate with your existing infrastructure.

Both solutions provide an API to overcome this problem. The API is necessary to automatically update your security devices (IDS, SIEM, etc.) with the latest available information.

X-Force Exchange

The X-Force Exchange API provides a secure, RESTful, JSON-based API that supports both public and authenticated queries. You can write your own module to access the API or use one of the projects that already exist on Github, such as goxforce, or xForce project.


MISP also has a RESTful, JSON-based API that can be used for automation and feeding your devices. There is a Python library, PyMISP, developed by CIRCL that allows easy access to the API.


Threat intelligence sharing is not something revolutionary, but it’s definitely something you should consider if you want to stay on top of what threats can endanger the security of your IT environment.

MISP is very strong when it comes to building a central indicators of compromise database containing both technical and nontechnical information. Meanwhile, the Web version of X-Force Exchange provides a much slicker interface for viewing trends and ongoing threat activity, giving you an immediate view on what’s happening.

The different tools available for sharing threat intelligence do not exclude each other. It’s perfectly normal to acquire both on-premises and cloud-based solutions and then choose, depending on the type of threat information you are dealing with, where to store the information.

More from Threat Intelligence

An IBM Hacker Breaks Down High-Profile Attacks

On September 19, 2022, an 18-year-old cyberattacker known as "teapotuberhacker" (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer's worst nightmare. In addition, the malicious actor claimed responsibility for a…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…

Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments

While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM Security X-Force data reveals that many cloud-adopting businesses are falling behind on basic security best practices, introducing more risk to their organizations. Shedding light on…