Threat intelligence sharing services have been around almost since the earliest days of malware, but lately they seem to be gaining traction among IT professionals. In mid 2015, we noted that Facebook had set up its own exchange to share threat information. Since then, nearly 500 organizations have joined the effort, and the social networking company has added enhancements such as a tagging schema and real-time notifications.

The Threat Intelligence Explosion

Facebook is a great example of how threat sharing programs have quickly expanded. IBM continues to enhance its own X-Force Exchange with new notification features and additional information. A “curated list of awesome threat intelligence resources” hosted on GitHub includes several dozen different exchanges, along with numerous standards for sharing specific details about malware and a variety of tools that leverage these exchanges, such as CollabNet, SpiceWorks, OpenPhish, Metadefender and Spamhaus, just to name a few.

This explosion can be attributed to the ineffectiveness of traditional pattern-matching solutions. Cybercriminals leverage tools to produce unique patterns for malware infections, and new strains are becoming adept at hiding in memory, making detection more difficult. This means that defenders have to become better organized.

Community Outreach

IT teams can become more effective with these exchange-based tools, but it will require some effort. First, management must buy into sharing efforts and understand their value. Without top-level support, the whole notion of sharing might become a political issue rather than a technical one.

The main lesson passed from Ken Weston, senior security analyst at Tripwire, to eSecurity Planet was that “before threat exchanges can be useful, you need a solid infrastructure that provides visibility into your network and log activity picked up by intrusion detection systems.” Without this level of visibility, exchanges are worthless since you won’t know whether a threat has already appeared across your network.

Next, you must decide which community you want to participate in. Not all communities support all log formats, and some are designed to work with a particular vendor’s intrusion detection systems. A few communities are also more open than others. Programs from IBM, Imperva, Microsoft and McAfee, for example, all require customers to register, while open source tools are more inclusive. You should pick the community that uses the same tools you already have in place to simplify information transfer.

Finally, you need to understand the standards employed by the particular reporting formats of your chosen community. Make sure your logs can be converted into the appropriate format without a lot of effort, otherwise you will have less incentive to share threat intelligence information.

Visit the IBM X-Force Exchange

More from Risk Management

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Worms of Wisdom: How WannaCry Shapes Cybersecurity Today

WannaCry wasn't a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry "ransomworm" hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide. While the discovery of a "kill switch" in the code blunted the spread of the attack and newly…

Why Operational Technology Security Cannot Be Avoided

Operational technology (OT) includes any hardware and software that directly monitors and controls industrial equipment and all its assets, processes and events to detect or initiate a change. Yet despite occupying a critical role in a large number of essential industries, OT security is also uniquely vulnerable to attack. From power grids to nuclear plants, attacks on OT systems have caused devastating work interruptions and physical damage in industries across the globe. In fact, cyberattacks with OT targets have substantially…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…