April 7, 2017 By David Strom 2 min read

Threat intelligence sharing services have been around almost since the earliest days of malware, but lately they seem to be gaining traction among IT professionals. In mid 2015, we noted that Facebook had set up its own exchange to share threat information. Since then, nearly 500 organizations have joined the effort, and the social networking company has added enhancements such as a tagging schema and real-time notifications.

The Threat Intelligence Explosion

Facebook is a great example of how threat sharing programs have quickly expanded. IBM continues to enhance its own X-Force Exchange with new notification features and additional information. A “curated list of awesome threat intelligence resources” hosted on GitHub includes several dozen different exchanges, along with numerous standards for sharing specific details about malware and a variety of tools that leverage these exchanges, such as CollabNet, SpiceWorks, OpenPhish, Metadefender and Spamhaus, just to name a few.

This explosion can be attributed to the ineffectiveness of traditional pattern-matching solutions. Cybercriminals leverage tools to produce unique patterns for malware infections, and new strains are becoming adept at hiding in memory, making detection more difficult. This means that defenders have to become better organized.

Community Outreach

IT teams can become more effective with these exchange-based tools, but it will require some effort. First, management must buy into sharing efforts and understand their value. Without top-level support, the whole notion of sharing might become a political issue rather than a technical one.

The main lesson passed from Ken Weston, senior security analyst at Tripwire, to eSecurity Planet was that “before threat exchanges can be useful, you need a solid infrastructure that provides visibility into your network and log activity picked up by intrusion detection systems.” Without this level of visibility, exchanges are worthless since you won’t know whether a threat has already appeared across your network.

Next, you must decide which community you want to participate in. Not all communities support all log formats, and some are designed to work with a particular vendor’s intrusion detection systems. A few communities are also more open than others. Programs from IBM, Imperva, Microsoft and McAfee, for example, all require customers to register, while open source tools are more inclusive. You should pick the community that uses the same tools you already have in place to simplify information transfer.

Finally, you need to understand the standards employed by the particular reporting formats of your chosen community. Make sure your logs can be converted into the appropriate format without a lot of effort, otherwise you will have less incentive to share threat intelligence information.

Visit the IBM X-Force Exchange

More from Risk Management

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Roundup: The top ransomware stories of 2024

2 min read - The year 2024 saw a marked increase in the competence, aggression and unpredictability of ransomware attackers. Nearly all the key numbers are up — more ransomware gangs, bigger targets and higher payouts. Malicious ransomware groups also focus on critical infrastructure and supply chains, raising the stakes for victims and increasing the motivation to cooperate.Here are the biggest ransomware stories of 2024.Ransomware payments reach record highRansomware payments surged to record highs in 2024. In the first half of the year, victims…

83% of organizations reported insider attacks in 2024

4 min read - According to Cybersecurity Insiders' recent 2024 Insider Threat Report, 83% of organizations reported at least one insider attack in the last year. Even more surprising than this statistic is that organizations that experienced 11-20 insider attacks saw an increase of five times the amount of attacks they did in 2023 — moving from just 4% to 21% in the last 12 months.With insider threats on the rise, it’s critical for businesses to recognize the real dangers that originate from inside…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today