April 23, 2015 By Peter Allor 3 min read


Since threat intelligence is a learning exercise, we understand that the perimeter is no longer a viable defensive strategy. Rather, defense has become a strategy based on situational awareness of our operating environment. An often cited fact is that more than 80 percent of all breaches originate from an external source, so the question now is how to react more quickly to such attacks. As we collectively deploy better defensive mousetraps to catch or blunt attackers, hopefully before we lose our crown jewels, the opposition is rapidly sharing new methods and exploits to use against us.

If the Security Game Is Fast, Why Are We Losing the Footrace in Threat Intelligence?

There has been an explosion of threat intelligence and data at security teams’ fingertips. New data on malware and attack methods is overwhelming security professionals and teams in both volume and velocity, and siloed security products each produce their own streams of data, so more personnel are required to operate defensive measures. The challenge now is how to gather and consume this exploding defensive data into a coordinated response and protection plan across and between organizations. We are slowly bringing our resources together to coordinate against a determined foe. Hence, the game is afoot in our new brand of information warfare.

So what do we do now to keep pace and take control of our security intelligence focus on situational awareness? Ideally, we are feeding threat intelligence from multiple sources into our security products. More importantly, we can automate our ingestion of this data into strategies from similar streams of digestible protections and warnings.

Currently, this is where many of our defenses falter. The outside stream of defensive information is not structured into a useful set of protocols and formats that our protections can readily consume and act upon, leaving many organizations to undertake this manual, labor-intensive process themselves. When you are under fire, the return on this process is painfully slow. We tend to struggle to quickly identify an attack methodology and deploy protections before our data is exfiltrated. We lose the next round when the attackers switch methods to keep our defense off-balance. Further, most organizations simply do not have the resources to keep up with this rate of change manually, and doing so is not their core competency. We need to make this process fast and simple. Enter the world of machine-readable data formats and exchanges.

A Machine-Readable Exchange by Many Names

Should we go with IODEF, MILE, STIX or TAXII? Is this just more alphabet soup? Not really, but the key here is figuring out which of them is informative for defensive information sharing and operations and whether it is slated for universal adoption. We clearly have a need for this, and to that end, there are signs of the marketplace adopting these formats and protocols and of the leading contenders moving into the world of standards adoption. That is a good sign for all of us.
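To make concrete what "machine-readable" buys a defender, here is an added example (not code from the article or from IBM) that ingests a STIX indicator bundle and matches the extracted indicators against log lines. It assumes the STIX 2.1 JSON format, which postdates this article and is used only as one representative of the formats named above; the bundle, the indicator ids and the log lines are all constructed for the example.

```python
"""Ingest a machine-readable indicator bundle and match it against logs.

Added example, not part of the article. Assumes STIX 2.1-style JSON
indicators; the bundle, ids and log lines below are constructed.
"""
import json
import re

# Constructed bundle: three simple indicators, one OR-compound indicator,
# one indicator this ingester cannot evaluate, and one non-indicator object.
SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000001",
         "pattern_type": "stix", "valid_from": "2015-04-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000002",
         "pattern_type": "stix", "valid_from": "2015-04-01T00:00:00Z",
         "pattern": "[domain-name:value = 'update.bad.example']"},
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000003",
         "pattern_type": "stix", "valid_from": "2015-04-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000004",
         "pattern_type": "stix", "valid_from": "2015-04-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.9' OR ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000005",
         "pattern_type": "stix", "valid_from": "2015-04-01T00:00:00Z",
         "pattern": "[url:value MATCHES '^https?://[a-z]+\\.bad\\.example/']"},
        {"type": "malware", "id": "malware--bbbbbbbb-0000-4000-8000-000000000001",
         "name": "constructed-sample", "is_family": False},
    ],
})

# STIX object paths this simple ingester understands, mapped to an IoC class.
_PATHS = {
    "ipv4-addr:value": "ipv4",
    "domain-name:value": "domain",
    "file:hashes.'SHA-256'": "sha256",
}
_COMPARISON = re.compile(
    r"(ipv4-addr:value|domain-name:value|file:hashes\.'SHA-256')\s*=\s*'([^']+)'")
# Operators that need a real pattern evaluator; such indicators are reported,
# not guessed at, so they are never silently dropped from the feed.
_UNSUPPORTED = re.compile(r"\b(AND|NOT|MATCHES|LIKE|FOLLOWEDBY|ISSUBSET|ISSUPERSET)\b")


def extract_iocs(bundle_json):
    """Return ({kind: {value: indicator_id}}, [ids of indicators not ingested])."""
    bundle = json.loads(bundle_json)
    iocs = {kind: {} for kind in _PATHS.values()}
    unsupported = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        pattern = obj["pattern"]
        comparisons = _COMPARISON.findall(pattern)
        if not comparisons or _UNSUPPORTED.search(pattern):
            unsupported.append(obj["id"])
            continue
        # Only flat equality comparisons joined by OR reach this point, so each
        # disjunct can be matched independently without changing the semantics.
        for path, value in comparisons:
            iocs[_PATHS[path]][value.lower()] = obj["id"]
    return iocs, unsupported


_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def match_logs(iocs, log_lines):
    """Return [(line_number, kind, value, indicator_id)] for every hit."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        candidates = (
            [("ipv4", v) for v in _IPV4.findall(line)]
            + [("sha256", v.lower()) for v in _SHA256.findall(line)]
            + [("domain", v.lower()) for v in _DOMAIN.findall(line)]
        )
        for kind, value in candidates:
            indicator_id = iocs[kind].get(value)
            if indicator_id:
                hits.append((n, kind, value, indicator_id))
    return hits


# Constructed log lines from a firewall, a proxy and an endpoint agent.
SAMPLE_LOGS = [
    "2015-04-23T10:01:02Z fw allow src=10.0.0.12 dst=198.51.100.7 dport=443",
    "2015-04-23T10:01:05Z proxy GET http://update.bad.example/a.php user=jdoe",
    "2015-04-23T10:02:11Z edr process=winword.exe sha256=" + "AB" * 32,
    "2015-04-23T10:03:40Z fw allow src=10.0.0.12 dst=203.0.113.10 dport=80",
    "2015-04-23T10:04:00Z proxy GET http://www.example.com/ user=jdoe",
]

if __name__ == "__main__":
    found, skipped = extract_iocs(SAMPLE_BUNDLE_JSON)
    for hit in match_logs(found, SAMPLE_LOGS):
        print("line %d: %s %s matched %s" % hit)
    for ind in skipped:
        print("not ingested (needs a full pattern evaluator):", ind)
```

The point of the example is the shape of the pipeline rather than the regexes: the feed arrives in a defined format, the indicators are extracted without a human reading them, and the one indicator the ingester cannot evaluate is surfaced for review rather than dropped, so the coverage gap is visible.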

There is certainly some heavy lifting to do yet in making the machine-readable formats part of our threat intelligence fully ready for use across all industries and to facilitate a more direct exchange of information among organizations. We all need to pitch in to climb that mountain and gain the high ground against our collective adversaries. This goal is worth the effort as our internal and external constituents demand quicker responses so only a few will experience the pain of the attack and the rest will remain protected. After all, the attackers have been exchanging this type of data for years; it’s time we turned the tables back on them.
