It’s been nearly six months since the WannaCry ransomware stole global headlines and thousands of security practitioners flocked to threat intelligence feeds to help streamline their investigations. While the security community has learned many valuable lessons from the attack, it’s impossible to say that a strike of this magnitude won’t happen again.

Five Must-Haves in a Threat Intelligence Platform

The average cost of a data breach still sits north of $3.6 million, so for criminals the payoff from a successful attack easily justifies the risk. Make sure your threat intelligence solution provides the following capabilities so you can address, track and investigate the next big attack when it occurs.

1. Notifications for Relevant Vulnerabilities

For all the shock it caused, WannaCry was yet another exploit of a known vulnerability: the SMBv1 flaw that Microsoft had patched in MS17-010 two months earlier, in March 2017. An effective threat intelligence solution should keep you up to date on vulnerability disclosures and patch releases for the platforms actually deployed in your enterprise, so you can prevent instead of respond.


2. Repositories for Critical Security Research

Security analysts have their go-to repositories and third-party feeds for the latest threat intelligence. A threat intelligence platform should consolidate this information to supply both machine-generated, tactical intelligence (malicious IPs, URLs, vulnerabilities and malware) and human-generated, strategic intelligence (actors, campaigns, and tactics, techniques and procedures, or TTPs). When a breach of WannaCry's magnitude strikes, the context this information provides is what helps security analysts accelerate decision-making.

3. Programmatic Access to Threat Intelligence

A threat intelligence solution should be able to quickly turn insight into action, with an application programming interface (API) for pulling relevant threat data into your security tools. The API should be flexible and support open standards such as STIX/TAXII so it integrates easily with existing solutions. This streamlines investigations and threat research in the security operations center (SOC).
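To make the "insight into action" step concrete, here is an added example (not code from the original post and not X-Force Exchange code) of what a SOC tool does with a STIX 2.1 indicator bundle once it has been fetched over a TAXII or REST API: it parses the indicator patterns into a watchlist and matches that watchlist against log lines. The bundle, the log lines, the addresses, the domain and the hash are all constructed placeholders. The matcher deliberately handles only the simple case of equality comparisons joined by OR, and reports any indicator whose pattern it cannot evaluate faithfully rather than loading a partial entry.

```python
"""Consume a STIX 2.1 indicator bundle, build a watchlist, match it against logs.
Constructed example: the bundle, indicators and log lines below are placeholders
(RFC 5737 documentation addresses, .example domain, dummy hash), not real IOCs."""
import json
import re

# Constructed STIX 2.1 bundle. The fourth indicator uses an AND/size pattern that
# this simple watchlist matcher cannot evaluate, so it must be reported as skipped.
BUNDLE_JSON = r'''{
  "type": "bundle", "id": "bundle--0b1c2d3e-1111-4111-8111-000000000001",
  "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--0b1c2d3e-1111-4111-8111-000000000002",
     "created": "2017-05-12T00:00:00.000Z", "modified": "2017-05-12T00:00:00.000Z",
     "name": "Constructed C2 addresses", "indicator_types": ["malicious-activity"],
     "pattern_type": "stix", "valid_from": "2017-05-12T00:00:00Z",
     "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '203.0.113.9']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--0b1c2d3e-1111-4111-8111-000000000003",
     "created": "2017-05-12T00:00:00.000Z", "modified": "2017-05-12T00:00:00.000Z",
     "name": "Constructed C2 domain", "indicator_types": ["malicious-activity"],
     "pattern_type": "stix", "valid_from": "2017-05-12T00:00:00Z",
     "pattern": "[domain-name:value = 'c2.example']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--0b1c2d3e-1111-4111-8111-000000000004",
     "created": "2017-05-12T00:00:00.000Z", "modified": "2017-05-12T00:00:00.000Z",
     "name": "Constructed dropper hash", "indicator_types": ["malicious-activity"],
     "pattern_type": "stix", "valid_from": "2017-05-12T00:00:00Z",
     "pattern": "[file:hashes.'SHA-256' = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--0b1c2d3e-1111-4111-8111-000000000005",
     "created": "2017-05-12T00:00:00.000Z", "modified": "2017-05-12T00:00:00.000Z",
     "name": "Needs full pattern evaluation", "indicator_types": ["malicious-activity"],
     "pattern_type": "stix", "valid_from": "2017-05-12T00:00:00Z",
     "pattern": "[file:name = 'update.exe' AND file:size > 4096]"},
    {"type": "malware", "spec_version": "2.1", "id": "malware--0b1c2d3e-1111-4111-8111-000000000006",
     "created": "2017-05-12T00:00:00.000Z", "modified": "2017-05-12T00:00:00.000Z",
     "name": "Constructed ransomware family", "is_family": true}
  ]}'''

# One STIX comparison expression: <object-type>:<property> = '<value>'
STIX_EQUALITY = re.compile(r"(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<val>[^']*)'")
# Operators a flat watchlist cannot represent; indicators using them are skipped.
UNSUPPORTED = (" AND ", " FOLLOWEDBY ", " NOT ", " LIKE ", " MATCHES ", " > ", " < ", " != ")


def parse_bundle(bundle_json):
    """Return (watchlist, skipped_ids). watchlist maps (object type, property)
    to {lowercased value: indicator name}."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    watchlist, skipped = {}, []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware, threat-actor etc. carry context, not matchable values
        pattern = obj.get("pattern", "")
        if (obj.get("pattern_type", "stix") != "stix"
                or any(tok in pattern for tok in UNSUPPORTED)
                or pattern.count("[") != 1):
            skipped.append(obj["id"])
            continue
        comparisons = STIX_EQUALITY.findall(pattern)
        if not comparisons:
            skipped.append(obj["id"])
            continue
        for obj_type, prop, value in comparisons:
            key = (obj_type, prop.replace("'", ""))  # hashes.'SHA-256' -> hashes.SHA-256
            watchlist.setdefault(key, {})[value.lower()] = obj.get("name", obj["id"])
    return watchlist, skipped


# How to pull each observable type out of free-text log lines.
EXTRACTORS = {
    ("ipv4-addr", "value"): re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    ("domain-name", "value"): re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    ("file", "hashes.SHA-256"): re.compile(r"\b[0-9a-fA-F]{64}\b"),
}


def match_log_lines(lines, watchlist):
    """Return (line number, 'type:property', matched value, indicator name) per hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for key, regex in EXTRACTORS.items():
            values = watchlist.get(key)
            if not values:
                continue
            for token in regex.findall(line):
                name = values.get(token.lower())
                if name:
                    hits.append((lineno, f"{key[0]}:{key[1]}", token, name))
    return hits


# Constructed log lines (firewall, DNS, EDR, proxy); only some touch the watchlist.
LOG_LINES = [
    "2017-05-12T10:01:02Z fw deny src=10.0.0.5 dst=198.51.100.7 dport=445 proto=tcp",
    "2017-05-12T10:01:05Z dns query client=10.0.0.5 qname=c2.example type=A",
    "2017-05-12T10:02:11Z edr file_write host=ws07 path=C:\\Users\\Public\\update.exe "
    "sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "2017-05-12T10:03:00Z fw allow src=10.0.0.9 dst=192.0.2.44 dport=443 proto=tcp",
    "2017-05-12T10:04:30Z proxy CONNECT client=10.0.0.12 dst=203.0.113.9:443",
]

if __name__ == "__main__":
    wl, skipped = parse_bundle(BUNDLE_JSON)
    for hit in match_log_lines(LOG_LINES, wl):
        print("line %d: %s %s matched indicator '%s'" % hit)
    print("skipped (need a full STIX pattern evaluator):", skipped)
```

The point of the skipped list is operational: a feed consumer that silently drops the AND clause of a pattern would either flood the SOC with false positives or, worse, suggest coverage it does not have. Anything the simple matcher cannot evaluate should be surfaced for a proper STIX pattern engine or for a human.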

4. Collaborative Platform for Teaming

Don’t be outmatched by collaborative cybergangs. Security investigation is a team game, and it requires a platform that enables both public and private sharing to orchestrate workflows and structure response. Whether it’s building a private group, adding proprietary threat research or organizing by subgroups, make sure your threat intelligence platform can support collaboration in the SOC.

5. Analysis of Suspicious Files

In 2016, the IBM X-Force Research team found that nearly 65 percent of all spam messages carried ransomware. Before anyone opens the next suspicious attachment, detonate it in a scalable, cloud-based malware sandbox that provides behavior-based visibility and detailed reporting you can act on. As malware grows more evasive, insight into the malicious files traversing your network becomes a priority.

Controlling the Chaos in the SOC

During WannaCry, security analysts and researchers from around the world leveraged intelligence sharing tools to follow and integrate critical threat data. Solutions that offer watchlist functionality, a representational state transfer (REST)-based API that supports open standards, third-party integrations for additional context, public and private groups to enable collaboration, and a malware sandbox to help scan suspicious files deliver the right capabilities to help your SOC get through both the normal days and the inevitable chaos.

Watch our on-demand webinar, “The Daily Life of a SOC Analyst,” to learn how you can put X-Force Exchange to work during the next big outbreak.
