Threat Intelligence: A Tear-Free Solution to Help SOC Analysts Prepare for the Next WannaCry
It’s been nearly six months since the WannaCry ransomware stole global headlines and thousands of security practitioners flocked to threat intelligence feeds to help streamline their investigations. While the security community has learned many valuable lessons from the attack, it’s impossible to say that a strike of this magnitude won’t happen again.
Five Must-Haves in a Threat Intelligence Platform
The average cost of a data breach still sits north of $3.6 million, so the return on a successful cyberattack merits the risk in the cybercrime market. Make sure your threat intelligence solution can provide the following capabilities to help you address, track and investigate the next big attack if and when it occurs.
1. Notifications for Relevant Vulnerabilities
Despite the shock, WannaCry was yet another exploit of a known vulnerability. In fact, Microsoft had issued a patch for the flaw two months earlier. An effective threat intelligence solution should allow you to stay up to date on all vulnerability releases specific to your enterprise platforms so you can prevent instead of respond.
2. Repositories for Critical Security Research
Security analysts have their go-to repositories and third-party feeds to obtain the latest threat intelligence. A threat intelligence platform should be able to consolidate this information to supply both machine-generated, tactical intelligence (such as malicious IPs, URLs, vulnerabilities and malware) and human-generated, strategic intelligence (such as actors, campaigns, and tactics, techniques and procedures (TTPs)). When a breach of WannaCry’s magnitude strikes, the context provided by this information is the key to helping security analysts accelerate decision-making.
3. Programmatic Access to Threat Intelligence
A threat intelligence solution should be able to quickly turn insight into action, with access to an application programming interface (API) to integrate relevant threat data into security tools. The API should be flexible and support open standards such as STIX/TAXII for easy integration into existing solutions. This helps streamline investigations and threat research in the security operations center (SOC).
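As an added illustration of points 2 and 3 (tactical indicators consumed over an open standard), the following example, which is not code from the original article or from X-Force Exchange, takes a constructed STIX 2.1 bundle of the kind a TAXII collection returns, pulls the observable values out of its simple indicator patterns, and checks constructed proxy log lines against them. It only handles single-comparison patterns; compound or temporal patterns are skipped and would need a full STIX pattern engine.

```python
import re

# Constructed STIX 2.1 bundle standing in for a TAXII collection response.
# All ids and values are placeholders, not real X-Force Exchange data.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "C2 address (constructed)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Payload URL (constructed)", "pattern_type": "stix",
         "pattern": "[url:value = 'http://malware.example/kit.exe']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "Compound pattern (constructed, skipped)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.9'] AND [network-traffic:dst_port = 445]"},
    ],
}

# Matches only the simplest STIX pattern shape: [object-type:property = 'value']
_SIMPLE = re.compile(r"^\[([\w-]+):([\w.-]+)\s*=\s*'([^']*)'\]$")


def extract_observables(bundle):
    """Map observable value -> indicator name for single-comparison STIX patterns."""
    watchlist = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = _SIMPLE.match(obj["pattern"])
        if not m:  # compound/temporal patterns need a real pattern engine
            continue
        watchlist[m.group(3)] = obj.get("name", obj["id"])
    return watchlist


def match_logs(watchlist, lines):
    """Return (line_no, value, indicator_name) for every watchlist hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for value, name in watchlist.items():
            if value in line:
                hits.append((n, value, name))
    return hits


# Constructed proxy log lines; only lines 1 and 2 touch watchlisted values.
SAMPLE_LOGS = [
    "2017-05-12T10:01:07Z proxy allow src=10.0.0.5 dst=198.51.100.23 port=445",
    "2017-05-12T10:01:09Z proxy allow src=10.0.0.8 url=http://malware.example/kit.exe",
    "2017-05-12T10:02:00Z proxy allow src=10.0.0.9 url=http://intranet.example/index.html",
]
```

Substring matching is deliberately simple; in a production SOC you would normalise the log fields first so that, for example, an IP indicator is compared only against address fields.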
4. Collaborative Platform for Teaming
Don’t be outmatched by collaborative cybergangs. Security investigation is a team game, and it requires a platform that enables both public and private sharing to orchestrate workflows and structure response. Whether it’s building a private group, adding proprietary threat research or organizing by subgroups, make sure your threat intelligence platform can support collaboration in the SOC.
5. Analysis of Suspicious Files
In 2016, the IBM X-Force Research team revealed that nearly 65 percent of all spam messages contained ransomware. Before you click the next suspicious attachment, gain assurance with a cloud-based, scalable malware sandbox that provides behavior-based visibility and detailed reporting to help you take action. As malware becomes trickier and more evasive, gaining insight into malicious files traversing the network becomes a priority.
Controlling the Chaos in the SOC
During WannaCry, security analysts and researchers from around the world leveraged intelligence sharing tools to follow and integrate critical threat data. Solutions that offer watchlist functionality, a representational state transfer (REST)-based API that supports open standards, third-party integrations for additional context, public and private groups to enable collaboration, and a malware sandbox to help scan suspicious files deliver the right capabilities to help your SOC get through both the normal days and the inevitable chaos.
Watch our on-demand webinar, “The Daily Life of a SOC Analyst,” to learn how you can put X-Force Exchange to work during the next big outbreak.