It’s been nearly six months since the WannaCry ransomware stole global headlines and thousands of security practitioners flocked to threat intelligence feeds to help streamline their investigations. While the security community has learned many valuable lessons from the attack, it’s impossible to say that a strike of this magnitude won’t happen again.

Five Must-Haves in a Threat Intelligence Platform

The average cost of a data breach still sits north of $3.6 million, so the return on a successful cyberattack merits the risk in the cybercrime market. Make sure your threat intelligence solution can provide the following capabilities to help you address, track and investigate the next big attack if and when it occurs.

1. Notifications for Relevant Vulnerabilities

Despite the shock, WannaCry was yet another exploit of a known vulnerability. In fact, Microsoft had issued a patch for the flaw two months earlier. An effective threat intelligence solution should allow you to stay up to date on all vulnerability releases specific to your enterprise platforms so you can prevent instead of respond.

Watch the on-demand webinar: The Daily life of a SOC Analyst

2. Repositories for Critical Security Research

Security analysts have their go-to repositories and third-party feeds to obtain the latest threat intelligence. A threat intelligence platform should be able to consolidate this information to supply both machine-generated, tactical intelligence — such as malicious IPs, URLs, vulnerabilities and malware — and human-generated, strategic intelligence — such as actors, campaigns, tactics, and technology and procedures (TTPs). When a breach of WannaCry’s magnitude strikes, context provided by this information is the key to helping security analysts accelerate decision-making.

3. Programmatic Access to Threat Intelligence

A threat intelligence solution should be able to quickly turn insight into action, with access to an application program interface (API) to integrate relevant threat data into security tools. The API should be flexible and support open standards such as STIX/TAXII for easy integration into existing solutions. This helps streamline investigations and threat research in the security operations center (SOC).

4. Collaborative Platform for Teaming

Don’t be outmatched by collaborative cybergangs. Security investigation is a team game, and it requires a platform that enables both public and private sharing to orchestrate workflows and structure response. Whether it’s building a private group, adding proprietary threat research or organizing by subgroups, make sure your threat intelligence platform can support collaboration in the SOC.

5. Analysis of Suspicious Files

In 2016, the IBM X-Force Research team revealed that nearly 65 percent of all spam messages contained ransomware. Before you click the next suspicious attachment, gain assurance with a cloud-based, scalable malware sandbox that provides behavior-based visibility and detailed reporting to help you take action. As malware becomes trickier and more evasive, gaining insight into malicious files traversing the network becomes a priority.

Controlling the Chaos in the SOC

During WannaCry, security analysts and researchers from around the world leveraged intelligence sharing tools to follow and integrate critical threat data. Solutions that offer watchlist functionality, a representational state transfer (REST)-based API that supports open standards, third-party integrations for additional context, public and private groups to enable collaboration, and a malware sandbox to help scan suspicious files deliver the right capabilities to help your SOC get through both the normal days and the inevitable chaos.

Watch our on-demand webinar, “The Daily Life of a SOC Analyst,” to learn how you can put X-Force Exchange to work during the next big outbreak.

More from Intelligence & Analytics

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…

What Can We Learn From Recent Cyber History?

The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider. Over recent years, what lessons can we learn from our recent history — and what projections…

When Logs Are Out, Enhanced Analytics Stay In

I was talking to an analyst firm the other day. They told me that a lot of organizations purchase a security information and event management (SIEM) solution and then “place it on the shelf.” “Why would they do that?” I asked. I spent the majority of my career in hardware — enterprise hardware, cloud hardware, and just recently made the jump to security software, hence my question. “Because SIEMs are hard to use. A SIEM purchase is just a checked…

4 Most Common Cyberattack Patterns from 2022

As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. In this article, we’ll round up some of the most common cyberattack patterns we…