It’s been nearly six months since the WannaCry ransomware stole global headlines and thousands of security practitioners flocked to threat intelligence feeds to help streamline their investigations. While the security community has learned many valuable lessons from the attack, it’s impossible to say that a strike of this magnitude won’t happen again.

Five Must-Haves in a Threat Intelligence Platform

The average cost of a data breach still sits north of $3.6 million, so the return on a successful cyberattack merits the risk in the cybercrime market. Make sure your threat intelligence solution can provide the following capabilities to help you address, track and investigate the next big attack if and when it occurs.

1. Notifications for Relevant Vulnerabilities

Despite the shock, WannaCry was yet another exploit of a known vulnerability. In fact, Microsoft had issued a patch for the flaw two months earlier. An effective threat intelligence solution should allow you to stay up to date on all vulnerability releases specific to your enterprise platforms so you can prevent instead of respond.


2. Repositories for Critical Security Research

Security analysts have their go-to repositories and third-party feeds to obtain the latest threat intelligence. A threat intelligence platform should be able to consolidate this information to supply both machine-generated, tactical intelligence — such as malicious IPs, URLs, vulnerabilities and malware — and human-generated, strategic intelligence — such as actors, campaigns, and tactics, techniques and procedures (TTPs). When a breach of WannaCry’s magnitude strikes, the context provided by this information is the key to helping security analysts accelerate decision-making.

3. Programmatic Access to Threat Intelligence

A threat intelligence solution should be able to quickly turn insight into action, with access to an application programming interface (API) to integrate relevant threat data into security tools. The API should be flexible and support open standards such as STIX/TAXII for easy integration into existing solutions. This helps streamline investigations and threat research in the security operations center (SOC).
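As an added illustration of what "turning insight into action" through a STIX/TAXII feed looks like in practice (example code written for this article, not part of the original post or of any vendor's product): the script below takes a STIX 2.1 bundle in the shape a TAXII collection returns, pulls the equality comparisons out of each indicator pattern, and checks them against proxy log lines. The bundle, its object IDs, the addresses and the log lines are all constructed sample data using reserved documentation ranges; the pattern parser is deliberately limited to `type:value = 'literal'` comparisons joined by OR, and it compares whole tokens rather than substrings so that an indicator for `203.0.113.10` does not also fire on `203.0.113.100`.

```python
"""Match STIX 2.1 indicator patterns from a TAXII-style bundle against proxy logs."""
import json
import re
from urllib.parse import urlsplit

# Constructed sample bundle (the shape a TAXII collection serves). The IDs,
# addresses and URL are made-up documentation values, not real indicators.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0b4f0c2a-1c1e-4b0e-9a7b-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--0b4f0c2a-1c1e-4b0e-9a7b-000000000002",
            "created": "2017-10-20T00:00:00.000Z", "modified": "2017-10-20T00:00:00.000Z",
            "name": "Constructed C2 address",
            "pattern": "[ipv4-addr:value = '203.0.113.10']",
            "pattern_type": "stix", "valid_from": "2017-10-20T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--0b4f0c2a-1c1e-4b0e-9a7b-000000000003",
            "created": "2017-10-20T00:00:00.000Z", "modified": "2017-10-20T00:00:00.000Z",
            "name": "Constructed payload URL or staging host",
            "pattern": "[url:value = 'http://example.invalid/payload.bin' "
                       "OR domain-name:value = 'example.invalid']",
            "pattern_type": "stix", "valid_from": "2017-10-20T00:00:00Z",
        },
        {   # A non-indicator object: context only, never matched against logs.
            "type": "malware", "spec_version": "2.1",
            "id": "malware--0b4f0c2a-1c1e-4b0e-9a7b-000000000004",
            "created": "2017-10-20T00:00:00.000Z", "modified": "2017-10-20T00:00:00.000Z",
            "name": "Constructed family name", "is_family": True,
        },
    ],
})

# Constructed proxy log lines: timestamp, client, method, URL or host:port, server IP, status.
SAMPLE_LOGS = [
    "2017-10-21T08:00:01Z 10.0.0.5 GET http://intranet.example.com/index.html 10.0.0.20 200",
    "2017-10-21T08:00:07Z 10.0.0.9 GET http://example.invalid/payload.bin 203.0.113.10 200",
    "2017-10-21T08:00:09Z 10.0.0.9 CONNECT 203.0.113.100:443 203.0.113.100 200",  # near miss
    "2017-10-21T08:01:12Z 10.0.0.7 CONNECT 203.0.113.10:443 203.0.113.10 200",
]

COMPARISON_RE = re.compile(r"([a-z0-9-]+):value\s*=\s*'([^']*)'")
IPV4_RE = re.compile(r"^((?:\d{1,3}\.){3}\d{1,3})(?::\d+)?$")
HOST_RE = re.compile(r"^([a-z0-9.-]+\.[a-z]{2,})(?::\d+)?$", re.I)


def load_indicators(bundle_json):
    """Return each STIX indicator as {id, name, comparisons=[(object_type, literal), ...]}.

    Only equality comparisons on the 'value' property are understood; indicators
    whose pattern yields none are skipped rather than matched loosely.
    """
    indicators = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        comparisons = COMPARISON_RE.findall(obj["pattern"])
        if comparisons:
            indicators.append({"id": obj["id"], "name": obj["name"], "comparisons": comparisons})
    return indicators


def observables(line):
    """Extract whole-token observables from one log line, keyed by STIX object type."""
    found = {"ipv4-addr": set(), "url": set(), "domain-name": set()}
    for token in line.split():
        if token.startswith(("http://", "https://")):
            found["url"].add(token)
            host = urlsplit(token).hostname or ""
            found["ipv4-addr" if IPV4_RE.match(host) else "domain-name"].add(host)
            continue
        ip_match, host_match = IPV4_RE.match(token), HOST_RE.match(token)
        if ip_match:                       # bare address or address:port
            found["ipv4-addr"].add(ip_match.group(1))
        elif host_match:                   # bare hostname or hostname:port
            found["domain-name"].add(host_match.group(1).lower())
    return found


def match_logs(indicators, lines):
    """Return one hit per (line, indicator) whose comparison literal appears as a whole token."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        seen = observables(line)
        for ind in indicators:
            for obj_type, literal in ind["comparisons"]:
                if literal in seen.get(obj_type, ()):
                    hits.append({"line": lineno, "indicator": ind["id"],
                                 "name": ind["name"], "value": literal})
                    break                  # one hit per indicator per line is enough for triage
    return hits


if __name__ == "__main__":
    for hit in match_logs(load_indicators(SAMPLE_BUNDLE), SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['name']} ({hit['value']})")
```

Run against the constructed data, the script reports three hits (line 2 on both indicators, line 4 on the address) and, because tokens are compared exactly, nothing on line 3. In a real deployment the bundle would come from a TAXII collection request and the lines from the SIEM, and a fuller STIX pattern evaluator would be needed for anything beyond equality comparisons.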

4. Collaborative Platform for Teaming

Don’t be outmatched by collaborative cybergangs. Security investigation is a team game, and it requires a platform that enables both public and private sharing to orchestrate workflows and structure response. Whether it’s building a private group, adding proprietary threat research or organizing by subgroups, make sure your threat intelligence platform can support collaboration in the SOC.

5. Analysis of Suspicious Files

In 2016, the IBM X-Force Research team revealed that nearly 65 percent of all spam messages contained ransomware. Before you click the next suspicious attachment, gain assurance with a cloud-based, scalable malware sandbox that provides behavior-based visibility and detailed reporting to help you take action. As malware becomes trickier and more evasive, gaining insight into malicious files traversing the network becomes a priority.

Controlling the Chaos in the SOC

During WannaCry, security analysts and researchers from around the world leveraged intelligence sharing tools to follow and integrate critical threat data. Solutions that offer watchlist functionality, a representational state transfer (REST)-based API that supports open standards, third-party integrations for additional context, public and private groups to enable collaboration, and a malware sandbox to help scan suspicious files deliver the right capabilities to help your SOC get through both the normal days and the inevitable chaos.

Watch our on-demand webinar, “The Daily Life of a SOC Analyst,” to learn how you can put X-Force Exchange to work during the next big outbreak.
