It’s been nearly six months since the WannaCry ransomware stole global headlines and thousands of security practitioners flocked to threat intelligence feeds to help streamline their investigations. While the security community has learned many valuable lessons from the attack, it’s impossible to say that a strike of this magnitude won’t happen again.

Five Must-Haves in a Threat Intelligence Platform

The average cost of a data breach still sits north of $3.6 million, so the return on a successful cyberattack merits the risk in the cybercrime market. Make sure your threat intelligence solution can provide the following capabilities to help you address, track and investigate the next big attack if and when it occurs.

1. Notifications for Relevant Vulnerabilities

Despite the shock, WannaCry was yet another exploit of a known vulnerability. In fact, Microsoft had issued a patch for the flaw two months earlier. An effective threat intelligence solution should allow you to stay up to date on all vulnerability releases specific to your enterprise platforms so you can prevent instead of respond.

Watch the on-demand webinar: The Daily life of a SOC Analyst

2. Repositories for Critical Security Research

Security analysts have their go-to repositories and third-party feeds to obtain the latest threat intelligence. A threat intelligence platform should be able to consolidate this information to supply both machine-generated, tactical intelligence — such as malicious IPs, URLs, vulnerabilities and malware — and human-generated, strategic intelligence — such as actors, campaigns, tactics, and technology and procedures (TTPs). When a breach of WannaCry’s magnitude strikes, context provided by this information is the key to helping security analysts accelerate decision-making.

3. Programmatic Access to Threat Intelligence

A threat intelligence solution should be able to quickly turn insight into action, with access to an application program interface (API) to integrate relevant threat data into security tools. The API should be flexible and support open standards such as STIX/TAXII for easy integration into existing solutions. This helps streamline investigations and threat research in the security operations center (SOC).

4. Collaborative Platform for Teaming

Don’t be outmatched by collaborative cybergangs. Security investigation is a team game, and it requires a platform that enables both public and private sharing to orchestrate workflows and structure response. Whether it’s building a private group, adding proprietary threat research or organizing by subgroups, make sure your threat intelligence platform can support collaboration in the SOC.

5. Analysis of Suspicious Files

In 2016, the IBM X-Force Research team revealed that nearly 65 percent of all spam messages contained ransomware. Before you click the next suspicious attachment, gain assurance with a cloud-based, scalable malware sandbox that provides behavior-based visibility and detailed reporting to help you take action. As malware becomes trickier and more evasive, gaining insight into malicious files traversing the network becomes a priority.

Controlling the Chaos in the SOC

During WannaCry, security analysts and researchers from around the world leveraged intelligence sharing tools to follow and integrate critical threat data. Solutions that offer watchlist functionality, a representational state transfer (REST)-based API that supports open standards, third-party integrations for additional context, public and private groups to enable collaboration, and a malware sandbox to help scan suspicious files deliver the right capabilities to help your SOC get through both the normal days and the inevitable chaos.

Watch our on-demand webinar, “The Daily Life of a SOC Analyst,” to learn how you can put X-Force Exchange to work during the next big outbreak.

More from Threat Intelligence

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today