April 16, 2015 By Doron Shiloach

According to Gartner’s Rob McMillan, threat intelligence is defined as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

While this definition is fairly new, the concept of threat intelligence has been around for as long as security professionals have looked for information to help their investigations detect and prevent attacks involving compromised systems and data exfiltration.

From this perspective, one source of threat intelligence is the company’s internal networks. Another is the vast amount of information that exists outside that system, such as information collected by honeypots, spam traps, Web crawlers specialized for identifying malware and monitoring hacking forums.

In the past few years, threat intelligence has started to mature from a marketplace and security user perspective in terms of how to best gather, organize, share and identify sources of threat intelligence. Sharing is one of the most exciting aspects of threat intelligence, as companies recognize that collaboration is important, and standards emerge to make it easier and faster to share information. With that, threat intelligence feeds and platforms have emerged as a new market for these products and services.


Threat Intelligence Sharing: The New Normal

Threat sharing isn’t new; cybercriminals have been doing it for decades without legislation. This revelation refers to the recent announcement of a new Cyber Threat Intelligence Integration Center, and unfortunately, it’s true. While this is a significant step for coordinating and sharing cyberthreats in the government space, attackers are quite comfortable sharing and exchanging information, whether on malware techniques or the latest breaches.

Now that the good guys are similarly looking at sharing as an imperative duty, we are faced with the task of identifying the means by which the industry can best enable effective collaboration. People must have access to the right type of threat intelligence for their organization that fits into their existing frameworks for social networking so they can quickly benefit from the exchange of information in ways that help their organization.

Open

The openness in threat intelligence sharing comes from the availability of the information itself and the means by which users can obtain that information.

With threat intelligence, there is both significant breadth and depth of information that is important to users. As an example of the breadth of information, the most common indicators include IP addresses, domain names, URLs, registry settings, email addresses, HTTP user agents, file hashes and file names. There is depth of information associated with each of these, such as the historical context, as well as the pivoting between them to allow for the real understanding of how they relate to each other. This can lead to insights on tactics and techniques.

Given the variety of information and its dynamic nature, a consumer of threat intelligence should receive the most comprehensive, highest-fidelity and most up-to-date content possible. Aside from the information itself, there is also the platform with which users obtain and share that information, enabling collaboration in a social manner.

Social

Social networking first began to appear in 1994, when GeoCities was created. Social media has evolved significantly since then. While that site and some of the others that followed (theGlobe.com and Friendster) were not necessarily commercially successful, they all helped foster a level of comfort when interacting with other users on the Internet. Tools such as forums, user profiles, bookmarking, curation and wikis are now so second nature to us that we’ve forgotten they were once new and innovative.

The sharing of threat intelligence should also build on these tools while still adapting and extending them in ways that provide new capabilities specific to security use cases. For example, the established concept of controlling with whom we share which pieces of information is an essential aspect of any collaborative platform. Building specific constructs for the curation and organization of information for security use cases can further extend an existing capability.


Actionable

The sharing of threat intelligence should ultimately lead to tactical actions that help organizations further protect their users and infrastructure. To reiterate, because the stakes are much higher with security information, it is important to have a seamlessly flowing process.

For example, providing additional context on an indicator that has been brought to a user’s attention, whether from a security tool or another user, helps the user make a decision on how to further use that information. Extending this to action naturally leads to programmatic access and application programming interface integration, which helps organizations make better and quicker decisions.

Threat intelligence has become an essential aspect of any organization’s security program. The sharing of that threat intelligence to further enhance and gain value from it will increasingly become the norm. Today, X-Force is launching a new cloud-based threat intelligence platform, IBM X-Force Exchange, to help encourage and facilitate the sharing of threat intelligence while addressing the principles of open, social and actionable sharing. Learn more by trying it out online or reading the press release.
