April 16, 2015 By Doron Shiloach 3 min read

According to Gartner’s Rob McMillan, threat intelligence is defined as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

While this definition is fairly new, the concept of threat intelligence has been around for as long as security professionals have sought information to support their investigations and to detect and prevent attacks such as system compromises and data exfiltration.

From this perspective, one source of threat intelligence is the company’s own internal networks. Another is the vast amount of information that exists outside those networks, such as data collected by honeypots, spam traps and Web crawlers specialized in identifying malware, and from monitoring of hacking forums.

In the past few years, threat intelligence has started to mature from both a marketplace and a security-user perspective in terms of how to best gather, organize, share and identify sources of threat intelligence. Sharing is one of the most exciting aspects of threat intelligence: companies recognize that collaboration is important, and standards are emerging to make it easier and faster to share information. As a result, a new market for threat intelligence feeds and platforms has emerged.


Threat Intelligence Sharing: The New Normal

Threat sharing isn’t new; cybercriminals have been doing it for decades without legislation. That observation, prompted by the recent announcement of a new Cyber Threat Intelligence Integration Center, is unfortunately true. While the center is a significant step for coordinating and sharing cyberthreat information in the government space, attackers are already quite comfortable sharing and exchanging information, whether on malware techniques or the latest breaches.

Now that defenders likewise see sharing as an imperative, the industry faces the task of identifying how best to enable effective collaboration. People need access to the right type of threat intelligence for their organization, delivered through the frameworks they already use for social networking, so they can quickly benefit from the exchange of information in ways that help their organization.

Open

The openness in threat intelligence sharing comes from the availability of the information itself and the means by which users can obtain that information.

With threat intelligence, there is both significant breadth and depth of information that matters to users. As an example of the breadth of information, the most common indicators include IP addresses, domain names, URLs, registry settings, email addresses, HTTP user agents, file hashes and file names. Each of these also carries depth of information, such as its historical context, as well as the ability to pivot between indicators to understand how they relate to each other. This can lead to insights on tactics and techniques.

Given the variety of this information and its dynamic nature, consumers of threat intelligence need the most comprehensive, highest-fidelity and most up-to-date content possible. Aside from the information itself, there is also the platform through which users obtain and share that information, enabling collaboration in a social manner.

Social

Social networking first began to appear in 1994, when GeoCities was created. Social media has evolved significantly since then. While that site and some of the others that followed (theGlobe.com and Friendster) were not necessarily commercially successful, they all helped foster a level of comfort when interacting with other users on the Internet. Tools such as forums, user profiles, bookmarking, curation and wikis are now so second nature to us that we’ve forgotten they were once new and innovative.

The sharing of threat intelligence should also build on these tools while adapting and extending them in new ways that provide new capabilities specific to security use cases. For example, the established concept of controlling with whom we share which pieces of information is an essential aspect of any collaborative platform. Building specific constructs for the curation and organization of information for security use cases can further extend an existing capability.

https://www.youtube.com/watch?v=xwcoUfU56N4

Actionable

The sharing of threat intelligence should ultimately lead to tactical actions that help organizations further protect their users and infrastructure. Because the stakes are much higher with security information, it is important that this process flows seamlessly.

For example, providing additional context on an indicator that has been brought to a user’s attention, whether by a security tool or by another user, helps the user decide how to act on that information. Extending this to action naturally leads to programmatic access and API integration, which help organizations make better and quicker decisions.
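As an added illustration of the breadth, depth and pivoting described under "Open" and the enrichment-to-action step described here, the following minimal indicator store is example code written for this article; it is not X-Force Exchange code, and all indicators, relationships, dates and tags in it are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Indicator:
    # Breadth: the indicator types the post lists (ip, domain, url, hash, ...)
    kind: str
    value: str
    first_seen: date   # depth: historical context for the indicator
    last_seen: date
    tags: set = field(default_factory=set)

class IndicatorStore:
    def __init__(self):
        self.items = {}
        self.links = defaultdict(set)  # undirected "related-to" edges
    def add(self, ind):
        self.items[ind.value] = ind
    def link(self, a, b):
        self.links[a].add(b)
        self.links[b].add(a)
    def pivot(self, value, hops=2):
        """Pivot: breadth-first walk to indicators within `hops` relationships."""
        seen, frontier = {value}, {value}
        for _ in range(hops):
            frontier = {n for v in frontier for n in self.links[v]} - seen
            seen |= frontier
        return sorted(seen - {value})
    def context(self, value, today):
        """Enrichment as a tool or API client would request it for one indicator."""
        ind = self.items[value]
        related = self.pivot(value)
        tags = set(ind.tags).union(*(self.items[r].tags for r in related))
        stale = (today - ind.last_seen).days > 30   # hypothetical freshness rule
        action = "monitor" if stale or "malware" not in tags else "block"
        return {"kind": ind.kind, "related": related, "tags": sorted(tags),
                "days_since_seen": (today - ind.last_seen).days, "action": action}

# Constructed sample data (not real indicators); TODAY is the post's date
TODAY = date(2015, 4, 16)
store = IndicatorStore()
store.add(Indicator("domain", "bad.example", date(2015, 1, 5), date(2015, 4, 10), {"phishing"}))
store.add(Indicator("ip", "192.0.2.10", date(2015, 2, 1), date(2015, 4, 12)))
store.add(Indicator("hash", "deadbeef" * 4, date(2015, 3, 3), date(2015, 3, 30), {"malware"}))
store.add(Indicator("email", "lure@bad.example", date(2015, 1, 5), date(2015, 1, 9)))
store.link("bad.example", "192.0.2.10")
store.link("192.0.2.10", "deadbeef" * 4)
store.link("bad.example", "lure@bad.example")
```

Calling `store.context("bad.example", TODAY)` returns the related indicators two pivots away, the merged tags and a "block" decision because the domain was seen recently and pivots to a malware hash.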

Threat intelligence has become an essential aspect of any organization’s security program. The sharing of that threat intelligence to further enhance and gain value from it will increasingly become the norm. Today, X-Force is launching a new cloud-based threat intelligence platform, IBM X-Force Exchange, to help encourage and facilitate the sharing of threat intelligence while addressing the principles of open, social and actionable sharing. Learn more by trying it out online or reading the press release.
