April 16, 2015 By Doron Shiloach 3 min read

According to Gartner’s Rob McMillan, threat intelligence is defined as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

While this definition is fairly new, the concept of threat intelligence has been around for as long as security professionals have looked for information to help their investigations by detecting and preventing attacks such as compromised systems and data exfiltration.

From this perspective, one source of threat intelligence is the company’s internal networks. Another is the vast amount of information that exists outside that system, such as information collected by honeypots, spam traps, Web crawlers specialized for identifying malware and monitoring hacking forums.

In the past few years, threat intelligence has started to mature from a marketplace and security user perspective in terms of how to best gather, organize, share and identify sources of threat intelligence. Sharing is one of the most exciting aspects of threat intelligence, as companies recognize that collaboration is important, and standards emerge to make it easier and faster to share information. With that, threat intelligence feeds and platforms have emerged as a new market for these products and services.

Experience the brand new IBM X-Force Exchange

Threat Intelligence Sharing: The New Normal

Threat sharing isn’t new; cybercriminals have been doing it for decades without legislation. This revelation refers to the recent announcement of a new Cyber Threat Intelligence Integration Center, and unfortunately, it’s true. While this is a significant step for coordinating and sharing cyberthreats in the government space, attackers are quite comfortable sharing and exchanging information, whether on malware techniques or the latest breaches.

Now that the good guys are similarly looking at sharing as an imperative duty, we are faced with the task of identifying the means by which the industry can best enable effective collaboration. People must have access to the right type of threat intelligence for their organization that fits into their existing frameworks for social networking so they can quickly benefit from the exchange of information in ways that help their organization.


The openness in threat intelligence sharing comes from the availability of the information itself and the means by which users can obtain that information.

With threat intelligence, there is both significant breadth and depth of information that is important to users. As an example of the breadth of information, the most common indicators include IP addresses, domain names, URLs, registry settings, email addresses, HTTP user agents, file hashes and file names. There is depth of information associated with each of these, such as the historical context, as well as the pivoting between them to allow for the real understanding of how they relate to each other. This can lead to insights on tactics and techniques.

Given the variety of information and its dynamic nature, as a consumer of threat intelligence, this information should be the most comprehensive, highest-fidelity and most up-to-date content possible. Aside from the information itself, there is also the platform with which users obtain and share that information, enabling collaboration in a social manner.


Social networking first began to appear in 1994, when GeoCities was created. Social media has evolved significantly since then. While that site and some of the others that followed (theGlobe.com and Friendster) were not necessarily commercially successful, they all helped foster a level of comfort when interacting with other users on the Internet. Tools such as forums, user profiles, bookmarking, curation and wikis are now so second nature to us that we’ve forgotten they were once new and innovative.

The sharing of threat intelligence should also build on these tools while still adapting and extending them in new ways that can provide new capabilities, specific to the security use cases. For example, the established concepts of controlling with whom we share which pieces of information is an essential aspect of any collaborative platform. Building specific constructs for the curation and organization of information for security use cases can further extend an existing capability.



The sharing of threat intelligence should ultimately lead to tactical actions that help organizations further protect their users and infrastructure. To reiterate, because the stakes are much higher with security information, it is important to have a seamlessly flowing process.

For example, providing additional context on an indicator that has been brought to a user’s attention, whether from a security tool or another user, helps the user make a decision on how to further use that information. Extending this to action naturally leads to programmatic access and application programming interface integration, which helps organizations make better and quicker decisions.

Threat intelligence has become an essential aspect of any organization’s security program. The sharing of that threat intelligence to further enhance and gain value from it will increasingly become the norm. Today, X-Force is launching a new cloud-based threat intelligence platform, IBM X-Force Exchange, to help encourage and facilitate the sharing of threat intelligence while addressing the principles of open, social and actionable sharing. Learn more by trying it out online or reading the press release.

More from X-Force

Q&A with Valentina Palmiotti, aka chompie

4 min read - The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now.Valentina Palmiotti, aka chompie, changed that. At the March 2024 competition, Palmiotti scored a full win with her discovery of an Improper Update of Reference Count bug to escalate privileges on Windows 11. It was her first time entering Pwn2Own.Pwn2Own is considered one of the most — if not the most — prestigious…

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today