Authored by Stefan Walter, Front-End Developer, IBM Security.

According to a recent study from Enterprise Strategy Group (ESG), nearly one-third of organizations have trouble operationalizing threat intelligence despite the plethora of sources of threat data. Open standards have helped tremendously in the effort to incorporate threat intelligence into existing security solutions. In fact, over 50 vendors on the IBM X-Force Exchange are listed on the OASIS site as compatible with Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII). Open standards, however, can’t fix the research needed on the front end to actually investigate an incident.

X-Force Exchange Continues to Evolve

One of the major outcomes of the research IBM conducted when preparing to launch the X-Force Exchange was the crystallized image of a pile of scrap paper with frantic scribblings on it. Results from random internet searches, snippets overheard at a lunch with colleagues and notes from other employees do not make a cohesive investigation. It became clear that all the external threat data in the world would not help solve any security problems if it couldn’t get from that scrap paper into a security tool to enact blocking or protective actions.

Collections in the X-Force Exchange represent many things now, from private user investigations to formal X-Force advisories covering new vulnerabilities, malware campaigns and other significant concerns in the threat landscape. The Exchange has evolved to allow users to share reports on tactical observables, such as IP addresses, Domain Name Server (DNS) reports, vulnerabilities and malware file information. Users can also exchange human-generated context and related files with as wide a range of community as they’d like.

Watch the on-demand webinar: Transform Threat Intelligence Into Prevention In Minutes

Introducing the Quick Collection Feature

Often when you start investigating a potential security issue, you start your journey with one observable, be it an IP or URL you saw in a spam email or in your security information and event management (SIEM) logs, as an entry down the rabbit hole. You might find other clues, such as malware file hashes affiliated with a host IP address or known exploits for a particular vulnerability, and follow those tracks.

With the new Quick Collection feature on the X-Force Exchange, it’s easier to combine research findings into one collection. You can see your recently viewed reports and decide what’s worth adding to the collection and what’s not worth investigating further. You can create the collection from there and start working on a fresh one where all the relevant reports are already attached, then add details to fill in the gaps.

Once created, you can continue working with the collection as usual and invite individual colleagues or peers to add insights. There’s also the ability to join a private group to engage in collaborative defense. You can even share the collection publicly to pass on important findings with a broad audience or gain detailed insights from other researchers.

How to Use the Quick Collection Feature

On every page, there is a new folder/collection icon in the top right next to your profile image and the notification button. Clicking this icon will open a panel where you can view your recently visited reports. By clicking on the check box next to the reports, you can indicate what reports you want to add to the collection. Enter a name for the collection in the input field below and click the button labeled “Create.” After the collection is created, you will see the reports already attached.

To try the new quick collection feature, visit the IBM X-Force Exchange and check out our on-demand webinar, “Transform Threat Intelligence Into Prevention In Minutes,” to learn more about applying threat intelligence to security investigations.

More from Threat Intelligence

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today