Authored by Stefan Walter, Front-End Developer, IBM Security.

According to a recent study from Enterprise Strategy Group (ESG), nearly one-third of organizations have trouble operationalizing threat intelligence despite the plethora of sources of threat data. Open standards have helped tremendously in the effort to incorporate threat intelligence into existing security solutions. In fact, over 50 vendors on the IBM X-Force Exchange are listed on the OASIS site as compatible with Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII). Open standards, however, can’t fix the research needed on the front end to actually investigate an incident.

X-Force Exchange Continues to Evolve

One of the major outcomes of the research IBM conducted when preparing to launch the X-Force Exchange was the crystallized image of a pile of scrap paper with frantic scribblings on it. Results from random internet searches, snippets overheard at a lunch with colleagues and notes from other employees do not make a cohesive investigation. It became clear that all the external threat data in the world would not help solve any security problems if it couldn’t get from that scrap paper into a security tool to enact blocking or protective actions.

Collections in the X-Force Exchange represent many things now, from private user investigations to formal X-Force advisories covering new vulnerabilities, malware campaigns and other significant concerns in the threat landscape. The Exchange has evolved to allow users to share reports on tactical observables, such as IP addresses, Domain Name Server (DNS) reports, vulnerabilities and malware file information. Users can also exchange human-generated context and related files with as wide a range of community as they’d like.

Watch the on-demand webinar: Transform Threat Intelligence Into Prevention In Minutes

Introducing the Quick Collection Feature

Often when you start investigating a potential security issue, you start your journey with one observable, be it an IP or URL you saw in a spam email or in your security information and event management (SIEM) logs, as an entry down the rabbit hole. You might find other clues, such as malware file hashes affiliated with a host IP address or known exploits for a particular vulnerability, and follow those tracks.

With the new Quick Collection feature on the X-Force Exchange, it’s easier to combine research findings into one collection. You can see your recently viewed reports and decide what’s worth adding to the collection and what’s not worth investigating further. You can create the collection from there and start working on a fresh one where all the relevant reports are already attached, then add details to fill in the gaps.

Once created, you can continue working with the collection as usual and invite individual colleagues or peers to add insights. There’s also the ability to join a private group to engage in collaborative defense. You can even share the collection publicly to pass on important findings with a broad audience or gain detailed insights from other researchers.

How to Use the Quick Collection Feature

On every page, there is a new folder/collection icon in the top right next to your profile image and the notification button. Clicking this icon will open a panel where you can view your recently visited reports. By clicking on the check box next to the reports, you can indicate what reports you want to add to the collection. Enter a name for the collection in the input field below and click the button labeled “Create.” After the collection is created, you will see the reports already attached.

To try the new quick collection feature, visit the IBM X-Force Exchange and check out our on-demand webinar, “Transform Threat Intelligence Into Prevention In Minutes,” to learn more about applying threat intelligence to security investigations.

More from Threat Intelligence

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today