Turn Scrap Paper Into Security Investigations With IBM X-Force Threat Intelligence
Authored by Stefan Walter, Front-End Developer, IBM Security.
According to a recent study from Enterprise Strategy Group (ESG), nearly one-third of organizations have trouble operationalizing threat intelligence despite the plethora of sources of threat data. Open standards have helped tremendously in the effort to incorporate threat intelligence into existing security solutions. In fact, over 50 vendors on the IBM X-Force Exchange are listed on the OASIS site as compatible with Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII). Open standards, however, can’t fix the research needed on the front end to actually investigate an incident.
X-Force Exchange Continues to Evolve
One of the major outcomes of the research IBM conducted when preparing to launch the X-Force Exchange was the crystallized image of a pile of scrap paper with frantic scribblings on it. Results from random internet searches, snippets overheard at a lunch with colleagues and notes from other employees do not make a cohesive investigation. It became clear that all the external threat data in the world would not help solve any security problems if it couldn’t get from that scrap paper into a security tool to enact blocking or protective actions.
Collections in the X-Force Exchange represent many things now, from private user investigations to formal X-Force advisories covering new vulnerabilities, malware campaigns and other significant concerns in the threat landscape. The Exchange has evolved to allow users to share reports on tactical observables, such as IP addresses, Domain Name Server (DNS) reports, vulnerabilities and malware file information. Users can also exchange human-generated context and related files with as wide a range of community as they’d like.
Introducing the Quick Collection Feature
Often when you start investigating a potential security issue, you start your journey with one observable, be it an IP or URL you saw in a spam email or in your security information and event management (SIEM) logs, as an entry down the rabbit hole. You might find other clues, such as malware file hashes affiliated with a host IP address or known exploits for a particular vulnerability, and follow those tracks.
With the new Quick Collection feature on the X-Force Exchange, it’s easier to combine research findings into one collection. You can see your recently viewed reports and decide what’s worth adding to the collection and what’s not worth investigating further. You can create the collection from there and start working on a fresh one where all the relevant reports are already attached, then add details to fill in the gaps.
Once created, you can continue working with the collection as usual and invite individual colleagues or peers to add insights. There’s also the ability to join a private group to engage in collaborative defense. You can even share the collection publicly to pass on important findings with a broad audience or gain detailed insights from other researchers.
How to Use the Quick Collection Feature
On every page, there is a new folder/collection icon in the top right next to your profile image and the notification button. Clicking this icon will open a panel where you can view your recently visited reports. By clicking on the check box next to the reports, you can indicate what reports you want to add to the collection. Enter a name for the collection in the input field below and click the button labeled “Create.” After the collection is created, you will see the reports already attached.
To try the new quick collection feature, visit the IBM X-Force Exchange and check out our on-demand webinar, “Transform Threat Intelligence Into Prevention In Minutes,” to learn more about applying threat intelligence to security investigations.