Full disclosure: I would not eat guacamole for years because a certain puppet-centric movie I saw as a child had me convinced that it was actually made of frog brains. Once in college, however, seeing guacamole being made completely changed my opinion — unlike a sausage-making demonstration in a rather unfortunate public speaking class that same year of college.

The creamy avocado combined with the brightness of lime juice and the right balance of fresh tomato and onion amounts to perfection. Like guacamole, a security solution needs a perfectly balanced combination of ingredients to maximize the value of the threat intelligence it processes.

But before going down this analogical path, let’s review the key tenet of useful threat intelligence: It must be actionable. That means the right intelligence at the right time.

Timing Is Everything

Anyone familiar with avocados knows the timing has to be perfect to yield delicious guacamole. The same goes for threat intelligence. If served too soon, both the avocado and threat intelligence are difficult to penetrate and don’t add anything. The right threat intelligence at the wrong time is almost entirely useless. Placing your threat intelligence in a metaphorical brown paper bag with an apple overnight does nothing to help it ripen, either.

At the other end of the spectrum, an overripe avocado served too late is mushy and meaningless. Similarly, threat intelligence that could have been helpful but is received after, or even during, a breach is infuriatingly inadequate. The right time frame for a ripe avocado is two to three days, but that window is even shorter for threat intelligence. Minutes matter when it comes to identifying malicious IP addresses attempting to connect with your network, rogue web applications and malicious files.

Too Much of a Good Thing

We’ve talked before about the signal-to-noise ratio of threat intelligence and how important it is to find and use the right threat intelligence. Likewise, a plethora of avocados that ripen simultaneously is unhelpful, unless you are planning a massive party to help eat all that guacamole.

Security operations center (SOC) analysts and security practitioners need data to make better decisions, but relevant threat intelligence is even more crucial. Otherwise, alerts, notifications and log events just become noise and are ignored. A well-tuned security intelligence solution can help prioritize and bring together different data sources to create meaningful alerts that correlate to known indicators of compromise (IoCs).

Thwarting WannaCry With Threat Intelligence

I could make a really pithy WannaCry and onion association here, but I think I’ve tortured you enough with the avocado and threat intelligence analogy, so let’s skip to the main point.

When WannaCry hit, the research team at IBM X-Force kept a public collection of IoCs and insights updated as new information came to light. It was an excellent source of actionable IP addresses, MD5 checksum hashes and even security product coverage for this ransomware campaign. By taking advantage of collaborative threat intelligence applications and STIX over TAXII protocols, analysts were able to import this public collection into a variety of security information and event management (SIEM) tools to protect their own networks.

The powerful correlation and prioritization capabilities of a threat intelligence app make it easy to identify threats in light of the massive amounts of data being fed into the SIEM, particularly if you aim to improve your ability to make security decisions with context from external threat intelligence.

If you’re an existing QRadar user, I highly recommend checking out the threat intelligence app to take advantage of the corpus of information from X-Force Exchange.  QRadar’s powerful correlation and prioritization capabilities make easy work of identifying threats in light of the massive amounts of data being fed into the SIEM. If you’re not a QRadar user but still want to take advantage of the wide range of threat intelligence available from X-Force Exchange, you can sign up for a free 30-day trial of the X-Force Exchange Commercial API to try it yourself.

Try the QRadar Threat Intelligence App

More from Threat Intelligence

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today