Full disclosure: I would not eat guacamole for years because a certain puppet-centric movie I saw as a child had me convinced that it was actually made of frog brains. Once in college, however, seeing guacamole being made completely changed my opinion — unlike a sausage-making demonstration in a rather unfortunate public speaking class that same year of college.

The creamy avocado combined with the brightness of lime juice and the right balance of fresh tomato and onion amounts to perfection. Like guacamole, a security solution needs a perfectly balanced combination of ingredients to maximize the value of the threat intelligence it processes.

But before going down this analogical path, let’s review the key tenet of useful threat intelligence: It must be actionable. That means the right intelligence at the right time.

Timing Is Everything

Anyone familiar with avocados knows the timing has to be perfect to yield delicious guacamole. The same goes for threat intelligence. If served too soon, both the avocado and threat intelligence are difficult to penetrate and don’t add anything. The right threat intelligence at the wrong time is almost entirely useless. Placing your threat intelligence in a metaphorical brown paper bag with an apple overnight does nothing to help it ripen, either.

At the other end of the spectrum, an overripe avocado served too late is mushy and meaningless. Similarly, threat intelligence that could have been helpful but is received after, or even during, a breach is infuriatingly inadequate. The right time frame for a ripe avocado is two to three days, but that window is even shorter for threat intelligence. Minutes matter when it comes to identifying malicious IP addresses attempting to connect with your network, rogue web applications and malicious files.

Too Much of a Good Thing

We’ve talked before about the signal-to-noise ratio of threat intelligence and how important it is to find and use the right threat intelligence. Likewise, a plethora of avocados that ripen simultaneously is unhelpful, unless you are planning a massive party to help eat all that guacamole.

Security operations center (SOC) analysts and security practitioners need data to make better decisions, but relevant threat intelligence is even more crucial. Otherwise, alerts, notifications and log events just become noise and are ignored. A well-tuned security intelligence solution can help prioritize and bring together different data sources to create meaningful alerts that correlate to known indicators of compromise (IoCs).

Thwarting WannaCry With Threat Intelligence

I could make a really pithy WannaCry and onion association here, but I think I’ve tortured you enough with the avocado and threat intelligence analogy, so let’s skip to the main point.

When WannaCry hit, the research team at IBM X-Force kept a public collection of IoCs and insights updated as new information came to light. It was an excellent source of actionable IP addresses, MD5 checksum hashes and even security product coverage for this ransomware campaign. By taking advantage of collaborative threat intelligence applications and STIX over TAXII protocols, analysts were able to import this public collection into a variety of security information and event management (SIEM) tools to protect their own networks.

The powerful correlation and prioritization capabilities of a threat intelligence app make it easy to identify threats in light of the massive amounts of data being fed into the SIEM, particularly if you aim to improve your ability to make security decisions with context from external threat intelligence.

If you’re an existing QRadar user, I highly recommend checking out the threat intelligence app to take advantage of the corpus of information from X-Force Exchange.  QRadar’s powerful correlation and prioritization capabilities make easy work of identifying threats in light of the massive amounts of data being fed into the SIEM. If you’re not a QRadar user but still want to take advantage of the wide range of threat intelligence available from X-Force Exchange, you can sign up for a free 30-day trial of the X-Force Exchange Commercial API to try it yourself.

Try the QRadar Threat Intelligence App

More from Threat Intelligence

Widespread exploitation of recently disclosed Ivanti vulnerabilities

6 min read - IBM X-Force has assisted several organizations in responding to successful compromises involving the Ivanti appliance vulnerabilities disclosed in January 2024. Analysis of these incidents has identified several Ivanti file modifications that align with current public reporting. Additionally, IBM researchers have observed specific attack techniques involving the theft of authentication token data not readily noted in current public sources. The blog details the results of this research to assist organizations in protecting against these threats. Key Findings: IBM research teams have…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Audio-jacking: Using generative AI to distort live audio transactions

7 min read - The rise of generative AI, including text-to-image, text-to-speech and large language models (LLMs), has significantly changed our work and personal lives. While these advancements offer many benefits, they have also presented new challenges and risks. Specifically, there has been an increase in threat actors who attempt to exploit large language models to create phishing emails and use generative AI, like fake voices, to scam people. We recently published research showcasing how adversaries could hypnotize LLMs to serve nefarious purposes simply…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today