Full disclosure: I would not eat guacamole for years because a certain puppet-centric movie I saw as a child had me convinced that it was actually made of frog brains. Once in college, however, seeing guacamole being made completely changed my opinion — unlike a sausage-making demonstration in a rather unfortunate public speaking class that same year of college.

The creamy avocado combined with the brightness of lime juice and the right balance of fresh tomato and onion amounts to perfection. Like guacamole, a security solution needs a perfectly balanced combination of ingredients to maximize the value of the threat intelligence it processes.

But before going down this analogical path, let’s review the key tenet of useful threat intelligence: It must be actionable. That means the right intelligence at the right time.

Timing Is Everything

Anyone familiar with avocados knows the timing has to be perfect to yield delicious guacamole. The same goes for threat intelligence. If served too soon, both the avocado and threat intelligence are difficult to penetrate and don’t add anything. The right threat intelligence at the wrong time is almost entirely useless. Placing your threat intelligence in a metaphorical brown paper bag with an apple overnight does nothing to help it ripen, either.

At the other end of the spectrum, an overripe avocado served too late is mushy and meaningless. Similarly, threat intelligence that could have been helpful but is received after, or even during, a breach is infuriatingly inadequate. The right time frame for a ripe avocado is two to three days, but that window is even shorter for threat intelligence. Minutes matter when it comes to identifying malicious IP addresses attempting to connect with your network, rogue web applications and malicious files.

Too Much of a Good Thing

We’ve talked before about the signal-to-noise ratio of threat intelligence and how important it is to find and use the right threat intelligence. Likewise, a plethora of avocados that ripen simultaneously is unhelpful, unless you are planning a massive party to help eat all that guacamole.

Security operations center (SOC) analysts and security practitioners need data to make better decisions, but relevant threat intelligence is even more crucial. Otherwise, alerts, notifications and log events just become noise and are ignored. A well-tuned security intelligence solution can help prioritize and bring together different data sources to create meaningful alerts that correlate to known indicators of compromise (IoCs).

Thwarting WannaCry With Threat Intelligence

I could make a really pithy WannaCry and onion association here, but I think I’ve tortured you enough with the avocado and threat intelligence analogy, so let’s skip to the main point.

When WannaCry hit, the research team at IBM X-Force kept a public collection of IoCs and insights updated as new information came to light. It was an excellent source of actionable IP addresses, MD5 checksum hashes and even security product coverage for this ransomware campaign. By taking advantage of collaborative threat intelligence applications and STIX over TAXII protocols, analysts were able to import this public collection into a variety of security information and event management (SIEM) tools to protect their own networks.

The powerful correlation and prioritization capabilities of a threat intelligence app make it easy to identify threats in light of the massive amounts of data being fed into the SIEM, particularly if you aim to improve your ability to make security decisions with context from external threat intelligence.

If you’re an existing QRadar user, I highly recommend checking out the threat intelligence app to take advantage of the corpus of information from X-Force Exchange.  QRadar’s powerful correlation and prioritization capabilities make easy work of identifying threats in light of the massive amounts of data being fed into the SIEM. If you’re not a QRadar user but still want to take advantage of the wide range of threat intelligence available from X-Force Exchange, you can sign up for a free 30-day trial of the X-Force Exchange Commercial API to try it yourself.

Try the QRadar Threat Intelligence App

More from Threat Intelligence

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today