Full disclosure: I would not eat guacamole for years because a certain puppet-centric movie I saw as a child had me convinced that it was actually made of frog brains. Once in college, however, seeing guacamole being made completely changed my opinion — unlike a sausage-making demonstration in a rather unfortunate public speaking class that same year of college.
The creamy avocado combined with the brightness of lime juice and the right balance of fresh tomato and onion amounts to perfection. Like guacamole, a security solution needs a perfectly balanced combination of ingredients to maximize the value of the threat intelligence it processes.
But before going down this analogical path, let’s review the key tenet of useful threat intelligence: It must be actionable. That means the right intelligence at the right time.
Timing Is Everything
Anyone familiar with avocados knows the timing has to be perfect to yield delicious guacamole. The same goes for threat intelligence. If served too soon, both the avocado and threat intelligence are difficult to penetrate and don’t add anything. The right threat intelligence at the wrong time is almost entirely useless. Placing your threat intelligence in a metaphorical brown paper bag with an apple overnight does nothing to help it ripen, either.
At the other end of the spectrum, an overripe avocado served too late is mushy and meaningless. Similarly, threat intelligence that could have been helpful but is received after, or even during, a breach is infuriatingly inadequate. The right time frame for a ripe avocado is two to three days, but that window is even shorter for threat intelligence. Minutes matter when it comes to identifying malicious IP addresses attempting to connect with your network, rogue web applications and malicious files.
Too Much of a Good Thing
We’ve talked before about the signal-to-noise ratio of threat intelligence and how important it is to find and use the right threat intelligence. Likewise, a plethora of avocados that ripen simultaneously is unhelpful, unless you are planning a massive party to help eat all that guacamole.
Security operations center (SOC) analysts and security practitioners need data to make better decisions, but relevant threat intelligence is even more crucial. Otherwise, alerts, notifications and log events just become noise and are ignored. A well-tuned security intelligence solution can help prioritize and bring together different data sources to create meaningful alerts that correlate to known indicators of compromise (IoCs).
Thwarting WannaCry With Threat Intelligence
I could make a really pithy WannaCry and onion association here, but I think I’ve tortured you enough with the avocado and threat intelligence analogy, so let’s skip to the main point.
When WannaCry hit, the research team at IBM X-Force kept a public collection of IoCs and insights updated as new information came to light. It was an excellent source of actionable IP addresses, MD5 checksum hashes and even security product coverage for this ransomware campaign. By taking advantage of collaborative threat intelligence applications and STIX over TAXII protocols, analysts were able to import this public collection into a variety of security information and event management (SIEM) tools to protect their own networks.
The powerful correlation and prioritization capabilities of a threat intelligence app make it easy to identify threats in light of the massive amounts of data being fed into the SIEM, particularly if you aim to improve your ability to make security decisions with context from external threat intelligence.
If you’re an existing QRadar user, I highly recommend checking out the threat intelligence app to take advantage of the corpus of information from X-Force Exchange. QRadar’s powerful correlation and prioritization capabilities make easy work of identifying threats in light of the massive amounts of data being fed into the SIEM. If you’re not a QRadar user but still want to take advantage of the wide range of threat intelligence available from X-Force Exchange, you can sign up for a free 30-day trial of the X-Force Exchange Commercial API to try it yourself.