The threat landscape keeps changing while the defensive perimeter keeps shrinking. Security professionals started by securing the perimeter; now we must assume a breach and operate in a zero-trust environment. Providing intelligence that helps users stay ahead of threats becomes a challenge, however, when that information is overwhelmingly voluminous and complex.

Because intelligence providers tend to feed every piece of information to their users, many people think of threat intelligence as noise. With new tactics, techniques and procedures (TTPs) appearing daily, delivering relevant threat intelligence is the only way to stay ahead of threats without overwhelming existing security operations.

Relevant threat intelligence sounds too good to be true, but it is possible with the proper methodology. Three phases are required to produce relevant threat intelligence: create, disseminate and infuse.

Create intelligence beyond IoCs

We need both depth and breadth in cybersecurity to identify new threats. However, without first-party data sources and a real-time analytic pipeline, we either become followers or fail to deliver relevant insights on time.

The creation of threat intelligence must go beyond indicators of compromise (IoCs) and threat reports to address emerging threats. For example, threat intelligence that does not cover new TTPs will keep security professionals awake at night. Likewise, threat intelligence that does not inform response playbooks is like a doctor who examines patients but refuses to prescribe a cure. Only connected threat insights provide that crucial context.

Disseminate connected stages of threat management

Dissemination means providing a unified interface for accessing threat intelligence and enabling the different threat management use cases. Those use cases have heterogeneous performance requirements, and threat intelligence must serve all of them.

For example, security information and event management (SIEM) tools need to enrich thousands of observables per second, while security orchestration, automation and response (SOAR) solutions care more about context than about speed. In addition, enabling data pivoting and sharing security analytics are critical to connecting the stages of threat management so that no team stays in a silo.

Infusing threat intelligence into management

Without infusing threat intelligence into threat management, providers are fortune tellers making projections from statistical data. Unfortunately, infusion is usually the most challenging and confusing part of threat management. For instance, users receive insights that would detect command-and-control communications, but they still have to spend time feeding those insights into their security solutions and tools.

If security analysts must spend their time integrating security solutions such as SIEM and endpoint detection and response (EDR), they cannot focus on applying threat intelligence. Infusion will remain a challenge as long as threat management has data normalization and connectivity issues. Technology like STIX Shifter addresses those normalization and connectivity challenges so that analysts can focus on threat management.


Uncovering threat relevancy

With relevant threat intelligence, we can finally calculate threat relevancy. Figure 1 shows why traditional threat intelligence is not suitable for calculating relevancy.

In the diagram, the security context shows attack patterns exploiting different vulnerabilities; we then start observing new IoCs and indicators of behavior (IoBs) on the affected assets. With traditional threat intelligence (the single gray dot), it is difficult to say that anything is genuinely relevant.

Figure 1: Single Threat Insight

Consequently, threat intelligence without relevancy adds noise to threat management. For instance, if the gray node is the IP address of a public Domain Name System (DNS) resolver and it is flagged as actionable merely because the same gray node appears in the security context, that conclusion will flood any threat management solution with false positives.

However, if the threat intelligence is connected and we preserve that context during dissemination, we can calculate relevancy from the attack patterns and the time sequence of observations, as shown in Figure 2. This is a much better way to present relevant threat intelligence to users with high confidence.

Figure 2: Connected Threat Intelligence

If threat intelligence seems noisy or stale, now you know the root cause: a gap in creation, dissemination or infusion. Unsuitable threat intelligence, dissemination that limits the use cases, or the wrong platform for infusing threat intelligence can each paint an incomplete picture of threats.

But what piece — creation, dissemination or infusion — is the weakest link in your organization? In other words, where does threat data become noise instead of actionable information?

An organization that can answer these questions will be better able to make cybersecurity decisions based on actual insights. Usable threat intelligence not only protects the company; it also helps make the case for future cybersecurity spending and reduces the chance of underestimating the cyberthreats facing the organization.
