In the evolution of cybersecurity, the threat landscape is ever-changing while the line of defense is ever-shrinking. Security professionals started with securing the perimeters, but now we need to assume a breach in a zero-trust environment. However, providing intelligence to help users stay ahead of threats becomes a challenge when that information is overwhelmingly voluminous and complex.

Because intelligence providers tend to feed every piece of information to their users, many people think of threat intelligence as noise. With all the sophisticated tactics, techniques and procedures (TTPs) appearing daily, providing relevant threat intelligence is the only option to stay ahead of threats without overwhelming existing security operations.

Relevant threat intelligence sounds too good to be true, but it is possible with the proper methodology. Three phases are required to produce relevant threat intelligence: create, disseminate and infuse.

Create intelligence beyond IOCs

We need depth and breadth in cybersecurity to identify new threats. However, without organic data sources and a real-time analytic pipeline, we either become followers or fail to deliver relevant insights on time.

The creation of threat intelligence must go beyond indicators of compromise (IoCs) and threat reports to address emerging threats. For example, threat intelligence that doesn’t detect new TTPs will keep security professionals awake at night. Also, threat intelligence that doesn’t inform response playbooks is like a doctor examining patients while refusing to provide a cure. Only connected threat insights make that crucial context possible.

Disseminate connected stages of threat management

Dissemination is about creating a unified interface for accessing threat intelligence and enabling different threat management use cases. Threat intelligence must deal with heterogeneous performance requirements in threat management.

For example, security information and event management (SIEM) tools need to enrich thousands of observables per second, while security orchestration, automation and response solutions focus more on the context than the speed. In addition, enabling data pivoting and sharing security analytics are critical to connecting the stages in threat management to ensure no team stays in silos.

Infusing threat intelligence into management

Without infusing threat intelligence into threat management, providers are fortune tellers making projections based on statistical data. Unfortunately, infusing threat intelligence is usually the most challenging and confusing part of threat management. For instance, users get insights to detect command and control communications. However, they still need to spend time feeding the insights into their security solutions and tools.

If the security analysts must spend time integrating security solutions like SIEM and endpoint detection and response, they can’t focus on applying threat intelligence. Infusing intelligence will be a challenge as long as we still have data and connectivity issues in threat management. Technology like STIX Shifter solves those normalization and connectivity challenges so that analysts can focus on threat management.

Download the X-Force Threat Intelligence Index

Uncovering threat relevancy

With relevant threat intelligence, we can finally calculate threat relevancy. Figure 1 shows why traditional threat intelligence is not suitable for calculating relevancy.

In the diagram, the security context shows there are attack patterns utilizing different vulnerabilities; we can then start observing new IoCs and indicators of behavior (IoBs) on the affected assets. With traditional threat intelligence (the single gray dot), it is difficult to say anything is genuinely relevant.

Figure 1: Single Threat Insight

Consequently, threat intelligence without relevancy adds noise to threat management. For instance, if the gray node is a public Domain Name System (DNS) IP address and it is flagged as actionable because we see the same gray node in the security context, this conclusion will be chaotic in any threat management solution.

However, if the threat intelligence is connected and we preserve the context during dissemination, we can calculate the relevancy based on the patterns and time sequences, as shown in Figure 2. This is a much better way to present relevant threat intelligence with high confidence to users.

Figure 2: Connected Threat Intelligence

If threat intelligence seems too noisy or feels like stale data, now you know the root cause: a lack of creation, dissemination and infusion. Unsuitable threat intelligence, dissemination-limiting use cases, or the wrong platform for infusing threat intelligence properly can paint an incomplete picture of threats.

But what piece — creation, dissemination or infusion — is the weakest link in your organization? In other words, where does threat data become noise instead of actionable information?

If an organization is able to answer these questions, it will be better able to make cybersecurity decisions based on actual insights. Not only does usable threat intelligence protect the company, it helps make the case for future cybersecurity spending. There will be fewer instances of underestimating cyberthreats threatening an organization.

More from Threat Intelligence

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

Stealthy WailingCrab Malware misuses MQTT Messaging Protocol

14 min read - This article was made possible thanks to the hard work of writer Charlotte Hammond and contributions from Ole Villadsen and Kat Metrick. IBM X-Force researchers have been tracking developments to the WailingCrab malware family, in particular, those relating to its C2 communication mechanisms, which include misusing the Internet-of-Things (IoT) messaging protocol MQTT. WailingCrab, also known as WikiLoader, is a sophisticated, multi-component malware delivered almost exclusively by an initial access broker that X-Force tracks as Hive0133, which overlaps with TA544. WailingCrab…

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today