Light Dark
April 16, 2015 By Doron Shiloach 3 min read
X-Force

According to Gartner’s Rob McMillan, threat intelligence is defined as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

While this definition is fairly new, the concept of threat intelligence has been around for as long as security professionals have looked for information to help their investigations by detecting and preventing attacks such as compromised systems and data exfiltration.

From this perspective, one source of threat intelligence is the company’s internal networks. Another is the vast amount of information that exists outside that system, such as information collected by honeypots, spam traps, Web crawlers specialized for identifying malware and monitoring hacking forums.

In the past few years, threat intelligence has started to mature from a marketplace and security user perspective in terms of how to best gather, organize, share and identify sources of threat intelligence. Sharing is one of the most exciting aspects of threat intelligence, as companies recognize that collaboration is important, and standards emerge to make it easier and faster to share information. With that, threat intelligence feeds and platforms have emerged as a new market for these products and services.

Experience the brand new IBM X-Force Exchange

Threat Intelligence Sharing: The New Normal

Threat sharing isn’t new; cybercriminals have been doing it for decades without legislation. This revelation refers to the recent announcement of a new Cyber Threat Intelligence Integration Center, and unfortunately, it’s true. While this is a significant step for coordinating and sharing cyberthreats in the government space, attackers are quite comfortable sharing and exchanging information, whether on malware techniques or the latest breaches.

Now that the good guys are similarly looking at sharing as an imperative duty, we are faced with the task of identifying the means by which the industry can best enable effective collaboration. People must have access to the right type of threat intelligence for their organization that fits into their existing frameworks for social networking so they can quickly benefit from the exchange of information in ways that help their organization.

Open

The openness in threat intelligence sharing comes from the availability of the information itself and the means by which users can obtain that information.

With threat intelligence, there is both significant breadth and depth of information that is important to users. As an example of the breadth of information, the most common indicators include IP addresses, domain names, URLs, registry settings, email addresses, HTTP user agents, file hashes and file names. There is depth of information associated with each of these, such as the historical context, as well as the pivoting between them to allow for the real understanding of how they relate to each other. This can lead to insights on tactics and techniques.

Given the variety of information and its dynamic nature, as a consumer of threat intelligence, this information should be the most comprehensive, highest-fidelity and most up-to-date content possible. Aside from the information itself, there is also the platform with which users obtain and share that information, enabling collaboration in a social manner.

Social

Social networking first began to appear in 1994, when GeoCities was created. Social media has evolved significantly since then. While that site and some of the others that followed (theGlobe.com and Friendster) were not necessarily commercially successful, they all helped foster a level of comfort when interacting with other users on the Internet. Tools such as forums, user profiles, bookmarking, curation and wikis are now so second nature to us that we’ve forgotten they were once new and innovative.

The sharing of threat intelligence should also build on these tools while still adapting and extending them in new ways that can provide new capabilities, specific to the security use cases. For example, the established concepts of controlling with whom we share which pieces of information is an essential aspect of any collaborative platform. Building specific constructs for the curation and organization of information for security use cases can further extend an existing capability.

https://www.youtube.com/watch?v=xwcoUfU56N4

Actionable

The sharing of threat intelligence should ultimately lead to tactical actions that help organizations further protect their users and infrastructure. To reiterate, because the stakes are much higher with security information, it is important to have a seamlessly flowing process.

For example, providing additional context on an indicator that has been brought to a user’s attention, whether from a security tool or another user, helps the user make a decision on how to further use that information. Extending this to action naturally leads to programmatic access and application programming interface integration, which helps organizations make better and quicker decisions.

Threat intelligence has become an essential aspect of any organization’s security program. The sharing of that threat intelligence to further enhance and gain value from it will increasingly become the norm. Today, X-Force is launching a new cloud-based threat intelligence platform, IBM X-Force Exchange, to help encourage and facilitate the sharing of threat intelligence while addressing the principles of open, social and actionable sharing. Learn more by trying it out online or reading the press release.

 |  |  |  |  |  |  | 
Doron Shiloach
X-Force Product Manager, IBM

More from X-Force
April 9, 2024

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

March 11, 2024

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

March 6, 2024

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature