October 7, 2015 By Koen Van Impe 4 min read

The Importance of Threat Intelligence

Collecting threat intelligence data and determining how to process this data is getting more and more attention from security professionals who want to detect and quickly respond to security threats. This holds true not only for advanced persistent threats (APTs), but also for mainstream attacks.

Threat sharing provides you with information on an existing or emerging threat. This information comes with context, indicators, implications and actionable data. Defining whether or not this threat poses a danger to your environment requires you to know your organization and understand your assets, exposure, employees and business area.

Threat Sharing

So where do you get this threat data from? Your view on what is happening, even if you manage multiple environments or networks, is always limited. How do you improve this? The answer is through sharing. Threat sharing increases everyone’s knowledge of adversaries, the assets they are after and how they may try to gain access to your environment.

Fluent and efficient information sharing can only happen if we agree on a standard. STIX, TAXII and CybOX are community-driven efforts and are also a set of free specifications that help with the automated exchange of cyberthreat information. However, these are just the specifications and not the actual tools that provide a platform for sharing and enriching threat data.

Tools for Sharing Threat Data

I took a look at two tools for the sharing of threat intelligence data: MISP and IBM’s X-Force Exchange. Although both tools aim to achieve the same result — sharing data — they use different approaches to achieve that goal.

MISP, the Malware Information Sharing Platform, needs to be installed on a server in your infrastructure. You need a Web server, database and PHP support with a couple of modules. All of the data is stored on your premises and is under your control. The hardening of the server, securing the access and communication and foreseeing backups and redundancy are your responsibility. Obviously, you fully control what happens with the data.

On the other hand, IBM’s X-Force Exchange is a cloud-based platform. You need an IBM ID to get full access to the available threat data (anonymous access is also possible but with restrictive usage) and only a browser to get started; there’s no need for installing extra software. All the data is stored in the cloud, so you do not have to worry about backups or redundancy.

Data Influences Your Choice

The nature and type of data that you want to share will highly influence the type of solution you want to use — or that you are even allowed to use. For example, if you are dealing with sensitive government data, then using a cloud-based solution instead of an on-premises solution might be less preferable and maybe even forbidden by local legislation.

The distribution of threat information can be limited by the originator by using a traffic light protocol (TLP) code. This can sound counterproductive toward the claim of sharing as much information as possible, but for certain ongoing incidents, restricting distribution makes sense. You don’t want to risk that attackers can read how your investigation is progressing.

Starting with your own empty on-premises database (such as with MISP) will limit the amount of immediate accessible and actionable data. On the other hand, by participating in X-Force Exchange, users get immediate access to 700 TB of threat intelligence information on IPs, URLs, Web applications, malware and vulnerabilities.

Sharing Models

MISP

A single instance of MISP will start with an empty database. Different MISP instances can be connected to each other. This allows you to get threat information from other instances and then store that data locally, which ensures that the queries for information remain confidential and limited to your server.

MISP foresees four community sharing models:

  • Share with your organization only;
  • Share with this community only;
  • Share with connected communities; and
  • Share with all communities.

X-Force Exchange

X-Force Exchange uses the concept of collections, which are sets of information related to an investigation. Users can aggregate different observables and/or indicators in a collection and then share that with as many users as they wish. These users can either be viewers only or a combination of viewers and contributors. Collections can also be private or public.

This doesn’t completely correspond with sharing under the different TLP restrictions or with the community sharing model of MISP, but it does allow fine-grained filtering of who can access your data.

STIX

Both solutions have support for STIX. X-Force Exchange supports STIX and TAXII both via an application programming interface (API) and the Web user interface. It has the capability to import and export STIX documents into and out of a collection. MISP supports exporting data in TAXII format.

API Access for Automation

Most users will interact with these two platforms via the Web interface, but this isn’t the optimal way to integrate with your existing infrastructure.

Both solutions provide an API to overcome this problem. The API is necessary to automatically update your security devices (IDS, SIEM, etc.) with the latest available information.

X-Force Exchange

The X-Force Exchange API provides a secure, RESTful, JSON-based API that supports both public and authenticated queries. You can write your own module to access the API or use one of the projects that already exist on Github, such as goxforce, ibmxforceex.checker.py or xForce project.

MISP

MISP also has a RESTful, JSON-based API that can be used for automation and feeding your devices. There is a Python library, PyMISP, developed by CIRCL that allows easy access to the API.

Conclusion

Threat intelligence sharing is not something revolutionary, but it’s definitely something you should consider if you want to stay on top of what threats can endanger the security of your IT environment.

MISP is very strong when it comes to building a central indicators of compromise database containing both technical and nontechnical information. Meanwhile, the Web version of X-Force Exchange provides a much slicker interface for viewing trends and ongoing threat activity, giving you an immediate view on what’s happening.

The different tools available for sharing threat intelligence do not exclude each other. It’s perfectly normal to acquire both on-premises and cloud-based solutions and then choose, depending on the type of threat information you are dealing with, where to store the information.

More from Threat Intelligence

img test

7 min read - test imgWhat is Lorem Ipsum? Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages,…

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today