Gain Actionable Threat Intelligence Utilizing DFLabs SOAR and IBM X-Force Exchange

Posted by John Moran - 12th Jul 2018

Threats are constantly evolving, and new threats emerge daily. Minimizing risk and the cost associated with security incidents means making rapid decisions based on up-to-date and accurate information. Actionable threat intelligence can play a critical role in a proactive security program, as well as in conducting efficient and effective incident response. Making incident response decisions based on incomplete or inaccurate intelligence can result in an incomplete or delayed response, residual risk and increased loss due to downtime, response cost, and fines.

Many security programs today experience challenges around gaining actionable and accurate threat intelligence and are looking for solutions to overcome these two key problems:

  • How can I enrich incident indicators with actionable threat intelligence to make more informed decisions during the incident response process?
  • How can I proactively gather threat intelligence data to ensure that my security team stays up to date on the latest threats and ongoing trends?

In this blog, we will briefly discuss how a security program can automate the collection of actionable threat intelligence from IBM experts using IBM X-Force Exchange through its integration with DFLabs.

The DFLabs and IBM X-Force Exchange Solution

IBM X-Force Exchange is a cloud-based threat intelligence platform that allows security teams to consume, share and act on threat intelligence. It enables analysts to rapidly research the latest global security threats, aggregate actionable intelligence, consult with experts and collaborate with peers. IBM X-Force Exchange, supported by human- and machine-generated intelligence, leverages the scale of IBM X-Force to help users stay ahead of emerging threats.

DFLabs IncMan SOAR platform and IBM X-Force Exchange bring actionable threat intelligence sourced from the experts at IBM as well as industry peers, together with the automation and orchestration power of IncMan to deliver industry-leading incident response capabilities. Together, these solutions allow joint customers to make better, more informed automated and manual decisions, reducing the risk posed by security incidents.

Enriching incident indicators with actionable threat intelligence enables enterprises to reduce incident resolution times, maximize security analyst efficiency, and increase the number of incidents handled.

Use Case in Action

An alert based on an internal host communicating with a potentially malicious URL has automatically generated an incident within IncMan. This alert is automatically categorized as a Malicious Communication incident within IncMan based on the organization’s policies, which initiates the organization’s Malicious Communication runbook, shown below:


This runbook begins by utilizing several IBM X-Force Exchange integration actions to enrich the alert information, in this case, the potentially malicious domain. First, a WHOIS lookup of the domain is performed using IBM X-Force Exchange. Next, any threat intelligence regarding this URL is retrieved from IBM X-Force Exchange using the URL Reputation action.

After gathering intelligence on the initially reported URL, the runbook pivots outward and performs a DNS record search through IBM X-Force Exchange. For each DNS record returned, the runbook performs a WHOIS lookup on the IP address, followed by a threat intelligence search on the IP address through IBM X-Force Exchange.

Once all available threat intelligence has been retrieved from IBM X-Force Exchange, the runbook reaches an automated decision point. In this case, the runbook examines the threat intelligence for any threat score meeting a certain threshold. If this threshold is met, IncMan will automatically send a notification to the security team, then automatically update the incident type to that of a confirmed security incident. Following this notification and incident update, the security analyst will be prompted to determine whether or not automated containment actions are appropriate.
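The runbook flow described above, as an added Python example that is not IncMan's or IBM's own code: the X-Force Exchange lookups are replaced by constructed sample data whose keys and field names are assumptions, and the score threshold is an assumed value. The sample is built so that the reported URL's own score stays below the threshold while one of the pivoted DNS IPs exceeds it, which is what the outward pivot is for.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

THREAT_THRESHOLD = 7.0  # assumed value; the post names a threshold but not a number

# Constructed sample data standing in for IBM X-Force Exchange lookups.
# Key and field names are assumptions for this example, not the real API schema.
SAMPLE_INTEL = {
    "whois": {
        "bad.example": {"registrar": "Example Registrar", "created": "2018-06-01"},
        "203.0.113.5": {"org": "Example Hosting"},
        "203.0.113.9": {"org": "Example Hosting"},
    },
    "url_reputation": {"http://bad.example/login": {"score": 4.0, "cats": ["Phishing"]}},
    "dns": {"bad.example": ["203.0.113.5", "203.0.113.9"]},
    "ip_reputation": {"203.0.113.5": {"score": 3.0}, "203.0.113.9": {"score": 8.5}},
}


@dataclass
class Incident:
    url: str
    incident_type: str = "Malicious Communication"
    enrichment: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)
    awaiting_containment_decision: bool = False


def run_malicious_communication_runbook(incident, intel, threshold=THREAT_THRESHOLD):
    """Replays the runbook: enrich the URL, pivot through DNS, then decide."""
    domain = urlparse(incident.url).hostname
    e = incident.enrichment
    # Steps 1-2: WHOIS on the domain, then URL reputation for the reported URL.
    e["whois"] = intel["whois"].get(domain, {})
    e["url_reputation"] = intel["url_reputation"].get(incident.url, {})
    # Step 3: pivot outward to resolved IPs; WHOIS and reputation for each one.
    e["ips"] = {}
    for ip in intel["dns"].get(domain, []):
        e["ips"][ip] = {"whois": intel["whois"].get(ip, {}),
                        "reputation": intel["ip_reputation"].get(ip, {})}
    # Step 4: decision point on the highest score seen across all lookups.
    scores = [e["url_reputation"].get("score", 0.0)]
    scores += [r["reputation"].get("score", 0.0) for r in e["ips"].values()]
    e["max_score"] = max(scores)
    if e["max_score"] >= threshold:
        incident.notifications.append(f"threat score {e['max_score']} >= {threshold}")
        incident.incident_type = "Confirmed Security Incident"
        incident.awaiting_containment_decision = True  # analyst decides containment
    return incident
```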

In Summary

Actionable threat intelligence can play a critical role in a proactive security program, as well as in conducting efficient and effective incident response.

By using DFLabs IncMan R3 Rapid Response Runbooks to automate the collection of actionable threat intelligence from the experts at IBM, as well as from industry peers through IBM X-Force Exchange, security teams can enrich indicators and gather additional intelligence to make faster, more informed decisions when time is of the essence.

If you would like to see a more in-depth demo of this use case in action, or other use cases within IncMan, please get in touch.