Gain Actionable Threat Intelligence Utilizing DFLabs SOAR and IBM X-Force Exchange



Threats are constantly evolving, and new threats emerge daily. Minimizing risk and the cost associated with security incidents means making rapid decisions based on up-to-date, accurate information. Actionable threat intelligence can play a critical role in a proactive security program, as well as in conducting efficient and effective incident response. Making incident response decisions based on incomplete or inaccurate intelligence can result in an incomplete or delayed response, residual risk and increased loss due to downtime, response cost, and fines.

Many security programs today experience challenges around gaining actionable and accurate threat intelligence and are looking for solutions to overcome these two key problems:

  • How can I enrich incident indicators with actionable threat intelligence to make more informed decisions during the incident response process?
  • How can I proactively gather threat intelligence data to ensure that my security team stays up to date on the latest threats and ongoing trends?

In this blog, we will briefly discuss how a security program can automate the collection of actionable threat intelligence from IBM experts using IBM X-Force Exchange through its integration with DFLabs.

The DFLabs and IBM X-Force Exchange Solution

IBM X-Force Exchange is a cloud-based threat intelligence platform that allows security teams to consume, share and act on threat intelligence. It enables analysts to rapidly research the latest global security threats, aggregate actionable intelligence, consult with experts and collaborate with peers. IBM X-Force Exchange, supported by human- and machine-generated intelligence, leverages the scale of IBM X-Force to help users stay ahead of emerging threats.

The DFLabs IncMan SOAR platform and IBM X-Force Exchange bring actionable threat intelligence sourced from the experts at IBM as well as industry peers together with the automation and orchestration power of IncMan to deliver industry-leading incident response capabilities. Together, these solutions allow joint customers to make better, more informed automated and manual decisions, reducing the risk posed by security incidents.

Enriching incident indicators with actionable threat intelligence enables enterprises to reduce incident resolution times, maximize security analyst efficiency, and increase the number of incidents handled.

Use Case in Action

An alert based on an internal host communicating with a potentially malicious URL has automatically generated an Incident within IncMan. This alert is automatically categorized as a Malicious Communication incident within IncMan based on the organization's policies, which initiates the organization's Malicious Communication runbook, shown below:

[Figure: the Malicious Communication runbook]

This runbook begins by utilizing several IBM X-Force Exchange integration actions to enrich the alert information, in this case, the potentially malicious domain. First, a WHOIS lookup of the domain is performed using IBM X-Force Exchange. Next, any threat intelligence regarding this URL is retrieved from IBM X-Force Exchange using the URL Reputation action.

After gathering intelligence on the initially reported URL, the runbook pivots outward and performs a DNS record search through IBM X-Force Exchange. For each DNS record returned, the runbook performs a WHOIS lookup on the IP address, followed by a threat intelligence search on the IP address through IBM X-Force Exchange.

Once all available threat intelligence has been retrieved from IBM X-Force Exchange, the runbook reaches an automated decision point. In this case, the runbook examines the threat intelligence for any threat score meeting a certain threshold. If this threshold is met, IncMan will automatically send a notification to the security team, then automatically update the incident type to that of a confirmed security incident. Following this notification and incident update, the security analyst will be prompted to determine whether or not automated containment actions are appropriate.
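As an added illustration (not DFLabs or IBM code), the following Python sketch mirrors the runbook flow described above over a constructed, in-memory stand-in for the X-Force Exchange actions; the indicator values, the 1-10 score scale, the threshold of 7 and the "Confirmed Security Incident" label are all assumptions. It shows why the DNS pivot matters: the URL itself scores low, but one resolved IP crosses the threshold.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the IBM X-Force Exchange integration actions the
# runbook calls (WHOIS, URL reputation, DNS records, IP reputation). All values
# are invented for this example and are not real threat data.
CONSTRUCTED_INTEL = {
    "whois": {"bad-example.test": "registrar: Example Registrar (constructed)",
              "203.0.113.10": "netname: EXAMPLE-NET (constructed)",
              "198.51.100.7": "netname: EXAMPLE-NET-2 (constructed)"},
    "url_score": {"http://bad-example.test/login": 3},   # assumed 1-10 scale
    "dns": {"bad-example.test": ["203.0.113.10", "198.51.100.7"]},
    "ip_score": {"203.0.113.10": 2, "198.51.100.7": 8},
}

@dataclass
class RunbookResult:
    actions: list = field(default_factory=list)  # audit trail of each enrichment step
    max_score: int = 0
    incident_type: str = "Malicious Communication"
    notified: bool = False
    prompt_analyst: bool = False

def run_malicious_communication_runbook(url, intel=CONSTRUCTED_INTEL, threshold=7):
    """Enrich the URL, pivot to its DNS records, enrich each IP, then take the
    automated decision against a score threshold (threshold value is assumed)."""
    r = RunbookResult()
    domain = url.split("//", 1)[-1].split("/", 1)[0]
    # Steps 1 and 2: WHOIS lookup of the domain, then URL reputation.
    r.actions.append(("whois", domain, intel["whois"].get(domain, "no record")))
    url_score = intel["url_score"].get(url, 0)
    r.actions.append(("url_reputation", url, url_score))
    scores = [url_score]
    # Step 3: pivot outward through DNS, then WHOIS and reputation per IP.
    for ip in intel["dns"].get(domain, []):
        r.actions.append(("dns_record", domain, ip))
        r.actions.append(("whois", ip, intel["whois"].get(ip, "no record")))
        ip_score = intel["ip_score"].get(ip, 0)
        r.actions.append(("ip_reputation", ip, ip_score))
        scores.append(ip_score)
    # Step 4: automated decision point. Any indicator at or above the threshold
    # triggers the notification, the reclassification and the containment prompt.
    r.max_score = max(scores)
    if r.max_score >= threshold:
        r.notified = True
        r.incident_type = "Confirmed Security Incident"
        r.prompt_analyst = True
    return r
```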

In Summary

Actionable threat intelligence can play a critical role in a proactive security program, as well as in conducting efficient and effective incident response.

By using DFLabs IncMan R3 Rapid Response Runbooks to automate the collection of actionable threat intelligence from the experts at IBM, as well as industry peers, through IBM X-Force Exchange, security teams can enrich indicators and gather additional intelligence to make faster, more informed decisions when time is of the essence.

If you would like to see a more in-depth demo of this use case in action, or other use cases within IncMan, please get in touch.
