FAQ

Threat intelligence is a compilation of threat information that is gathered across external sources and used to prevent and mitigate cyberattacks. Threat data is organized, refined and augmented to make it actionable and to allow your cybersecurity team to understand threats and the actors behind them.
The X-Force® Threat Intelligence team delivers global threat intel applied to your security operations with detection and response content. We help streamline workflow, orchestration and applications that drive enrichment, collaboration, visualization and advanced analytics, providing:

• Direct access to the latest threat intel from our engagements
• High quality, prioritized, actionable intelligence for detection and response

Threat intelligence empowers cybersecurity teams to proactively defend against and rapidly respond to threats attacking their organization by helping them identify and understand their adversary, create a response plan and allocate resources strategically. Cybersecurity teams can use threat intelligence to block attacks in real time and mitigate the risk of attackers affecting their brand and reputation.

Threat intelligence is purposely built by industry experts from a wide range of backgrounds, including former government intelligence analysts, SOC analysts and private industry consultants. The team’s founding principles include strict analytic rigor, correct analysis and reproducible assessments. 

X-Force Threat Intelligence uses industry best practice frameworks such as:

• Diamond Model Intrusion Analysis 
• Lockheed Martin Cyber Kill Chain
• MITRE ATT&CK  
   

Threat intelligence is valuable to different members across the security operations center (SOC), from real-time blocking for tier 1 analysts, aiding investigation and threat hunting for more experienced analysts, to helping SOC leaders make strategic decisions.

There are 5 types of premium reports published as premium content in the X-Force® Exchange platform:

• Threat Activity reports provide real-time updates about discovered activity, whether from incident response investigation, IBM telemetry, open sources or other forms of collection. Security analysts can gain an immediate understanding of what X-Force knows about the attack lifecycle while executives get a quick understanding of the latest threats in their industry.
• Early Warning Research reports provide a security analyst with early warning on malicious domains that are surfaced through X-Force's partnership with Quad9. The research provides access to threats, malicious domains, DNS activity and volumetrics to identify abnormal spikes in activity. 
• Malware Analysis reports provide a security analyst with an in-depth description of how the malware functions, indicators of compromise, payloads, mutexes and processes. The analyst can use the information to hunt on their network or pivot to other relevant information about the threat groups who use the malware, other similar tools, and behaviors to detect on their networks.
• Threat Group profiles provide a security analyst with the latest information about cyber threat groups, including their typical targets, history, TTPs (tactics, techniques and procedures), common attack vectors, top malware and where the threat group might be targeting next.
• An Industry Analysis report provides executives with a baseline of threats to their industry and the future landscape so they can assess risks and assign resources based on what’s being observed, including relevant malware, threat groups and threat activity. 
   

The Domain Name System (DNS) is the protocol that translates user-friendly domain names that people can remember to computer-friendly IP addresses.

Quad9, a partnership between IBM, Packet Clearing House and Global Cyber Alliance, is a recursive DNS platform that blocks against malicious domains to prevent your computers and IoT devices from connecting to malware or phishing sites.

IBM Security® X-Force® Research is a group of experts with the skills, expertise and insight to help your company transform your incident response and intelligence capabilities. We look across cybersecurity threat research on vulnerabilities, threat actors, malware and more, including data from recent industry reports and intel from the experts at IBM Security X-Force.

The X-Force Threat Intelligence portfolio supports 5 product offerings: 

• IBM Security® QRadar® XDR Connect on Cloud Pak® for Security
• X-Force Exchange (XFE): research portal
• X-Force Exchange Commercial API (C-API): research portal API
• Advanced Threat Protection Feed (ATPF): detection feed API
• QRadar® Threat Intelligence app (TI app): QRadar add on

Each offering provides continuous threat intelligence in the form of machine generated or human generated intelligence and serves distinct use cases depending on customer needs.
 

Each year, IBM Security X-Force—our in-house team of cybersecurity experts and remediators—mines billions of data points to expose today’s most urgent security statistics and trends.
IBM Security’s latest research is published in the annual X-Force Threat Intelligence Index, a comprehensive overview of the global threat landscape based on data collected throughout the previous year. 
 

The X-Force Exchange provides a combination of observable indicators including vulnerabilities, malware, malware families, IP reputation, URL reputation, web applications, pDNS, WHOIS information, malicious domains, and higher-order intelligence such as actors, campaigns, incidents and TTPs. X-Force Threat Intelligence provides curated analysis of threats, groups, malware and industries.

X-Force Threat Intelligence data is sourced from IBM-developed infrastructure and databases, open-source intelligence, commercial sources, the deep web, and partnerships with third-party sources. 

The IBM X-Force Exchange Commercial API provides programmatic access to external threat intelligence to help contextualize security events. As a companion offering to the IBM X-Force Exchange collaborative platform, this API uses open standards to help speed time to action.

IBM X-Force threat intelligence can be integrated into existing security solutions by using a RESTful API, including STIX over TAXII protocols to incorporate structured and unstructured data.

The Early Warning Feed is designed to help you stay ahead of threats with timely and actionable information on malicious domains, including deep-dive lifecycles on these domains and volumetric data on their activity.

The Early Warning Feed is designed for security professionals looking to identify malicious domains as early as possible and to protect their organization from attacks that primarily exploit the domain name service (DNS), such as phishing, domain generation algorithms (DGA), tunneling and squatting.

The Advanced Threat Protection Feed is a machine-readable threat intelligence feed that integrates with security tools such as firewalls, intrusion prevention systems and SIEMs. It provides you with programmatic access to actionable indicators categorized by our X-Force team.

The Advanced Threat Protection Feed includes actionable indicators from threat categories such as C2 servers, bots, malware sources, phishing domains, anonymization services, scanning IPs, cryptocurrency miners, X-Force curated indicators, and a block list of high frequency and benign endpoints.

An indicator is classified as actionable when it is associated with a specific threat category and an actionable score (>=5.0). X-Force’s actionable threat intelligence exhibits a 99.97% detection rate, accompanied by a 0.003% false positive rate (as tested by external parties).

The Advanced Threat Protection Feed delivers machine readable lists of actionable indicators that can be consumed directly by your security tools. The Commercial API provides a research platform for exploring all indicators, reports and advisories from the X-Force Exchange.