The IBM X-Force Exchange (XFE) grew out of the old Internet Security Systems, one of the pioneers in information security lore. Today, the X-Force Exchange is a repository for IBM Security threat intelligence, both archived and near real-time. It has the interesting feature of allowing users to create their own collections of indicators as well as access other users' collections. It does this through timelines, blogs and public collections.
The tool can be searched by application, IP, URL, vulnerability or hash value. It tracks trending indicators and monitors current threat activity which it displays as a rolling ribbon on its landing page. The timeline covers indicators and includes the ability for users to comment. Clicking on an indicator in the timeline takes users to the X-Force report and associated comments.
Overall, we didn't see a lot here that isn't available on a host of other products. Nonetheless, it's an interesting resource and we have known it to have information that no other resource has. To that end, we deem it a valuable tool.
Exchange has two dashboards: the classic dashboard and the "new" dashboard. We prefer the new dashboard because it is far easier to navigate and has a lot more information than the classic. Expanding a collection gives access to the elements of the collection which can be referred to or downloaded in STIX format.
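Since a collection can be downloaded in STIX format, the practical next step for a defender is to pull the atomic indicators out of that export and check them against local logs. The following is an added example, not code from IBM or from the X-Force Exchange; the STIX 2.1 bundle and the log lines are constructed for illustration, and the parser handles only simple equality comparisons in STIX patterns (a real STIX pattern parser would be needed for MATCHES, ISSUBSET and similar operators).

```python
"""Extract atomic indicators from a STIX 2.1 bundle and match them against
log lines.  Added example; the bundle and logs below are constructed and
are not taken from X-Force Exchange."""
import json
import re
from typing import List, Tuple

# Constructed STIX 2.1 bundle resembling a collection export.  The ids,
# hash and addresses are made up (RFC 5737 / reserved values).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa1",
         "name": "Botnet C2 address (constructed)",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.23']",
         "valid_from": "2020-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa2",
         "name": "Dropper hash (constructed)",
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
         "valid_from": "2020-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa3",
         "name": "Phishing URL or second C2 (constructed)",
         "pattern_type": "stix",
         "pattern": "[url:value = 'http://login.example.invalid/verify'] "
                    "OR [ipv4-addr:value = '203.0.113.9']",
         "valid_from": "2020-01-01T00:00:00Z"},
        # Non-indicator objects (malware, reports, ...) carry no pattern
        # and are skipped by the extractor.
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
         "name": "ExampleBot (constructed)", "is_family": True},
    ],
})

# One equality comparison inside a STIX pattern: <object-path> = '<value>'.
# The object path may contain quoted keys such as hashes.'SHA-256'.
_COMPARISON = re.compile(
    r"([A-Za-z0-9_\-]+:[A-Za-z0-9_\-\.']+)\s*=\s*'((?:[^'\\]|\\.)*)'")


def extract_indicators(bundle_json: str) -> List[Tuple[str, str, str]]:
    """Return (indicator_id, object_path, value) for every equality
    comparison in every STIX-pattern indicator object of the bundle."""
    bundle = json.loads(bundle_json)
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        for path, value in _COMPARISON.findall(obj.get("pattern", "")):
            found.append((obj["id"], path, value))
    return found


def match_logs(indicators, log_lines) -> List[Tuple[int, str, str]]:
    """Report (line_number, indicator_id, value) for each log line that
    contains an indicator value as a case-insensitive substring."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        lowered = line.lower()
        for ind_id, _path, value in indicators:
            if value.lower() in lowered:
                hits.append((lineno, ind_id, value))
    return hits


# Constructed proxy and endpoint log lines for the demonstration.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.23 url=http://198.51.100.23/gate.php",
    "2024-03-01T10:00:07Z proxy src=10.0.0.8 dst=93.184.216.34 url=http://example.com/",
    "2024-03-01T10:01:13Z edr host=ws12 sha256=" + "ab" * 32 + " path=C:\\Users\\a\\x.exe",
    "2024-03-01T10:02:40Z proxy src=10.0.0.9 dst=203.0.113.9 url=http://203.0.113.9/",
]

if __name__ == "__main__":
    for hit in match_logs(extract_indicators(SAMPLE_BUNDLE), SAMPLE_LOGS):
        print(hit)
```

Substring matching is deliberately crude: it is enough to show how a downloaded collection turns into something a SOC can sweep logs with, but in production the extracted values should be loaded into the SIEM's own lookup or threat-list mechanism, where IPs, domains and hashes are matched against the right fields rather than whole lines.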
In addition to its own dataset, XFE has implemented a threat feed manager that controls partnerships with third-party intelligence sources, including BotScout, PhishTank, VirusTotal, RiskIQ, Reversing Labs and Recorded Future. These alliances greatly expand the XFE universe of resources. Unfortunately, these really are more the price of admission than they are differentiators. What makes the difference in XFE is IBM's own repository and its own monitoring across the overall internet.
According to IBM, 2.5 quintillion bytes of data are created every day. The magic - assuming pervasive data collection - is in the analysis, visualization and getting all of that data down to a manageable load for cyberthreat intelligence analysts. Analysis appears at first to be pretty plain vanilla. The usual whois data shows up for IPs and URLs, and hashes are there for malware. However, when you drill down the picture improves considerably.
We selected the TrickBot over time public collection and were quite pleased to see the level of XFE analyst input. There was a complete history of the TrickBot campaign - both then and now - and a good collection of IoCs. There was a graphic that traced the history of the campaign along with a lot of detail on the individual malware samples and URLs. We would have to say that under the plain vanilla wrapper one is likely to find nuggets of real meat.
Unlike most other cyberthreat intelligence tools, XFE includes vulnerabilities. For example, a cross-site scripting vulnerability in the AContent CMS was added on December 31. The details are a bit thin, but the vulnerability is covered and it references CVSS 3.0.
Another feature that we liked is the Groups feature. Users can create or join a group and query that existing group's collections. We found that while there are several groups - some of which sound quite interesting - there are almost no collections in those groups. Likewise, there tend to be very few members (with a couple of exceptions, of course) suggesting that the group concept has not taken off yet. We found that surprising since the trend across open source intel tools is community-sharing.
XFE also is a distribution point for X-Force advisories. We picked an advisory on the GozNym malware and found the description complete and useful. However, we would have liked to have had more information about the included malware samples as represented by their hashes. We went to several other resources and found that there was ample information about the individual samples. However, much of it was conflicting.
But, when we selected a collection of botnet command-and-control servers, the results were markedly better. In this one - besides an excellent collection with a lot of useful detail - there was a pair of linked collections, one for the Mirai network and another command-and-control botnet collection. The C2 collection was disappointing, having no reports attached, but the Mirai was quite comprehensive in the collection of malware and IPs that it contained.
Overall, while XFE is a good concept and there is a long history of significant expertise at play, we believe that it has a way to go. We are not sure why it has not taken off, given that IBM sponsors it, but it may be that its overall user-friendliness is a bit lacking. That said, we certainly did not find it onerous and it may also be that this is one of those tools maintained largely by its owner and used for reference by the community rather than experiencing a lot of community contribution.
Product: IBM X-Force Exchange
Company: IBM Security
Price: $0.00 for on-platform queries, $0.00 for API access up to 5,000 records per month. For API usage over the 5,000-record monthly limit, pricing is $2,000 per 10,000 records per month for a commercial API subscription.
What it does: Cloud-based threat intelligence resource.
What we liked: The strong resources of the IBM X-Force behind the intelligence collections and the near real-time monitoring of a huge body of data points around the world.