Threat sharing networks have been around for a long time; however, they have typically been "invitation-only", available only to large companies or to those within a particular industry. The AlienVault Open Threat Exchange is different. It is one of the first (and most diverse) threat sharing networks, open to any and all who wish to join. And free services like the new ThreatFinder help make the threat data in OTX available and actionable by all. Join AlienVault VP of Product Strategy, Russ Spitler, and Systems Engineer, Tom D'Aquino, for a practical session covering how to use OTX to improve network security.
Russ & Tom will cover:
How threat intelligence is gathered and vetted in the Open Threat Exchange
How to use the threat data provided by OTX free services
Examples of the types of threats you can identify with OTX
Best practices to investigate and mitigate threats, including a quick tour of AlienVault USM
3. AGENDA
• Overview of the AlienVault Open Threat Exchange (OTX)
• How threat intelligence is gathered and vetted
• How to use the threat data provided by OTX free services
• Examples of the types of threats you can identify with OTX
• Best practices to investigate and mitigate threats, including a quick tour of AlienVault Unified Security Management (USM)
4. WHAT IS THE OPEN THREAT EXCHANGE
At the heart of OTX is the world's largest crowd-sourced repository for threat data.
• An open information sharing and analysis network
• Provides access to real-time, detailed information about threats and incidents around the world
• Enables security professionals to share threat data and benefit from data shared by others
5. HOW DOES THE ALIENVAULT OTX WORK?
[Diagram: sources feeding OTX: Validation Engine, AlienVault Labs, Malware Analysis Sandbox, External Feeds, Web Crawler, AlienVault OSSIM and USM sites]
6. CROWD-SOURCED THREAT DATA SOURCES
• 17,000 contributions a day
• 140+ countries
• Threat data from:
  • Built-in IDS signatures
  • Normalized event logs from:
    • Firewalls
    • Content filters
    • IPS/IDS
    • Proxies
    • Network devices
    • Web servers
    • Other
7. SECURITY RESEARCH COMMUNITY SHARED DATA
• 50+ external threat sources providing:
  • IP addresses
  • Domain names
  • URLs
  • Malware samples
8. URL & MALWARE ANALYSIS
• 500,000 samples analyzed per day
• Analysis generates:
  • Threat data
  • Additional samples
  • URLs
  • Domain names
9. THREAT TYPES DETECTED
• Scanning Host: host observed scanning or probing remote systems
• Spamming Host: host used to propagate or distribute spam
• Malware IP: host observed propagating malware, including malicious redirection
• Command and Control: host confirmed to be sending command and control instructions to malware as part of a botnet or APT attack
• Malware Domain: host confirmed to be distributing malware or hosting exploit code
• Malicious Host: host observed participating in an activity that does not fall into the other categories (web attacks, known exploits)
10. THREAT DATA VERIFICATION PROCESS
Scoring & Validation
• Confirmation by other sources
• Voting based on known abuse patterns: dynamic DNS, residential hosting providers, bulk domains, heuristic patterns, other
• White-listing known sources of false positives: AWS, Microsoft Update, file sharing, other
Expiration
• Contributed data: expires after 30 days
• Scanning: expires after 30 days without additional evidence
• Malware: validate ongoing hosting
• Web-based threats: confirm ongoing activity
11. OTX THREAT DATA PRODUCED
Updates provided every 30 minutes
200,000-350,000 validated malicious IPs at any point; one entry per line, in the form: IP # threat types (separated by ";") country,city,latitude,longitude
122.225.118.219 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
122.225.118.66 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
188.138.100.156 # Malware IP;Scanning Host DE,,51.0,9.0
211.87.176.197 # Scanning Host CN,,35.0,105.0
95.163.107.201 # Spamming RU,,60.0,100.0
188.138.110.48 # Malicious Host;Scanning Host DE,,51.0,9.0
72.167.131.220 # Malware IP US,Scottsdale,33.6119003296,-111.890602112
174.120.172.125 # Malware IP US,Houston,29.7523002625,-95.3669967651
210.148.165.67 # Malware IP JP,,36.0,138.0
75.75.253.84 # Spamming US,Henderson,36.0312004089,-115.073898315
12. OTX IN ACTION
OTX ThreatFinder: free service to analyze log files for threats
Unified Security Management (USM): all-in-one platform to simplify threat detection and compliance
13. ALIENVAULT THREATFINDER – FURTHER INVESTIGATION
1. Look at the AlienVault threat details page - what type of threat is it?
• A suspected exploit-kit serving website is more concerning than a scanning host
2. Has the activity reported stopped or is it ongoing?
3. Check the comments section and discuss your investigation with the community
4. Dig into your environment and see if you can draw any conclusions about the host affected
• Is it a workstation or server that the alert is associated with?
• If it’s a server, is there a legitimate reason that it would be communicating with the external threat?
• If it’s a workstation, is the user reporting any unusual issues with their system?
5. If you have Intrusion Detection/Prevention System(s), search the alerts for the malicious IP
6. Query your SIEM or log management system, etc.
7. If you conduct security investigations without the help of any tools at all, you might try:
• Searching network device logs for indications of prolonged activity with the external threat
• Searching system logs for indications of suspicious activity originating from the asset
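The two pieces of this deck that lend themselves to code are the reputation feed format shown on slide 11 and the log-searching step of the investigation checklist above (step 7). The following example is added here and is not AlienVault's code or any part of OTX or ThreatFinder: it parses feed lines in the slide 11 format, then matches a handful of constructed firewall log lines against the parsed set, aggregates per internal asset and external threat (so the analyst can answer "which host, how often, how long" from step 4), and orders the results by a severity ranking of our own choosing that follows the slide 13 remark that a malware-serving host matters more than a scanning host. The log line layout, the severity numbers and the helper names are all assumptions for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of the reputation feed, in the one-line-per-IP layout
# shown on slide 11 (entries copied from the slide; embedded so this runs offline).
SAMPLE_FEED = """\
122.225.118.219 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
188.138.100.156 # Malware IP;Scanning Host DE,,51.0,9.0
95.163.107.201 # Spamming RU,,60.0,100.0
72.167.131.220 # Malware IP US,Scottsdale,33.6119003296,-111.890602112
"""

# Constructed firewall log lines in a hypothetical layout (not an AlienVault format):
# timestamp action src_ip:port -> dst_ip:port
SAMPLE_LOG = """\
2014-03-12T10:01:05Z ALLOW 10.0.0.15:51234 -> 72.167.131.220:80
2014-03-12T10:01:07Z ALLOW 10.0.0.15:51235 -> 93.184.216.34:443
2014-03-12T10:03:44Z DENY 122.225.118.219:33041 -> 10.0.0.5:22
2014-03-12T10:09:10Z ALLOW 10.0.0.22:40001 -> 72.167.131.220:80
2014-03-12T10:09:11Z ALLOW 10.0.0.22:40002 -> 72.167.131.220:80
2014-03-12T11:15:00Z ALLOW 10.0.0.7:25 -> 95.163.107.201:25
"""

# Triage ranking: our own numbers, not an OTX field. "Spamming" is the label the
# feed uses for the "Spamming Host" category on slide 9.
SEVERITY = {"Command and Control": 5, "Malware Domain": 4, "Malware IP": 4,
            "Malicious Host": 3, "Spamming": 2, "Spamming Host": 2, "Scanning Host": 1}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FEED_LINE = re.compile(
    rf"^(?P<ip>{IPV4})\s*#\s*(?P<types>.+?)\s+"
    r"(?P<cc>[A-Z]{2}),(?P<city>[^,]*),(?P<lat>-?[\d.]+),(?P<lon>-?[\d.]+)$")
LOG_LINE = re.compile(
    rf"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<src>{IPV4}):\d+\s+->\s+(?P<dst>{IPV4}):\d+$")


@dataclass
class ReputationEntry:
    ip: str
    threat_types: List[str]
    country: str
    city: str
    lat: float
    lon: float

    @property
    def severity(self) -> int:
        # Worst of the listed types; an unknown type scores 0 but still surfaces.
        return max((SEVERITY.get(t, 0) for t in self.threat_types), default=0)


def parse_feed(text: str) -> Dict[str, ReputationEntry]:
    """Parse feed lines into a dict keyed by IP; malformed lines are skipped."""
    entries: Dict[str, ReputationEntry] = {}
    for raw in text.splitlines():
        m = FEED_LINE.match(raw.strip())
        if m is None:
            continue
        types = [t.strip() for t in m.group("types").split(";") if t.strip()]
        entries[m.group("ip")] = ReputationEntry(
            m.group("ip"), types, m.group("cc"), m.group("city"),
            float(m.group("lat")), float(m.group("lon")))
    return entries


@dataclass
class Hit:
    internal_ip: str
    external_ip: str
    direction: str            # "outbound": our asset connected to the threat; "inbound": it connected to us
    count: int
    first_seen: str
    last_seen: str
    entry: Optional[ReputationEntry]


def find_hits(log_text: str, rep: Dict[str, ReputationEntry]) -> List[Hit]:
    """Match source and destination of each log line against the feed and
    aggregate per (internal asset, external threat); worst severity first."""
    hits: Dict[Tuple[str, str], Hit] = {}
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if m is None:
            continue
        src, dst, ts = m.group("src"), m.group("dst"), m.group("ts")
        if dst in rep:
            internal, external, direction = src, dst, "outbound"
        elif src in rep:
            internal, external, direction = dst, src, "inbound"
        else:
            continue
        h = hits.setdefault((internal, external),
                            Hit(internal, external, direction, 0, ts, ts, rep[external]))
        h.count += 1
        h.last_seen = ts
    return sorted(hits.values(), key=lambda h: (-h.entry.severity, -h.count, h.external_ip))


if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG, parse_feed(SAMPLE_FEED)):
        print(f"{h.internal_ip} {h.direction} {h.external_ip} x{h.count} "
              f"{h.first_seen}..{h.last_seen} {';'.join(h.entry.threat_types)}")
```

With the sample data the two workstations that fetched from the Malware IP come out on top (10.0.0.22 first, with two connections), the outbound SMTP to the spamming host next, and the inbound probe from the scanning host last; in a real run the feed text would be the downloaded reputation file and the log text whatever the firewall or proxy exports.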
14. WHAT TO DO WHEN YOU GET A FALSE POSITIVE?
Within AlienVault: FLAG IP FOR REVIEW
Provide any evidence of a false positive that you can. It will be sent to the security research team for review.
15. NOW FOR SOME Q&A…
Join OTX
Free ThreatFinder
http://www.alienvault.com/open-threat-exchange/threatfinder
Free Reputation Monitor
http://www.alienvault.com/open-threat-exchange/reputation-monitor
Test Drive AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site