
How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks


DESCRIPTION

Threat sharing networks have been around for a long time; however, they have typically been "invitation-only", available only to large companies or to those within a particular industry. The AlienVault Open Threat Exchange is different. It is one of the first (and most diverse) threat sharing networks, open to any and all who wish to join. And free services like the new ThreatFinder help make the threat data in OTX available and actionable by all. Join AlienVault VP of Product Strategy, Russ Spitler, and Systems Engineer, Tom D'Aquino, for a practical session covering how to use OTX to improve network security. Russ & Tom will cover:

• How threat intelligence is gathered and vetted in the Open Threat Exchange

• How to use the threat data provided by OTX free services

• Examples of the types of threats you can identify with OTX

• Best practices to investigate and mitigate threats, including a quick tour of AlienVault USM


Page 1: How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks
Page 2

INTRODUCTIONS

Tom D’Aquino, Director, Technical Sales

AlienVault

Russ Spitler, VP of Product Strategy

AlienVault

Page 3

AGENDA

• Overview of the AlienVault Open Threat Exchange (OTX)

• How threat intelligence is gathered and vetted

• How to use the threat data provided by OTX free services

• Examples of the types of threats you can identify with OTX

• Best practices to investigate and mitigate threats, including a quick tour of AlienVault Unified Security Management (USM)

Page 4

At the heart of OTX is the world’s largest crowd-sourced repository for threat data.

WHAT IS THE OPEN THREAT EXCHANGE

• An open information sharing and analysis network

• Provides access to real-time, detailed information about threats and incidents around the world

• Enables security professionals to share threat data and benefit from data shared by others

Page 5

HOW DOES THE ALIENVAULT OTX WORK?

(Diagram labels: Validation Engine, AlienVault Labs, Malware Analysis Sandbox, External Feeds, Web Crawler, AlienVault OSSIM, USM Sites, OTX)

Page 6

CROWD-SOURCED THREAT DATA SOURCES

(Same diagram labels as page 5, with OSSIM/USM as the source under discussion)

• 17,000 contributions a day

• 140+ countries

• Threat data from built-in IDS signatures and normalized event logs

• Log sources: firewalls, content filters, IPS/IDS, proxies, network devices, web servers, other

Page 7

SECURITY RESEARCH COMMUNITY SHARED DATA

(Same diagram labels as page 5, with External Feeds as the source under discussion)

• 50+ external threat sources

• Shared data: IP addresses, domain names, URLs, malware samples

Page 8

URL & MALWARE ANALYSIS

(Same diagram labels as page 5, with the Malware Analysis Sandbox and Web Crawler as the sources under discussion)

• 500,000 samples analyzed per day

• Analysis generates: threat data, additional samples, URLs, domain names

Page 9

THREAT TYPES DETECTED

Scanning Host: Host observed scanning or probing remote systems

Spamming Host: Host used to propagate or distribute spam

Malware IP: Host observed propagating malware, including malicious redirection

Command and Control: Host confirmed to be sending command and control instructions to malware as part of a botnet or APT attack

Malware Domain: Host confirmed to be distributing malware or hosting exploit code

Malicious Host: Host observed participating in an activity that does not fall into the other categories (web attacks, known exploits)

Page 10

THREAT DATA VERIFICATION PROCESS

Scoring & Validation

• Confirmation by other sources

• Voting based on known abuse patterns: dynamic DNS, residential hosting providers, bulk domains, heuristic patterns, other

• White-listing known sources of false positives: AWS, Microsoft Update, file sharing, other

Expiration

• Contributed data: expires after 30 days

• Scanning: expires after 30 days without additional evidence

• Malware: validate ongoing hosting

• Web-based threats: confirm ongoing activity

Page 11

OTX THREAT DATA PRODUCED

• Updates provided every 30 minutes

• 200,000-350,000 validated malicious IP’s at any point

Sample entries (IP # category;category country,city,latitude,longitude):

122.225.118.219 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
122.225.118.66 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
188.138.100.156 # Malware IP;Scanning Host DE,,51.0,9.0
211.87.176.197 # Scanning Host CN,,35.0,105.0
95.163.107.201 # Spamming RU,,60.0,100.0
188.138.110.48 # Malicious Host;Scanning Host DE,,51.0,9.0
72.167.131.220 # Malware IP US,Scottsdale,33.6119003296,-111.890602112
174.120.172.125 # Malware IP US,Houston,29.7523002625,-95.3669967651
210.148.165.67 # Malware IP JP,,36.0,138.0
75.75.253.84 # Spamming US,Henderson,36.0312004089,-115.073898315

Page 12

OTX IN ACTION

OTX ThreatFinder: Free service to analyze log files for threats

Unified Security Management (USM): All-in-one platform to simplify threat detection and compliance

Page 13

ALIENVAULT THREATFINDER – FURTHER INVESTIGATION

1. Look at the AlienVault threat details page - what type of threat is it?

• A suspected exploit-kit serving website is more concerning than a scanning host

2. Has the activity reported stopped or is it ongoing?

3. Check the comments section and discuss your investigation with the community

4. Dig into your environment and see if you can draw any conclusions about the host affected

• Is it a workstation or server that the alert is associated with?

• If it’s a server, is there a legitimate reason that it would be communicating with the external threat?

• If it’s a workstation, is the user reporting any unusual issues with their system?

5. If you have Intrusion Detection/Prevention System(s), search the alerts for the malicious IP

6. Query your SIEM or log management system, etc.

7. If you conduct security investigations without the help of any tools at all, you might try:

• Searching network device logs for indications of prolonged activity with the external threat

• Searching system logs for indications of suspicious activity originating from the asset
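As an added example (not from the AlienVault deck), the code below parses reputation entries in the format shown on page 11 and then performs step 7 above: it searches firewall log lines for the listed IPs and orders the hits by the rough priority the deck suggests, malware hosts ahead of scanners. The feed lines are copied from page 11; the firewall log lines, the SEVERITY ranking and the function names are my own assumptions.

```python
import re
from ipaddress import ip_address

# Reputation lines in the format shown on page 11 of the deck:
# "<ip> # <category>[;<category>...] <CC>,<city>,<lat>,<lon>"
REPUTATION_SAMPLE = """\
122.225.118.219 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
188.138.100.156 # Malware IP;Scanning Host DE,,51.0,9.0
72.167.131.220 # Malware IP US,Scottsdale,33.6119003296,-111.890602112
75.75.253.84 # Spamming US,Henderson,36.0312004089,-115.073898315
"""
# Assumed triage order (page 13: an exploit-kit host matters more than a scanner).
SEVERITY = {"Command and Control": 4, "Malware Domain": 3, "Malware IP": 3,
            "Malicious Host": 2, "Spamming": 1, "Scanning Host": 0}
LINE_RE = re.compile(r"^(?P<ip>\S+)\s+#\s+(?P<cats>.+?)\s+(?P<geo>[A-Z]{2},.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_reputation(text):
    """Return {ip: {"categories": [...], "country": CC, "city": city}}."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # blank, comment or garbled line
        ip_address(m["ip"])               # ValueError on a malformed address
        country, city = m["geo"].split(",", 3)[:2]
        entries[m["ip"]] = {"categories": m["cats"].split(";"),
                            "country": country, "city": city}
    return entries

# Constructed firewall log lines (internal 10.0.1.0/24, one benign destination).
FIREWALL_LOG = [
    "2013-11-05T10:01:12 fw1 allow tcp 10.0.1.25:52100 -> 72.167.131.220:80",
    "2013-11-05T10:01:40 fw1 deny tcp 122.225.118.219:4431 -> 10.0.1.25:22",
    "2013-11-05T10:02:03 fw1 allow tcp 10.0.1.40:49321 -> 192.0.2.10:443",
]

def match_firewall_logs(lines, rep):
    """Step 7 on page 13: search device logs for known-bad IPs; returns
    (severity, internal_ip, bad_ip, categories) tuples, worst first."""
    hits = []
    for line in lines:
        ips = IPV4_RE.findall(line)
        for ip in ips:
            if ip in rep:
                peer = next((x for x in ips if x != ip), "?")
                sev = max(SEVERITY.get(c, 0) for c in rep[ip]["categories"])
                hits.append((sev, peer, ip, rep[ip]["categories"]))
    return sorted(hits, key=lambda h: -h[0])
```

The internal peer of each hit is the asset to investigate in step 4 (workstation or server, legitimate reason for the traffic), and the category decides how urgently.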

Page 14

WHAT TO DO WHEN YOU GET A FALSE POSITIVE?

Within AlienVault: FLAG IP FOR REVIEW. Provide any evidence of a false positive that you can. It will be sent to the security research team for review.

Page 15

NOW FOR SOME Q&A…

Join OTX

Free ThreatFinder

http://www.alienvault.com/open-threat-exchange/threatfinder

Free Reputation Monitor

http://www.alienvault.com/open-threat-exchange/reputation-monitor

Test Drive AlienVault USM: Download a Free 30-Day Trial

http://www.alienvault.com/free-trial

Try our Interactive Demo Site

http://www.alienvault.com/live-demo-site