Thursday, 25 May 2017

Alienvault Threat Intelligence and Pulse creation

OTX Reputation Monitor Alert – free service

What is AlienVault’s OTX Reputation Monitor Alert?

Leveraging the world’s only open and collaborative IP reputation database, AlienVault’s OTX Reputation Monitor Alert monitors the reputation of your assets (public IPs and domains) and emails you notifications whenever there are changes.

What threats does it uncover?

 • Malware infections
 • Spamming hosts
 • Malicious activity
 • Potential breaches
 • Compromised websites
 • Hosts being used for botnets

Where are we monitoring for you? These events will trigger an alert:

 • OTX IP/Domain Match
 • Presence in Pastebin/Pastie
 • Presence on a DNS Blacklist
 • DNS Registration Update – informational only
 • SSL Certificate Update – informational only

How does the service work :

 1. Sign up via our OTX portal.
 2. Register your organization’s public IPs and domains.
 3. When there’s a match on one of our alert types, we’ll email you an alert with more information and remediation advice.
 4. You’ll also receive our monthly threat intelligence newsletter. Registration takes just a few minutes…

What is Open Threat Exchange (OTX) :

 An open and collaborative initiative for security professionals to connect with their peers, find free tools for security monitoring, and learn about the latest threats and defensive tactics from security researchers.

 Open source threat intelligence projects and services, including OSSIM and OTX Reputation Monitor Alert.

 Centralized place for these rich resources:
 • OTX Projects
 • OTX Blog
 • OTX Forums
 • OTX Learning Center

What is Threat Intelligence :

 Information about malicious actors.

 • Helps you make better decisions about defense
 • Examples: IP addresses, domains, URLs, file hashes, TTPs, victim industries, countries…

Standards & Tools :

 • IODEF: Incident Object Description Exchange Format
 • MITRE:
   – STIX: Structured Threat Information eXpression
   – TAXII: Trusted Automated eXchange of Indicator Information
   – MAEC, CAPEC, CybOX
 • CIF: Collective Intelligence Framework

What is IP Reputation : IP Reputation is a summary of the past behaviour and activity detected on an IP address. An IP with reputation information adds context when a network connection is observed.

What is an IP Reputation engine : An IP Reputation engine is a system that classifies and scores large sets of IPs as having low or high reputation.

Domain Reputation & Heuristic Domain :

The industry’s reticence to share information about attack vectors gives the adversary a huge advantage. Using Threat Intelligence we can reduce this advantage and enable preventative response.
We will guide you through the different standards (OpenIOC, STIX, MAEC, OTX, IODEF…) used to describe and share cyber intelligence, as well as Open Source frameworks such as CIF (Collective Intelligence Framework) that allow you to combine different threat sources.

One of the biggest problems with Threat Intelligence is finding out how to take advantage of the data you have to actually improve the detection/prevention capabilities in your environment. We will describe how to leverage Threat Intelligence to detect threats and provide defenses, and we will focus on how to use Open Source tools (Suricata, OSSIM, OSSEC, Bro, Yara…) to get the most out of your Threat Intelligence.

(check sandbox and CIF integration)

Delivery & Attack : a type of alarm that generates an alert about “an attempt to deliver an exploit” to the monitored system.

Open Threat Exchange(OTX) :

OTX allows anyone in the security community to actively discuss, research, validate, and share the latest threat data, trends, and techniques.

The OTX community reports on and receives threat data in the form of pulses. An OTX pulse consists of one or more indicators of compromise (IOCs) that constitute a threat or define a sequence of actions that could be used to carry out attacks on network devices and computers. OTX pulses also provide information on the reliability of threat information, who reported a threat, and other details of threat investigations.

All OTX members receive pulse information through their OTX Activity feed and also receive updates about pulses by email. This information appears as soon as you open an OTX account. OTX data can be used to enhance threat detection capabilities using SIEM tools.

You can sign up and set up an OTX account based on an email address, or you can use your existing Twitter or Google+ account.

Go to

After you receive the confirmation mail, go to the OTX Home page, where you will see all current pulse activity.

After logging in to the OTX user interface, you can begin examining the current threat activity being reported by various contributing members and groups. OTX lets you browse and search all current threats being reported, track updates on specific threat pulses, and follow or subscribe to the contributions of specific pulses, members, and groups.

The main, middle portion of the display provides an activity feed or stream of OTX pulses. At the top of this stream, the OTX user interface provides three main tab selections to display results for Pulses, Activity, and Suggested Edits.

Besides the short results displayed for each pulse, you can click on a specific pulse in the results list, to view more detailed information about the pulse, additional attributes, and indicators of compromise (IOCs) for the pulse.

In this panel, you can click the Find a Group link or the Plus button to find and join other groups of OTX users that you may share interests with. You can choose options to Join an Existing Group, Join a Private Group, or Create a Group.

Note: Joining groups means you will get alerts when pulses are added, and you can retrieve pulses more easily into a SIEM solution using the OTX DirectConnect API. Some groups are private, so pulses contributed from those groups can only be viewed if you are a member.

In the left-side panel, you can click the Profile button to view pulses sorted, in order, by different categories. By default, the result list shows pulses across all categories. From the tab menu bar, you can select to view pulses by categories such as Groups (N), Followers (N), Following (N), Subscribers (N), and Subscribing (N).

The lower portion of the pulse details display provides a comment section and information on Indicators of Compromise (IOCs) for the selected pulse. Depending on the particular indicator of compromise, the Indicator Details page can be very simple or it can include a great deal of information and research, based on how much information is available or known about the indicator at any given time.

IP Reputation Data Sources :

 IP Reputation receives data from a variety of sources, including the following:
 • Hacker forums
 • Open-source intelligence — public and private security research organizations.

Browsing OTX :

 You can search by a number of fields within pulses. In the created and modified fields, search criteria are specified in the format <number ymd (a less-than sign, a number, and a time unit). For example, <1w searches all pulses within the last week.


Subscribing to a publicly-created pulse allows automatic export of its raw data to the security tools you use to monitor security in your environment (provided you have configured your security tools to connect with OTX). 

Note: When you unsubscribe from a pulse, you still receive information about the threat in your OTX pulse activity feed, but no raw data is pulled into your security tools for correlation and generation of alarms. You might consider unsubscribing to a pulse if it is creating too much noise and generating too many false positive alarms in USM Appliance or whatever security monitoring tools your organization is using.

You may also subscribe to or follow public OTX contributors, in addition to subscribing to individual pulses.

Subscribing to an OTX member or contributor directs OTX to send all of the contributor’s pulses or IOCs to the tools used to monitor security in your environment.

Pulse and IOC contributions from an OTX member or contributor you subscribe to automatically appear in your OTX pulse activity feed, and you also receive emails every time they update one of their pulses or when they create a new pulse.

Contributing to OTX :

 Note: You can choose to stop sharing data with OTX at any time by going to the USM OTX Configuration page (Configuration > Open Threat Exchange).

Creating and Updating Pulses :

When you choose to create and contribute pulses to OTX, you can use a number of different methods to do so:

 * Use the OTX extraction wizard to pull IOCs from your favorite sources. These can be blogs, emails, a PDF file, log files, or any other malware sources—any file that has a textual description of a threat. You can also import OpenIOC 1.x and STIX files.
 * Manually add indicators of compromise to create a pulse.
 * Copy and paste indicators into the detail of a new pulse.
 * Clone an existing pulse possessing the characteristics of a pulse you want to create, and then edit the cloned pulse to create a new pulse.
 * Open an existing pulse you’ve created and add indicators, either manually or using the AlienVault Indicator Extractor.

 1. From the OTX main menu, select Create Pulse.

 2. In the Extract from Source (AlienVault Indicator Extractor) section of the Create New Pulse page, do one of the following, depending on the type of indicator you want to define for the new pulse:
    • Type the URL of a website or blog.
    • Drag and drop a text file (for example, a PDF, text, plain text log, STIX, or OpenIOC file).
    • Paste the text describing an indicator.

 3. Click Next.
    OTX processes the request and displays the new pulse page with the newly Included indicators.

 4. If OTX found any excluded IOCs, review the list on the Excluded IOCs tab.
    This tab includes items that OTX determined were unlikely to pose threats. However, it is good practice to scan the list anyway, in case you see something with which you do not agree.

 5. If you see something suspicious on the list, transfer it to the list of Included IOCs.

 6. Click Next.
    OTX displays a final Create New Pulse page to include other details describing the new pulse you want to contribute. The specific indicator you added on the previous page, and its type (for example, domain), appear on the right side of the page.

 7. Identify the pulse and complete the pulse description with the following information:

TLP — Indicate the Traffic Light Protocol (TLP) for the threat by expanding the TLP list. The TLP consists of designations used to help ensure that sensitive information is shared with the correct audience. Its four colors indicate different degrees of sensitivity and the corresponding sharing considerations to be applied by the recipient(s). For guidance, see

Name — Give the pulse a concise name that uniquely characterizes the threat. This could consist of where the threat was found or what type of malware it represents, for example, “New PoSeidon spotted”.

Description — Describe the pulse in terms of where you found it, the type of threat it poses, and any other facts that may link it to other threat indicators.

Private — Indicate whether or not you want to share the pulse with others or make it private. (Private means that you do not want to share the pulse with others, because you need to conduct more research.)

Tags — If your IOC is a URL, OTX creates relevant tags based on its analysis of the URL. You can review any of these tags, and delete them, or you can add a new tag you feel is relevant.

Groups — Add groups to associate with the pulse.

Industries — Specify the primary industries targeted by the threat.

Targeted Countries — Specify the countries that have been targeted by the threat.

8. After reviewing all your entries for the new pulse, click Submit.

Integrating OTX Data with External Security Monitoring Systems :

To leverage OTX threat intelligence within your own security monitoring and management systems and tools, take advantage of the AlienVault OTX DirectConnect API and DirectConnect SDK. You can connect to the OTX API using DirectConnect Agents available for a number of specific products and third-party tools.

The DirectConnect SDK provides support for development of DirectConnect agents or connectors for the following programming environments:
You can also always access the DirectConnect API with a command-line FTP/HTTP data transfer tool such as curl. For example:

# The header name and value are separated by a colon; this endpoint returns the pulses you subscribe to
curl -H "X-OTX-API-KEY: a5bb241cd31fc1db69fcf0fd611161606061b9445e3758fd3e71d50e6477e12a" \
     "https://otx.alienvault.com/api/v1/pulses/subscribed"
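To show how the subscribed pulse data returned by the curl call above becomes detection logic, here is an added Python example (not from the original post or the OTX-Python-SDK) that indexes the indicators of each pulse and matches them against log lines. The pulse JSON and the log lines are constructed samples; the JSON field names follow the DirectConnect API, the values are invented.

```python
# Added example (not from the original post or the OTX SDK): index the indicators of
# subscribed OTX pulses and match them against log lines. SAMPLE_RESPONSE is a constructed
# stand-in for the JSON of /api/v1/pulses/subscribed; SAMPLE_LOGS are constructed lines.
import json
import re

SAMPLE_RESPONSE = json.loads("""{"count": 2, "next": null, "results": [
  {"id": "pulse-0001", "name": "Constructed pulse A", "tlp": "green", "indicators": [
     {"indicator": "198.51.100.23", "type": "IPv4"},
     {"indicator": "bad.example.net", "type": "domain"},
     {"indicator": "http://bad.example.net/drop.php", "type": "URL"}]},
  {"id": "pulse-0002", "name": "Constructed pulse B", "tlp": "amber", "indicators": [
     {"indicator": "203.0.113.77", "type": "IPv4"},
     {"indicator": "d41d8cd98f00b204e9800998ecf8427e", "type": "FileHash-MD5"}]}]}""")

SAMPLE_LOGS = [
    "2017-05-25T10:01:02Z fw allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2017-05-25T10:01:09Z proxy CONNECT bad.example.net:443 user=alice",
    "2017-05-25T10:02:44Z proxy GET http://bad.example.net/drop.php user=bob",
    "2017-05-25T10:03:00Z fw allow src=10.0.0.9 dst=192.0.2.10 dport=80",
    "2017-05-25T10:04:12Z av scan file=setup.exe md5=D41D8CD98F00B204E9800998ECF8427E",
]
# Indicator types that can be matched literally against network or AV logs.
LOG_MATCHABLE = {"IPv4", "domain", "hostname", "URL",
                 "FileHash-MD5", "FileHash-SHA1", "FileHash-SHA256"}
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-:/_]+")  # IPs, hosts, URLs, hashes in a log line

def index_pulses(response):
    """Map each matchable indicator (lower-cased) to the ids of the pulses reporting it."""
    index = {}
    for pulse in response["results"]:
        for ioc in pulse["indicators"]:
            if ioc["type"] in LOG_MATCHABLE:
                index.setdefault(ioc["indicator"].lower(), []).append(pulse["id"])
    return index

def candidates(token):
    """Yield the token itself and, for host:port tokens, the host alone."""
    yield token
    if ":" in token and "//" not in token:
        yield token.rsplit(":", 1)[0]

def scan_logs(lines, index):
    """Return (line number, indicator, pulse ids) for every indexed IOC found in lines."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for token in TOKEN_RE.findall(line.lower()):
            for cand in candidates(token):
                if cand in index:
                    hits.append((lineno, cand, index[cand]))
                    break  # one hit per token is enough
    return hits
```

Each hit carries the ids of the pulses that reported the indicator, which is what lets you trace an alarm back to its source pulse and unsubscribe from it if it proves too noisy.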

2. The OTX user interface directs you to the AlienVault Labs SDK documentation page on GitHub for the specific language option you selected, for example, the OTX-Python-SDK resource page.

To access the Direct API SDK from the Settings Page :

 1. From the OTX user interface Home page, click on the Settings icon and choose the Settings menu option.

 2. In the OTX key section of the page, click the Use the OTX API SDK link.

 3. The OTX user interface directs you to the AlienVault Labs SDK documentation page on GitHub, which provides various support reference links for each of the different languages that are supported for the API.
