AT&T Alien Labs™ Open Threat Exchange® (OTX™) is a threat data platform that provides open access for all, allowing you to collaborate with a worldwide community of threat researchers and security professionals.
On the OTX page, you can connect the deployed USM Anywhere Sensor to your OTX account. Once connected, the sensor starts to receive raw pulse data from OTX and USM Anywhere correlates that data.
When it detects Indicators of Compromise (IOCs) interacting with assets in your environment, USM Anywhere generates related OTX pulse and IP Reputation-related security events and alarms. The platform consists of these two chief components:
- Pulses: Collections of indicators of compromise (IOCs), reported by the OTX community, which other community members review and comment on. Pulses provide you with a summary of the threat, a view into the software targeted, and the related IOCs, reported by the OTX community worldwide. See About OTX Pulses and IOCs.
- IP Reputation: Provides notification of communication between known malicious hosts and your assets. See About OTX IP Reputation.
The OTX community reports on and receives threat data in the form of pulses. A pulse consists of at least one, but more often multiple, Indicators of Compromise (IOCs).
An IOC is an artifact observed on a network or in an endpoint, judged with a high degree of confidence to be a threat vector. Examples of threat vectors include campaigns or infrastructures used by an attacker. This table provides a list of IOC types:
| IOC Type | Description |
|---|---|
| CIDR Rules | Classless inter-domain routing. Specifies a range of IP addresses on a network that is suspected of malicious activity or attack. |
| CVE number | Standards group identification of Common Vulnerabilities and Exposures (CVEs). |
| Domains | A domain name for a website or server suspected of hosting or engaging in malicious activity. Domains may also encompass a series of hostnames. |
| Email | An email address associated with malicious activity. |
| File Hashes (MD5, SHA1, SHA256, PEHASH, IMPHASH) | A hash computation for a file that can be used to determine whether contents of a file may have been altered or corrupted. |
| File Paths | Unique location in a file system of a resource suspected of malicious activity. |
| Hostnames (subdomains) | The hostname for a server located within a domain, suspected of malicious activity. |
| IP Addresses | An IP address used as the source/destination for an online server or other device suspected of malicious activity. |
| MUTEX Name | Mutual exclusion object allowing multiple program threads to share the same resource. Mutexes are often used by malware as a mechanism to detect whether a system has already been infected. |
| URI | A uniform resource identifier (URI) that describes the explicit path to a file hosted online, which is suspected of malicious activity. |
| URL | A uniform resource locator (URL) that summarizes the online location of a file or resource associated with suspected malicious activity. |
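To make the IOC types in the table concrete, the following Python example (added here, not code from USM Anywhere or OTX) classifies raw indicator strings into those types and matches IP and CIDR indicators against the remote addresses in flow records. The regular expressions, the function names `classify_ioc` and `match_flows`, and the sample pulse and flow data are assumptions constructed for illustration.

```python
import ipaddress
import re

# Patterns are assumptions made for this example, not OTX's own validation rules.
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
HOST_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def classify_ioc(value):
    """Map a raw indicator string to one of the IOC types in the table above."""
    v = value.strip()
    if CVE_RE.match(v):
        return "CVE number"
    if URL_RE.match(v):
        return "URL"
    if EMAIL_RE.match(v):
        return "Email"
    if len(v) in HASH_LENGTHS and HEX_RE.match(v):
        return "File Hash (" + HASH_LENGTHS[len(v)] + ")"
    try:
        ipaddress.ip_address(v)
        return "IP Address"
    except ValueError:
        pass
    if "/" in v:
        try:
            ipaddress.ip_network(v, strict=False)
            return "CIDR"
        except ValueError:
            return "Unknown"
    if HOST_RE.match(v):
        # Simplification: two labels count as a domain, more as a hostname.
        return "Domain" if v.count(".") == 1 else "Hostname"
    return "Unknown"

def match_flows(indicators, flows):
    """Return (asset, remote, indicator) for flows whose remote IP hits an IP or CIDR IOC."""
    nets = [(i, ipaddress.ip_network(i, strict=False)) for i in indicators
            if classify_ioc(i) in ("IP Address", "CIDR")]
    return [(asset, remote, ioc) for asset, remote in flows
            for ioc, net in nets if ipaddress.ip_address(remote) in net]

# Constructed sample data (documentation address ranges and placeholder values).
PULSE_INDICATORS = ["203.0.113.0/24", "198.51.100.7", "bad.example.com",
                    "0" * 32, "CVE-0000-0000"]
FLOWS = [("10.0.0.5", "203.0.113.44"), ("10.0.0.9", "192.0.2.10"), ("10.0.0.5", "198.51.100.7")]
```

Calling `match_flows(PULSE_INDICATORS, FLOWS)` returns the two flows in which asset `10.0.0.5` talks to an address covered by the constructed pulse, which is the kind of asset-to-indicator interaction the page describes as the trigger for events and alarms.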
OTX IP Reputation identifies IP addresses and domains worldwide that are submitted by the OTX community. IP Reputation verifies them as either malicious or, at least, suspicious until more data comes in to increase their threat ranking. Through its incoming IP data from all of these sources, IP Reputation supplements OTX data with valuable data about actively or potentially malicious activity appearing worldwide that can affect your systems.
IP Reputation Data Sources
IP Reputation receives data from a variety of sources:
- Open-source intelligence: Public and private security research organizations.
- USM Anywhere deployments: Consists of users who have voluntarily agreed to anonymously share information about external traffic into their network with AT&T Cybersecurity.
Note: AT&T Cybersecurity ensures that none of the data shared with OTX can be traced to the contributor or their USM Anywhere deployment.
Who Has Access to IP Reputation?
All USM Anywhere users receive the benefit of IP Reputation data whether or not they sign up for an OTX account.
When you open an OTX account, you may elect to share IP Reputation data with other OTX users. Any data you contribute are anonymous and secure.
Note: You can configure USM Anywhere to stop sharing IP Reputation data with OTX at any time by visiting the Open Threat Exchange Configuration page.
IP Reputation Ranking Criteria
IP Reputation uses ranking criteria based on IP Reliability and IP Priority that OTX updates on an ongoing basis to calculate changing assessments to risk level. This helps prevent false positives.
IP Reputation data derives from many data sources of differing reliability. Ranking in this case is based on the relative number of reports regarding a malicious IP in relation to others reported. If, for example, OTX receives 10 reports on a given IP address versus 20 on another, it gives the IP with 10 reports a lower reliability ranking than the IP with 20 reports.
OTX ranks IP address priority based on the behavior associated with each IP address listed. For example, an IP address used as a scanning host receives a lower priority than an IP address known to have been used as a botnet server.
Ongoing Ranking Reassessment
OTX constantly updates its IP Reputation data as new information emerges, affecting IP reliability or priority criteria. Each update re-prioritizes IP reliability and priority values and the threat level of an IP accordingly.