Applies to Product: | USM Appliance™ | LevelBlue OSSIM® |
Open Threat Exchange®(OTX™) is a threat data platform that allows security researchers and threat data producers to share research and investigate new threats.
OTX provides open access for all, allowing you to collaborate with a worldwide community of threat researchers and security professionals. This access enables collaborative research by allowing everyone in the OTX community to actively share threat data, trends, and techniques.
In addition to accelerating the distribution of the latest threat data, OTX automates the process of updating your security infrastructure. By offering a platform for the community of security analysts to actively collaborate, OTX strengthens the defenses of all who use it.
Information in OTX derives from both public and private entities, as well as other resources.
The OTX platform consists of two chief components:
-
Pulses
Collections of indicators of compromise (IoCs), reported by the OTX community, which other community members review and comment on. Pulses provide you with a summary of the threat, a view into the software targeted, and the related IoCs, reported by the OTX community worldwide. See OTX Pulses and Indicators of Compromise.
-
IP Reputation
Provides notification of communication between known malicious hosts and your assets. See OTX IP Reputation.
OTX Pulses and Indicators of Compromise
The OTX community reports on and receives threat data in the form of “pulses.” A. pulse consists of at least one, but more often multiple Indicators of Compromise (IoCs).
An IoC is an artifact observed on a network or in an end point judged with a high degree of confidence to be a threat vector. Examples of threat vectors include campaigns or infrastructures used by an attacker. The following table provides a list of IoC types.
IoC Type | Description |
---|---|
CIDR | Classless inter-domain routing. Specifies a range of IP addresses on a network that is suspected of malicious activity or attack. |
CVE | Standards group identification of Common Vulnerabilities and Exposures (CVEs). |
domain | A domain name for a website or server suspected of hosting or engaging in malicious activity. Domains may also encompass a series of hostnames. |
An email address associated with malicious activity. | |
FileHash (MD5, SHA1, SHA256, PEHASH, IMPHASH) | A hash computation for a file that can be used to determine whether contents of a file may have been altered or corrupted. |
filepath | Unique location in a file system of a resource suspected of malicious activity. |
hostname | The hostname for a server located within a domain, suspected of malicious activity. |
filepath | Unique location in a file system of a resource suspected of malicious activity. |
IPv4, IPv6 | An IP address used as the source/destination for an online server or other device suspected of malicious activity. |
Mutex | Mutual exclusion object allowing multiple program threads to share the same resource. Mutexes are often used by malware as a mechanism to detect whether a system has already been infected. |
FileHash-SHA256 | A SHA256-format hash that summarizes the architecture and content of a file deemed suspicious. |
URI | A uniform resource identifier (URI) that describes the explicit path to a file hosted online, which is suspected of malicious activity. |
URL | Uniform resource locations (URLs) that summarizes the online location of a file or resource associated with suspected malicious activity. |
OTX IP Reputation
OTX IP Reputation identifies IP addresses and domains worldwide that are submitted by the OTX community. IP Reputation verifies them as either malicious or, at least, suspicious until more data comes in to increase their threat ranking. Through its incoming IP data from all of these sources, IP Reputation supplements OTX data with valuable data about actively or potentially malicious activity appearing worldwide that can affect your system.
IP Reputation Data Sources
IP Reputation receives data from a variety sources
- Hacker forums
- Open-source intelligence — Public and private security research organizations.
- USM Appliance/LevelBlue OSSIM® deployments—Consists of users who have voluntarily agreed to anonymously share information about external traffic into their network with LevelBlue.
Note: AlienVault ensures that none of the data shared with OTX can be traced to the contributor or their USM Appliance instance.
Who Has Access to IP Reputation?
All USM Appliance users receive the benefit of IP Reputation data whether or not they sign up for an OTX account.
When you open an OTX account, you may elect to share IP Reputation data with other OTX users. Any data you contribute are anonymous and secure.
Note: You can configure USM Appliance to stop sharing IP Reputation data with OTX at any time by visiting the Open Threat Exchange Configuration page.
IP Reputation Ranking Criteria
IP Reputation uses ranking criteria based on IP Reliability and IP Priority that OTX updates on an ongoing basis to calculate changing assessments to risk level. This helps prevent false positives.
IP Reliability
IP Reputation data derives from many data sources of differing reliability. Ranking in this case is based on the relative number of reports regarding a malicious IP in relation to others reported. If, for example, OTX receives 10 reports on a given IP address versus 20 on another, it gives the IP with 10 reports a lower reliability ranking than the IP with 20 reports.
IP Priority
OTX ranks IP address priority, based on the behavior associated with each IP address listed. For example, an IP address used as a scanning host receives a lower priority than an IP address known to have been used as a Botnet server.
Ongoing Ranking Reassessment
OTX constantly updates its IP Reputation data as new information emerges affecting IP reliability or priority criteria. Each update reprioritizes IP reliability and priority values and the threat level of an IP accordingly.
AlienVault OSSIM Limitations: Although LevelBlue OSSIM has a complete integration of OTX in its environment, the additional alarm context compiled by the LevelBlue Labs™ Security Research Team to analyze and validate OTX threat data is only available in USM Appliance.