Open Threat Exchange® and USM Appliance

Applies to Product: USM Appliance™ LevelBlue OSSIM®

Open Threat Exchange® (OTX™) is a threat data platform that allows security researchers and threat data producers to share research and investigate new threats.

OTX provides open access for all, allowing you to collaborate with a worldwide community of threat researchers and security professionals. This access enables collaborative research by allowing everyone in the OTX community to actively share threat data, trends, and techniques.

In addition to accelerating the distribution of the latest threat data, OTX automates the process of updating your security infrastructure. By offering a platform for the community of security analysts to actively collaborate, OTX strengthens the defenses of all who use it.

Information in OTX derives from both public and private entities, as well as other resources.

The OTX platform consists of two chief components:

  • Pulses

    Collections of indicators of compromise (IoCs), reported by the OTX community, which other community members review and comment on. Pulses provide you with a summary of the threat, a view into the software targeted, and the related IoCs, reported by the OTX community worldwide. See OTX Pulses and Indicators of Compromise.

  • IP Reputation

    Provides notification of communication between known malicious hosts and your assets. See OTX IP Reputation.

OTX Pulses and Indicators of Compromise

The OTX community reports on and receives threat data in the form of “pulses.” A pulse consists of at least one, but more often multiple, Indicators of Compromise (IoCs).

An IoC is an artifact observed on a network or on an endpoint that is judged, with a high degree of confidence, to be a threat vector. Examples of threat vectors include campaigns or infrastructures used by an attacker. The following list describes the IoC types.

Indicator of compromise (IoC) types

  • CIDR: Classless inter-domain routing. Specifies a range of IP addresses on a network that is suspected of malicious activity or attack.
  • CVE: Standards-group identification of Common Vulnerabilities and Exposures (CVEs).
  • domain: A domain name for a website or server suspected of hosting or engaging in malicious activity. Domains may also encompass a series of hostnames.
  • email: An email address associated with malicious activity.
  • FileHash (MD5, SHA1, SHA256, PEHASH, IMPHASH): A hash computation for a file that can be used to determine whether the contents of a file may have been altered or corrupted.
  • filepath: Unique location in a file system of a resource suspected of malicious activity.
  • hostname: The hostname for a server located within a domain, suspected of malicious activity.
  • IPv4, IPv6: An IP address used as the source/destination for an online server or other device suspected of malicious activity.
  • Mutex: Mutual exclusion object allowing multiple program threads to share the same resource. Mutexes are often used by malware as a mechanism to detect whether a system has already been infected.
  • FileHash-SHA256: A SHA256-format hash that summarizes the architecture and content of a file deemed suspicious.
  • URI: A uniform resource identifier (URI) that describes the explicit path to a file hosted online, which is suspected of malicious activity.
  • URL: A uniform resource locator (URL) that summarizes the online location of a file or resource associated with suspected malicious activity.
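As an added illustration (not code from the OTX platform or from this documentation), the following Python heuristically sorts a pulse's indicator strings into the IoC types listed above. The hostname-versus-domain rule, the Windows mutex namespace check and the sample pulse are assumptions or constructed values; PEHASH/IMPHASH and URI are not distinguished from the other hash and URL types.

```python
import hashlib
import ipaddress
import re

# Heuristic classifier for the IoC types listed above (added example, not OTX code).
HASH_TYPES = {32: "FileHash-MD5", 40: "FileHash-SHA1", 64: "FileHash-SHA256"}  # by hex length
PATTERNS = [  # checked in order; first match wins
    ("CVE", re.compile(r"^CVE-\d{4}-\d{4,}$", re.I)),
    ("URL", re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.I)),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("Mutex", re.compile(r"^(?:Global|Local)\\\S+$")),      # Windows named-object namespaces (assumed)
    ("filepath", re.compile(r"^(?:/|[A-Za-z]:\\)")),        # POSIX absolute or Windows drive path
]
HOST_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def classify_ioc(value: str) -> str:
    """Return the IoC type name for one indicator string, or 'unknown'."""
    v = value.strip()
    try:  # ip_network accepts a bare address as a /32 or /128, so check for a prefix length
        net = ipaddress.ip_network(v, strict=False)
        if "/" in v:
            return "CIDR"
        return "IPv4" if net.version == 4 else "IPv6"
    except ValueError:
        pass
    for name, pattern in PATTERNS:
        if pattern.match(v):
            return name
    if len(v) in HASH_TYPES and re.fullmatch(r"[0-9a-f]+", v, re.I):
        return HASH_TYPES[len(v)]
    if HOST_RE.match(v):
        # Assumed convention: a two-label registrable name is a domain, deeper names are hostnames.
        return "domain" if v.count(".") == 1 else "hostname"
    return "unknown"

def classify_pulse(indicators):
    grouped = {}  # IoC type -> list of indicators, the way a reviewer scans a pulse
    for ind in indicators:
        grouped.setdefault(classify_ioc(ind), []).append(ind)
    return grouped

# Constructed sample pulse covering the listed IoC types (documentation names, not real threat data).
SAMPLE_PULSE = [
    "CVE-2099-00001", "198.51.100.0/24", "198.51.100.7", "2001:db8::1",  # placeholder CVE id
    "user@example.invalid", "http://example.invalid/dropper.exe", "/tmp/.hidden/dropper.sh",
    hashlib.md5(b"constructed sample").hexdigest(), hashlib.sha256(b"constructed sample").hexdigest(),
    "c2.example.invalid", "example.invalid", "Global\\ConstructedMutexName",
]
```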

OTX IP Reputation

OTX IP Reputation identifies IP addresses and domains worldwide that are submitted by the OTX community. IP Reputation verifies them as either malicious or, at least, suspicious until more data comes in to increase their threat ranking. Through its incoming IP data from all of these sources, IP Reputation supplements OTX data with valuable data about actively or potentially malicious activity appearing worldwide that can affect your system.

IP Reputation Data Sources

IP Reputation receives data from a variety of sources:

  • Hacker forums
  • Open-source intelligence: public and private security research organizations.
  • USM Appliance/LevelBlue OSSIM® deployments: users who have voluntarily agreed to anonymously share information about external traffic into their network with LevelBlue.

Note: AlienVault ensures that none of the data shared with OTX can be traced to the contributor or their USM Appliance instance.

Who Has Access to IP Reputation?

All USM Appliance users receive the benefit of IP Reputation data whether or not they sign up for an OTX account.

When you open an OTX account, you may elect to share IP Reputation data with other OTX users. Any data you contribute are anonymous and secure.

Note: You can configure USM Appliance to stop sharing IP Reputation data with OTX at any time by visiting the Open Threat Exchange Configuration page.

IP Reputation Ranking Criteria

IP Reputation uses ranking criteria based on IP Reliability and IP Priority, which OTX updates on an ongoing basis to calculate changing assessments of risk level. This helps prevent false positives.

IP Reliability

IP Reputation data derives from many data sources of differing reliability. Ranking in this case is based on the relative number of reports regarding a malicious IP in relation to others reported. If, for example, OTX receives 10 reports on a given IP address versus 20 on another, it gives the IP with 10 reports a lower reliability ranking than the IP with 20 reports.

IP Priority

OTX ranks IP address priority, based on the behavior associated with each IP address listed. For example, an IP address used as a scanning host receives a lower priority than an IP address known to have been used as a Botnet server.

Ongoing Ranking Reassessment

OTX constantly updates its IP Reputation data as new information emerges affecting IP reliability or priority criteria. Each update reprioritizes IP reliability and priority values and the threat level of an IP accordingly.
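The following Python is an added example, not OTX's actual ranking algorithm: it models the two criteria above (reliability relative to the most-reported IP, priority from observed behavior), flags flow records in which an asset talks to a ranked IP at or above a threshold, and re-ranks every entry when new reports arrive. The 1..10 reliability scale, the priority values, the reliability × priority threat score, and the reputation entries and flow lines are all assumptions or constructed data.

```python
import re

# Assumed model of the two ranking inputs described above (added example, not OTX's algorithm).
BEHAVIOR_PRIORITY = {"scanning host": 2, "malware distribution": 5, "botnet server": 8}  # assumed values
MAX_RELIABILITY = 10  # reliability expressed on an assumed 1..10 scale

def rank(reputation):
    """Recompute reliability (relative to the most-reported IP), priority and threat for every entry."""
    most = max(e["reports"] for e in reputation.values())
    ranked = {}
    for ip, e in reputation.items():
        reliability = max(1, round(MAX_RELIABILITY * e["reports"] / most))
        priority = BEHAVIOR_PRIORITY[e["behavior"]]
        ranked[ip] = {"reliability": reliability, "priority": priority,
                      "threat": reliability * priority}  # assumed combination rule
    return ranked

def reassess(reputation, ip, new_reports):
    """Ongoing reassessment: fold new reports into one entry and re-rank the whole list."""
    updated = {k: dict(v) for k, v in reputation.items()}  # leave the input untouched
    updated[ip]["reports"] += new_reports
    return rank(updated)

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)")

def flag_flows(flow_lines, ranked, min_threat):
    """Return (line, matched IP, threat) for flows touching a ranked IP at or above min_threat."""
    hits = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        for ip in (m["src"], m["dst"]):
            if ip in ranked and ranked[ip]["threat"] >= min_threat:
                hits.append((line, ip, ranked[ip]["threat"]))
    return hits

# Constructed reputation feed and flow records using documentation address ranges (not real indicators).
REPUTATION = {
    "203.0.113.9": {"reports": 20, "behavior": "botnet server"},
    "203.0.113.44": {"reports": 10, "behavior": "scanning host"},
}
FLOWS = [
    "2024-01-01T10:00:00Z src=10.1.2.3 dst=203.0.113.9 dport=443",
    "2024-01-01T10:00:05Z src=203.0.113.44 dst=10.1.2.3 dport=22",
    "2024-01-01T10:00:09Z src=10.1.2.3 dst=198.51.100.1 dport=80",
]
```

With the sample data, the botnet server outranks the scanner (80 versus 10); after 30 more reports name the scanner, the botnet server's reliability halves relative to it and the two scores move to 40 and 20.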

AlienVault OSSIM Limitations: Although LevelBlue OSSIM has a complete integration of OTX in its environment, the additional alarm context compiled by the LevelBlue Labs™ Security Research Team to analyze and validate OTX threat data is only available in USM Appliance.