Product Open Threat Exchange (OTX)
Price No cost.
What it does Collects indicators of compromise from a very large user community and makes them available in a wide variety of ways.
What we liked Completeness of the data and flexibility of the ways to use it.
The AlienVault Open Threat Exchange (OTX) is among our most useful threat intelligence tools. It is an open source of indicators of compromise (IoCs) supported by the community. That community comprises both AlienVault users and those who are not customers of AlienVault. If you own an AlienVault appliance, however, you can both consume and automatically contribute what the company calls “pulses.” At this writing there are 24,000-plus users who have contributed over 792,000 indicators in more than 6,000 pulses. Each pulse contains a collection of IoCs targeted at a particular focus. For example, during the recent frenzy over Grizzly Steppe there were six pulses contributed over the course of four days.
Access to the OTX is through URL https://otx.alienvault.com/browse/pulses/. Once in the tool you can browse pulses or search based on adversary, author, pulse, industry and several other parameters. You also can subscribe to particular users and groups so that you receive emails of new pulses contributed by those entities. If you wish to contribute pulses, you can create an account at no cost.
Indicators can be of just about any type that we commonly associate with IoCs. The OTX recognizes, among other types, the usual IPv4, IPv6, CIDR address blocks, CVEs, domains, hashes, email addresses, hostnames and URI/URLs. Particularly interesting are the searching methods available that go beyond single searches to allow such techniques as pivoting.
For example, if you search on the IOCs associated with the intrusion into the Democratic National Committee, you would find a total of 20 indicators including URLs, IPv4 addresses, domains and file hashes. If you are interested in where else certain malware showed up – an aid to attribution – you can click on each file hash and see if there are any related pulses. One particular hash shows two. Clicking on more details gives us the two pulses, one we know about but there is another called “Tunnel of Gov: DNC Hack and the Russian XTunnel.” Clicking on that gives us some more hashes.
We can copy those hash values and feed them to another resource, such as VirusTotal, Invincea or malwr.com. This expands the value of the indicator to help provide attribution (Invincea, for example, could not confirm or deny Russian attribution of the XTunnel malware but did determine that it was custom built to penetrate the DNC) and identify other malware that may be from the same family.
The OTX also has an API that allows direct connection to AlienVault products as well as connectors for TAXII servers, Suricata and Bro-IDS. Pulses can be downloaded in CSV, OpenIOC 1.0 and 1.1 and STIX. We exported several pulses in STIX format and were able to feed them to a free tool, called STIXViz, for visualization and further analysis. In addition to the downloads, searching and pivoting capabilities of the OTX, the community is free to comment within pulses – adding a dimension of information beyond the IoC itself.
Another benefit of the OTX is the ability to construct a campaign out of indicators of compromise. In STIX-talk, a campaign has indicators, observables, actors, etc. All of these elements may be available on the OTX depending on the contributions of the community. However, using a STIX editor, such as Soltra Edge, these components can be stitched together to form a rudimentary campaign. The draft campaign can then be enriched by future pulses and data from other sources. The result is a complete picture that can be used to pre-load defensive devices with data needed to fend off attacks based on the campaign in the future.
But the usefulness of OTX in that regard does not require the complete data for a full campaign. Any indicators may be quite useful when protecting your enterprise. Whether used with AlienVault products or exported in a format that other tools can consume, the indicators in the pulses on the OTX are valuable and in a form that is easily consumable. For example, clicking on a particular indicator gives details about the indicator derived from a variety of sources, such as VirusTotal, whoIs data, first and last seen and several other external sources, such as Alexa (provenance of a URL) and URL Void (blacklists).
We like the tool and it is one of the staples in the SC Lab. For more detailed information about the OTX, go here for the user guide.