AT&T Alien Labs Open Threat Exchange (OTX) is a free, centralized threat intelligence sharing platform that encourages collaboration among security teams around the globe. OTX combines the indicators and context contributed by those participants with AT&T Alien Labs' own research into a single shared body of threat intelligence.
Analysts may submit data to the platform manually or automatically. The platform organizes submissions into Pulses: collections of indicators of compromise, such as CVEs, domains and host names, tied to a particular threat, campaign or report. Creating a new Pulse triggers an extraction tool that automatically pulls indicators of compromise from a variety of sources, including websites, blog posts and PDF reports. These automated extractions give analysts a ready-made set of indicators to hunt for, and they also feed the machine learning that produces the platform's intelligence summaries.
If an analyst submits a Pulse that already exists on the platform, OTX accepts it and uses it to enrich the existing record with any indicators of compromise that were not already known. OTX also offers the submitting analyst the option of subscribing to a corresponding threat intelligence group. A group's feed works much like a social media feed: analysts share the Pulses they create, and everyone subscribed to the group is notified of new Pulses and indicators of compromise. Groups are either public or private. Anyone may subscribe to a public group, while only members may access a private group and the Pulses created within it.
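To make concrete what the two preceding paragraphs describe, indicator extraction from a write-up when a Pulse is created and deduplication against a Pulse that already exists, here is an added example that is not part of OTX or of this review. It is a small Python extractor that undoes the defanging conventions common in public reports, pulls CVEs, URLs, host names, IP addresses and file hashes, and merges the result into an existing Pulse record, reporting which indicators are new. The sample report text, the Pulse record and its field names, and the indicator type labels are all constructed for illustration; OTX's own extractor and data model are not reproduced here.

```python
import re
from urllib.parse import urlsplit

# Constructed sample write-up (not a real report); indicators are defanged in
# the way many public blog posts defang them.
SAMPLE_REPORT = """
The campaign exploited CVE-2021-44228 and CVE-2019-0708 against exposed hosts.
Payloads were staged at hxxp://update-cdn[.]example[.]net/loader.bin and the
domain example-registrar[.]com was registered two days earlier. Implants
beaconed to 192.168.56[.]101 and mail.corp-example[.]org over TCP 443.
Dropper SHA256: 3b7f0a5d6e9c1f2a4b8d0e6c5a7f9e1d2c4b6a8f0e1d3c5b7a9f1e3d5c7b9a1f
Loader MD5: d41d8cd98f00b204e9800998ecf8427e
"""

# Constructed existing Pulse record (hypothetical shape, not OTX's schema).
SAMPLE_PULSE = {
    "name": "Example loader campaign",
    "indicators": [
        {"type": "CVE", "indicator": "CVE-2021-44228"},
        {"type": "FileHash-MD5", "indicator": "d41d8cd98f00b204e9800998ecf8427e"},
    ],
}

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_PATTERNS = {
    "CVE": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
    "URL": re.compile(r"""\bhttps?://[^\s"'<>)]+""", re.I),
    "IPv4": _IPV4,
    "FileHash-SHA256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "FileHash-SHA1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "FileHash-MD5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "host": re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I),
}
# "loader.bin" looks like a domain to the host regex; drop obvious file names.
_FILE_EXTENSIONS = {"bin", "exe", "dll", "pdf", "txt", "html", "php", "js", "zip", "doc", "xls"}


def refang(text: str) -> str:
    """Undo the defanging used in public reports so the patterns can match."""
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", text, flags=re.I)
    return re.sub(r"hxxp", "http", text, flags=re.I)


def _classify_host(host: str):
    """Label a host as IPv4, hostname or domain; return None for junk."""
    host = host.lower()
    if _IPV4.fullmatch(host):
        # Reject dotted quads with an octet above 255 rather than record them.
        return ("IPv4", host) if all(int(o) <= 255 for o in host.split(".")) else None
    if host.rsplit(".", 1)[-1] in _FILE_EXTENSIONS:
        return None
    # Simplification: two or more dots means a hostname under a registrable
    # domain. A real extractor would consult the public suffix list so that a
    # name like example.co.uk is classified as a domain.
    return ("hostname", host) if host.count(".") >= 2 else ("domain", host)


def extract_indicators(text: str) -> set:
    """Return a set of (type, value) pairs found in a write-up."""
    text = refang(text)
    found = set()
    for ioc_type, pattern in _PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if ioc_type == "URL":
                value = value.rstrip(".,;)")
                found.add(("URL", value))
                host = urlsplit(value).hostname
                classified = _classify_host(host) if host else None
                if classified:
                    found.add(classified)
            elif ioc_type in ("IPv4", "host"):
                classified = _classify_host(value)
                if classified:
                    found.add(classified)
            elif ioc_type == "CVE":
                found.add(("CVE", value.upper()))
            else:  # file hashes: normalise case so the same sample dedupes
                found.add((ioc_type, value.lower()))
    return found


def merge_pulse(existing: dict, indicators: set):
    """Enrich an existing Pulse with new indicators; return (merged, added).

    Indicators already on the Pulse are dropped, so re-submitting the same
    report only contributes what was not known before.
    """
    known = {(i["type"], i["indicator"]) for i in existing["indicators"]}
    added = indicators - known
    merged = dict(existing)
    merged["indicators"] = existing["indicators"] + [
        {"type": t, "indicator": v} for t, v in sorted(added)
    ]
    return merged, added


if __name__ == "__main__":
    iocs = extract_indicators(SAMPLE_REPORT)
    merged, added = merge_pulse(SAMPLE_PULSE, iocs)
    for t, v in sorted(added):
        print(f"new {t}: {v}")
    print(f"{len(added)} new indicators; Pulse now has {len(merged['indicators'])}")
```

Two points worth noting when building something like this for real: refang before matching, because defanged indicators such as `update-cdn[.]example[.]net` never match a plain domain pattern, and run the longest hash pattern first or rely on word boundaries, as above, so a SHA-256 is not also recorded as an MD5 and a SHA-1.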
The dashboard displays current threat information and trends. It is well organized and intuitive, so analysts can quickly drill into the details of a malware family and its related Pulses. Analysts may pivot freely within the platform, moving from the overview into searches and investigations. The CVE page offers a basic overview of each vulnerability, including its severity and related Pulses. Analysts can search and filter this information to uncover further threat actor details and identify campaigns that have targeted similar industries. Data and intelligence are aggregated into easily digested, single-pane reports.
All platform users may submit files and URLs to the malware sandbox. A static analysis pass runs first and lets the platform gauge whether dynamic analysis would be worthwhile; if so, OTX executes the file and records the resulting endpoint and memory activity to assign a severity rating.
AT&T Alien Labs OTX is a useful threat intelligence resource for organizations of all sizes. Large companies will appreciate OTX's ability to integrate with products such as the AT&T Threat Detection and Response platform and to enrich existing SIEM solutions. Smaller companies and those with limited IT budgets will appreciate that it costs nothing. In short, security pros will find OTX an easy-to-use platform that can benefit any organization.
This free, community-driven platform includes support via email and the OTX user forum. Organizations also have access to a knowledge base with general documentation and an FAQ. AT&T provides phone support when OTX is integrated with a commercial AT&T cybersecurity product.
Written by Katelyn Dunn
Tested by Tom Weil