AlienVault Open Threat Exchange: Threat Report

Tracking the Internet Explorer zero-day using the AlienVault Open Threat Exchange. AV-OTX enables the AV-USM to perform collaborative defense. Users of the platform can opt-in to this program to share anonymous information related to detected attack patterns and malicious actors. The AlienVault Labs research team refines this data and provides all participants a global reputation feed, sharing intelligence on who is attacking and how, in order to improve our defenses. Learn more: www.alienvault.com

Published in: Technology
  • Notes
    • Crowd-sourced? Fool
    • OSINT: we were able to use the WHOIS mail address and the IP addresses used by the attackers to find fake domains registered by them that contain specific names of companies related with:
      • US aircraft and weapons delivery systems
      • US defense decoy countermeasures
      • US aerospace and defense technology
      • US supplier for repairs of tactical fighters
      • Laboratory for energetic systems and materials
      • UK defense contractor
      We also found a fake domain of a company that builds turbines and power sources used in several applications including utilities and power plants. We were able to check that the official website of the company was compromised as well and it was serving the Internet Explorer Zero-Day to the visitors.
    • Key Takeaways
      • Targeting specific industries is a new tactic for cybercriminals attempting to take advantage of common application vulnerabilities.
      • Zero-day exploits like the IExplorer Zero-Day highlight the need for global security intelligence such as IP Reputation-based profiling, such as that offered by AlienVault's Open Threat Exchange (OTX).
  • Transcript

    • 1. Open Threat Exchange: Threat Report (Internet Explorer Zero-Day Exploit)
    • 2. AlienVault Open Threat Exchange: Quick Overview
    • 3. Open Threat Exchange (OTX™): allows for collaboration across the OSSIM open-source community to enhance threat assessment and response
    • 4. OTX™ Contributors: 77 countries
    • 5. Open Threat Exchange: Reputation Alert
      • One installation in the world's largest SIEM deployment detects a new threat
      • AlienVault Labs reacts to the emerging threat and publishes new correlation rules
      • Every AlienVault SIEM installation receives the Threat Exchange update
      OTX facilitates secure collaboration to identify and protect against emerging threats and prevent compromise, providing the broadest threat-based Reputation Feed in the world.
    • 6. Collaborative Defense: Open Threat Exchange
      • Social threat sharing
      • Global threat trending
      • Allows analysts to share comments on IP reputation / attacks
      • Malware extraction
      • Malware behavioral ID with post-correlation
    • 7. Open Minds Exchange: Centralized Open Threat Exchange Data & Threat Reports
    • 8. Open Your Minds to Ours… http://alienvault.com/company/news/resource-center/open_minds_exchange.html
    • 9. Open Minds Exchange: Threat Reports
    • 10. Internet Explorer Zero-Day At-A-Glance
      • Tracking of the Internet Explorer zero-day began on September 16, 2012.
      • Security blogger Eric Romang broke the news that a new zero-day, very similar to the one we had seen earlier attacking Java, had been exploited in the wild.
      • Now… targeting Microsoft's Internet Explorer, the #2 most pervasive web browser.
    • 11. Specific Findings
      • Took three days to uncover capabilities and roots of the new threat.
      • Most likely the same folks behind the Java zero-day exploit (and PlugX RAT).
      • Targets versions 7 & 8 of IE as well as Windows XP.
      • Industry focus: seems to be targeting defense and industrial market segments.
    • 12. Tracking them down…
      • Used OSINT: take the WHOIS mail address + source IP addresses to find fake domains registered by them.
      • These entries contain specific names of companies related with:
        • US aircraft and weapons delivery systems
        • US defense decoy countermeasures
        • US aerospace and defense technology
        • US supplier for repairs of tactical fighters
        • Laboratory for energetic systems and materials
        • UK defense contractor
      • Also found a fake domain of a company that builds turbines and power sources used in applications including utilities and power plants. The official website of the company was also compromised and serving up the exploit to website visitors.
    • 13. Key Takeaways
      • Targeting specific industries is a new tactic for cybercriminals attempting to take advantage of common application vulnerabilities.
      • Zero-day exploits like the IE Zero-Day highlight the need for global security intelligence such as IP Reputation-based profiling, such as that offered by AlienVault's Open Threat Exchange (OTX).
      • It's essential to keep software up to date and implement responsive patch management procedures; this helps shrink the window of vulnerability once discovered.
      • However, defensive measures such as blocking the offending source IP addresses are essential as a first step.
    • 14. Resources
      • Visit AlienVault's Open Minds Exchange.
      • Download OSSIM or participate in the OSSIM Community.
      • Learn more about AlienVault's Unified Security Management platform.
      • Follow us on Twitter @alienvault
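The reputation-alert flow on slide 5 and the first-step advice on slide 13 (block the offending source IPs), as an added example that is not part of the original deck or of AlienVault's code: it matches the source IPs in constructed firewall log lines against a constructed reputation feed holding single IPs and CIDR ranges, then derives a block list from the hits. The feed layout, the log format and every address are assumptions (RFC 5737 documentation ranges, not real indicators).

```python
import ipaddress
import re

# Constructed reputation feed in the shape of an IP reputation list
# (placeholder addresses from RFC 5737 ranges, not real indicators).
REPUTATION_FEED = [
    {"indicator": "203.0.113.10", "activity": "Malicious Host", "note": "exploit landing page"},
    {"indicator": "198.51.100.0/24", "activity": "Scanning Host", "note": "related infrastructure"},
]

# Constructed firewall log lines; only the src= field matters here.
LOG_LINES = [
    "2012-09-17T10:01:02Z fw01 src=203.0.113.10 dst=10.0.0.5 dport=443 action=allow",
    "2012-09-17T10:01:05Z fw01 src=192.0.2.7 dst=10.0.0.5 dport=80 action=allow",
    "2012-09-17T10:02:11Z fw01 src=198.51.100.42 dst=10.0.0.9 dport=80 action=allow",
    "2012-09-17T10:02:30Z fw01 src=not-an-ip dst=10.0.0.9 dport=80 action=allow",
]

SRC_RE = re.compile(r"\bsrc=(\S+)")


def parse_feed(feed):
    """Turn each indicator (single IP or CIDR) into an ip_network for containment tests."""
    return [(ipaddress.ip_network(e["indicator"], strict=False), e) for e in feed]


def match_logs(log_lines, feed):
    """Return one (src_ip, feed_entry) tuple per log line whose source IP is on the feed."""
    networks = parse_feed(feed)
    hits = []
    for line in log_lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:  # malformed field: skip rather than abort the correlation run
            continue
        for net, entry in networks:
            if src in net:
                hits.append((str(src), entry))
                break  # first matching entry wins; feed order sets priority
    return hits


def block_list(hits):
    """Distinct source IPs to block as the first-step defensive measure from slide 13."""
    return sorted({src for src, _ in hits}, key=ipaddress.ip_address)
```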
