Tracking the Internet Explorer zero-day using the AlienVault Open Threat Exchange

AV-OTX enables the AV-USM to perform collaborative defense. Users of the platform can opt in to this program to share anonymous information related to detected attack patterns and malicious actors. The AlienVault Labs research team refines this data and provides all participants a global reputation feed, sharing intelligence on who is attacking and how, in order to improve our defenses. Learn more: www.alienvault.com
5. Open Threat Exchange: Reputation Alert
• One installation in the world’s largest SIEM deployment detects a new threat
• AlienVault Labs reacts to the emerging threat and publishes new correlation rules
• Every AlienVault SIEM installation receives the Threat Exchange update
OTX facilitates secure collaboration to identify and protect against emerging threats and prevent compromise, providing the broadest threat-based reputation feed in the world.
6. Collaborative Defense - Open Threat Exchange
• Social threat sharing
• Global threat trending
• Allow analysts to share comments on IP reputation / attacks
• Malware extraction
• Malware behavioral id with post-correlation
10. Internet Explorer Zero-Day At-A-Glance
• Tracking of the Internet Explorer zero-day began on September 16, 2012
• Security blogger Eric Romang broke the news that a new zero-day, very similar to the one we had seen earlier attacking Java, had been exploited in the wild
• Now… targeting Microsoft’s Internet Explorer, the #2 most pervasive web browser
11. Specific Findings
• Took three days to uncover capabilities and roots of the new threat
• Most likely the same folks behind the Java zero-day exploit (and PlugX RAT)
• Targets versions 7 & 8 of IE as well as Windows XP
• Industry focus: seems to be targeting defense and industrial market segments
12. Tracking them down…
• Used OSINT: took the WHOIS mail address and the source IP addresses used by the attackers to find fake domains registered by them
• These entries contain specific names of companies related to:
  • US aircraft and weapons delivery systems
  • US defense decoy countermeasures
  • US aerospace and defense technology
  • US supplier for repairs of tactical fighters
  • Laboratory for energetic systems and materials
  • UK defense contractor
• Also found a fake domain of a company that builds turbines and power sources used in applications including utilities and power plants. The official website of the company was also compromised and was serving the exploit to website visitors.
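The pivot described on this slide, registrant e-mail and hosting IP as the links between domains, can be run as a small graph walk. The block below is an added example and is not AlienVault's code; the WHOIS/DNS records, e-mail addresses, IPs and company-name fragments in it are constructed placeholders (RFC 5737 documentation ranges and .example names), not indicators from the investigation. It pivots outward from one seed domain, bounded by a hop count so an over-shared hosting IP does not pull in the whole Internet, and then flags which of the linked domains impersonate names on a watchlist, which is the "fake domains containing company names" observation from the slide.

```python
"""Pivot from a seed domain to related infrastructure via shared WHOIS
registrant e-mail and hosting IP (added example; all data is constructed)."""
from collections import defaultdict, deque

# Constructed WHOIS/DNS records. Hypothetical names and documentation-range
# IPs only; none of these are real indicators.
RECORDS = [
    {"domain": "seed-exploit-site.example",    "email": "reg-a@mail.example", "ip": "203.0.113.10"},
    {"domain": "acme-aero-lookalike.example",  "email": "reg-a@mail.example", "ip": "203.0.113.11"},
    {"domain": "defense-supplier-fake.example","email": "reg-b@mail.example", "ip": "203.0.113.11"},
    {"domain": "turbine-maker-fake.example",   "email": "reg-b@mail.example", "ip": "198.51.100.7"},
    {"domain": "unrelated-shop.example",       "email": "reg-z@mail.example", "ip": "192.0.2.55"},
]

# Constructed fragments of company names an analyst wants to watch for.
WATCHLIST = ["acme-aero", "defense-supplier", "turbine-maker"]


def build_graph(records):
    """Bipartite graph: domain nodes <-> attribute nodes ('email:x', 'ip:y')."""
    adj = defaultdict(set)
    for rec in records:
        for key in ("email", "ip"):
            node = f"{key}:{rec[key]}"
            adj[rec["domain"]].add(node)
            adj[node].add(rec["domain"])
    return adj


def pivot(records, seed_domain, max_hops=4):
    """Breadth-first walk from the seed. One hop is domain -> attribute -> domain,
    so max_hops bounds how far the pivot spreads. Returns (related_domains,
    pivot_attributes) where pivot_attributes are the shared e-mails/IPs used."""
    adj = build_graph(records)
    seen = {seed_domain}
    pivots = set()
    queue = deque([(seed_domain, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_hops * 2:          # two graph edges per pivot hop
            continue
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                if ":" in nxt:             # attribute node, record it as a pivot
                    pivots.add(nxt)
                queue.append((nxt, depth + 1))
    related = {n for n in seen if ":" not in n} - {seed_domain}
    return related, pivots


def lookalikes(domains, watchlist):
    """Map each domain to the watchlist names it appears to impersonate."""
    return {d: [w for w in watchlist if w in d]
            for d in domains if any(w in d for w in watchlist)}


if __name__ == "__main__":
    related, pivots = pivot(RECORDS, "seed-exploit-site.example")
    for d in sorted(related):
        print("related:", d)
    for p in sorted(pivots):
        print("pivot:", p)
    print("lookalikes:", lookalikes(related, WATCHLIST))
```

With the default hop bound the walk reaches the three constructed fake domains through two registrant e-mails and a shared hosting IP and leaves the unrelated domain alone; lowering max_hops to 1 stops after the first registrant-e-mail pivot. In practice the confidence of each link matters: a registrant e-mail is a much stronger tie than a hosting IP at a large shared provider, so a production version would weight edges rather than treat them equally.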
13. Key Takeaways
• Targeting specific industries is a new tactic for cybercriminals attempting to take advantage of common application vulnerabilities.
• Zero-day exploits like the IE zero-day highlight the need for global security intelligence such as IP reputation-based profiling, such as that offered by AlienVault's Open Threat Exchange (OTX).
• It’s essential to keep software up to date and implement responsive patch management procedures.
  • Helps shrink the window of vulnerability once discovered
• However, defensive measures such as blocking the offending source IP addresses are essential as a first step.
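Slide 5 describes the reputation update reaching every SIEM installation, and this slide names blocking the offending source IPs as the first defensive step. The block below is an added example of the correlation that sits between those two points; it is not OTX or OSSIM code, and the feed entries, log lines and addresses in it are constructed (documentation ranges only). It parses firewall log lines, matches each source address against a reputation feed that may contain single hosts or CIDR ranges, keeps the most specific match, filters on a confidence threshold, and derives a block list from the hits.

```python
"""Correlate firewall log lines with an IP reputation feed and derive a block
list (added example; feed entries and log lines are constructed)."""
import ipaddress
import re
from collections import Counter

# Constructed reputation feed: (IP or CIDR, category, confidence 0-10).
FEED = [
    ("203.0.113.10", "Malicious Host", 8),
    ("198.51.100.0/24", "Scanning Host", 5),
]

# Constructed firewall log lines in a simple key=value layout.
LOGS = """\
2012-09-17T10:01:02Z fw01 action=allow src=203.0.113.10 dst=10.0.0.5 dport=443
2012-09-17T10:01:05Z fw01 action=allow src=192.0.2.44 dst=10.0.0.5 dport=443
2012-09-17T10:02:11Z fw01 action=allow src=198.51.100.77 dst=10.0.0.9 dport=80
2012-09-17T10:03:40Z fw01 action=allow src=203.0.113.10 dst=10.0.0.7 dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def load_feed(feed):
    """Parse feed entries into network objects; a bare IP becomes a /32."""
    return [(ipaddress.ip_network(entry, strict=False), cat, conf)
            for entry, cat, conf in feed]


def lookup(ip, networks):
    """Return the most specific (longest-prefix) feed match for ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cat, conf in networks:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cat, conf)
    return best


def correlate(log_text, feed, min_confidence=5):
    """Match each parsed log line's source IP against the feed; return hits
    at or above the confidence threshold as dicts."""
    networks = load_feed(feed)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # unparseable line, skip it
        match = lookup(m["src"], networks)
        if match and match[2] >= min_confidence:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                         "category": match[1], "confidence": match[2],
                         "feed_entry": str(match[0])})
    return hits


def block_list(hits, min_hits=1):
    """Source IPs seen in at least min_hits reputation hits, sorted."""
    counts = Counter(h["src"] for h in hits)
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    found = correlate(LOGS, FEED)
    for h in found:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]} [{h["category"]}, conf={h["confidence"]}]')
    print("block:", block_list(found))
```

The confidence threshold and the hit count are the two knobs an operator would tune before the block list feeds a firewall: a low-confidence scanning range seen once is worth an alert, while the host serving the exploit is worth a block on the first match. Keeping the longest-prefix match also means a specific entry for one host overrides a broader range it sits inside.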
14. Resources
• Visit AlienVault’s Open Minds Exchange.
• Download OSSIM or participate in the OSSIM Community.
• Learn more about AlienVault’s Unified Security Management platform.
• Follow us on twitter @alienvault
Editor's Notes
Crowd-sourced?Fool
Using OSINT, we were able to use the WHOIS mail address and the IP addresses used by the attackers to find fake domains registered by them that contain specific names of companies related with:
• US aircraft and weapons delivery systems
• US defense decoy countermeasures
• US aerospace and defense technology
• US supplier for repairs of tactical fighters
• Laboratory for energetic systems and materials
• UK defense contractor
We also found a fake domain of a company that builds turbines and power sources used in several applications including utilities and power plants. We were able to check that the official website of the company was compromised as well and it was serving the Internet Explorer Zero-Day to the visitors.

Key Takeaways
• Targeting specific industries is a new tactic for cybercriminals attempting to take advantage of common application vulnerabilities.
• Zero day exploits like the IExplorer Zero-Day highlight the need for global security intelligence such as IP Reputation-based profiling, such as that offered by AlienVault's Open Threat Exchange (OTX).