How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks

Threat sharing networks have been around for a long time, but they have typically been "invitation-only", available only to large companies or to those within a particular industry. The AlienVault Open Threat Exchange is different. It is one of the first (and most diverse) threat sharing networks, open to any and all who wish to join. And free services like the new ThreatFinder help make the threat data in OTX available and actionable by all. Join AlienVault VP of Product Strategy, Russ Spitler, and Systems Engineer, Tom D'Aquino, for a practical session covering how to use OTX to improve network security.
Russ & Tom will cover:
  • How threat intelligence is gathered and vetted in the Open Threat Exchange
  • How to use the threat data provided by OTX free services
  • Examples of the types of threats you can identify with OTX
  • Best practices to investigate and mitigate threats, including a quick tour of AlienVault USM

Published in: Technology


    1. INTRODUCTIONS
       Tom D’Aquino, Director, Technical Sales, AlienVault
       Russ Spitler, VP of Product Strategy, AlienVault
    2. AGENDA
       • Overview of the AlienVault Open Threat Exchange (OTX)
       • How threat intelligence is gathered and vetted
       • How to use the threat data provided by OTX free services
       • Examples of the types of threats you can identify with OTX
       • Best practices to investigate and mitigate threats, including a quick tour of AlienVault Unified Security Management (USM)
    3. WHAT IS THE OPEN THREAT EXCHANGE
       At the heart of OTX is the world’s largest crowd-sourced repository for threat data.
       • An open information sharing and analysis network
       • Provides access to real-time, detailed information about threats and incidents around the world
       • Enables security professionals to share threat data and benefit from data shared by others
    4. HOW DOES THE ALIENVAULT OTX WORK?
       [Architecture diagram: Validation Engine, AlienVault Labs, Malware Analysis Sandbox, External Feeds, Web Crawler and AlienVault OSSIM/USM sites all feeding OTX. Slides 5 to 7 repeat this diagram, each highlighting one source.]
    5. CROWD-SOURCED THREAT DATA SOURCES
       • 17,000 contributions a day
       • 140+ countries
       • Threat data from:
         • Built-in IDS signatures
         • Normalized event logs
         • Firewalls
         • Content filters
         • IPS/IDS
         • Proxies
         • Network devices
         • Web servers
         • Other
    6. SECURITY RESEARCH COMMUNITY SHARED DATA
       • 50+ external threat sources
       • IP addresses
       • Domain names
       • URLs
       • Malware samples
    7. URL & MALWARE ANALYSIS
       • 500,000 samples analyzed per day
       • Analysis generates:
         • Threat data
         • Additional samples
         • URLs
         • Domain names
    8. THREAT TYPES DETECTED
       Scanning Host: host observed scanning or probing remote systems
       Spamming Host: host used to propagate or distribute spam
       Malware IP: host observed propagating malware, including malicious redirection
       Command and Control: host confirmed to be sending command-and-control instructions to malware as part of a botnet or APT attack
       Malware Domain: host confirmed to be distributing malware or hosting exploit code
       Malicious Host: host observed participating in an activity that does not fall into the other categories (web attacks, known exploits)
    9. THREAT DATA VERIFICATION PROCESS
       Scoring & validation
       • Confirmation by other sources
       • Voting based on known abuse patterns: dynamic DNS, residential hosting providers, bulk domains, heuristic patterns, other
       • White-listing known sources of false positives: AWS, Microsoft Update, file sharing, other
       Expiration
       • Contributed data expires after 30 days
       • Scanning expires after 30 days without additional evidence
       • Malware: validate ongoing hosting
       • Web-based threats: confirm ongoing activity
    10. OTX THREAT DATA PRODUCED
       • Updates provided every 30 minutes
       • 200,000-350,000 validated malicious IPs at any point
       Sample entries (address, threat type(s), then country, city, latitude, longitude):
         122.225.118.219  # Scanning Host                  CN,Hangzhou,30.2936000824,120.161399841
         122.225.118.66   # Scanning Host                  CN,Hangzhou,30.2936000824,120.161399841
         188.138.100.156  # Malware IP;Scanning Host       DE,,51.0,9.0
         211.87.176.197   # Scanning Host                  CN,,35.0,105.0
         95.163.107.201   # Spamming                       RU,,60.0,100.0
         188.138.110.48   # Malicious Host;Scanning Host   DE,,51.0,9.0
         72.167.131.220   # Malware IP                     US,Scottsdale,33.6119003296,-111.890602112
         174.120.172.125  # Malware IP                     US,Houston,29.7523002625,-95.3669967651
         210.148.165.67   # Malware IP                     JP,,36.0,138.0
         75.75.253.84     # Spamming                       US,Henderson,36.0312004089,-115.073898315
    11. OTX IN ACTION
       • OTX ThreatFinder: free service to analyze log files for threats
       • Unified Security Management (USM): all-in-one platform to simplify threat detection and compliance
    12. ALIENVAULT THREATFINDER – FURTHER INVESTIGATION
       1. Look at the AlienVault threat details page: what type of threat is it?
          • A suspected exploit-kit-serving website is more concerning than a scanning host
       2. Has the reported activity stopped, or is it ongoing?
       3. Check the comments section and discuss your investigation with the community
       4. Dig into your environment and see whether you can draw any conclusions about the affected host
          • Is the alert associated with a workstation or a server?
          • If it is a server, is there a legitimate reason for it to be communicating with the external threat?
          • If it is a workstation, is the user reporting any unusual issues with their system?
       5. If you have Intrusion Detection/Prevention System(s), search the alerts for the malicious IP
       6. Query your SIEM or log management system
       7. If you conduct security investigations without the help of any tools, you might try:
          • Searching network device logs for indications of prolonged activity with the external threat
          • Searching system logs for indications of suspicious activity originating from the asset
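The reputation entries on slide 10 and the investigation steps on slide 12 (with the white-listing step from slide 9), turned into a small log-scanning script. This is an added example and is not part of the webinar, nor AlienVault's ThreatFinder code. It assumes the entry layout exactly as printed on the slide (address, `#`, `;`-separated threat types, then country, city, latitude, longitude; the real OTX feed format may differ), ranks the slide 8 categories with an ordering that is the example's own assumption, accepts a CIDR allow-list for known false-positive sources, and scans constructed iptables-style firewall lines, reporting the other address on each matching line as the local host to look at next.

```python
import ipaddress
import re

# Reputation entries as printed on slide 10: address, '#', one or more threat
# types separated by ';', then country, city, latitude, longitude.
OTX_SAMPLE = """\
122.225.118.219 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
122.225.118.66 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
188.138.100.156 # Malware IP;Scanning Host DE,,51.0,9.0
211.87.176.197 # Scanning Host CN,,35.0,105.0
95.163.107.201 # Spamming RU,,60.0,100.0
188.138.110.48 # Malicious Host;Scanning Host DE,,51.0,9.0
72.167.131.220 # Malware IP US,Scottsdale,33.6119003296,-111.890602112
174.120.172.125 # Malware IP US,Houston,29.7523002625,-95.3669967651
210.148.165.67 # Malware IP JP,,36.0,138.0
75.75.253.84 # Spamming US,Henderson,36.0312004089,-115.073898315
"""

# Constructed iptables-style firewall log for the example (not from the page).
SAMPLE_LOG = """\
Mar 12 10:14:02 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=72.167.131.220 PROTO=TCP DPT=80
Mar 12 10:14:09 fw1 kernel: DROP IN=eth0 SRC=122.225.118.219 DST=203.0.113.10 PROTO=TCP DPT=22
Mar 12 10:15:31 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=93.184.216.34 PROTO=TCP DPT=443
Mar 12 10:16:44 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.7.9 DST=188.138.100.156 PROTO=TCP DPT=8080
Mar 12 10:17:00 fw1 kernel: DROP IN=eth0 SRC=122.225.118.66 DST=203.0.113.10 PROTO=TCP DPT=3389
"""

ENTRY_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*#\s*(?P<types>.+?)\s+"
    r"(?P<cc>[A-Z]{2}),(?P<city>[^,]*),(?P<lat>-?[\d.]+),(?P<lon>-?[\d.]+)$"
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Triage order for slide 8's categories. The ranking is this example's own
# assumption, following slide 12's remark that an exploit-serving host is more
# concerning than a scanning host.
SEVERITY = {"Command and Control": 5, "Malware Domain": 4, "Malware IP": 3,
            "Malicious Host": 2, "Spamming Host": 1, "Spamming": 1,
            "Scanning Host": 0}


def parse_reputation(text):
    """Parse slide-10-style lines into {ip: {types, country, city, lat, lon}}."""
    rep = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised reputation line: {line!r}")
        rep[m["ip"]] = {"types": [t.strip() for t in m["types"].split(";")],
                        "country": m["cc"], "city": m["city"] or None,
                        "lat": float(m["lat"]), "lon": float(m["lon"])}
    return rep


def severity(types):
    """Highest rank among an entry's threat types (unknown types rank 0)."""
    return max(SEVERITY.get(t, 0) for t in types)


def valid_ips(line):
    """Dotted quads on a log line that are real IPv4 addresses (not 999.1.1.1)."""
    out = []
    for s in IP_RE.findall(line):
        try:
            ipaddress.IPv4Address(s)
        except ValueError:
            continue
        out.append(s)
    return out


def find_threats(log_text, rep, allow=()):
    """Hits for log lines that mention a listed address, most severe first.

    `allow` holds CIDR networks treated as known false-positive sources (the
    white-listing step on slide 9); listed addresses inside them are skipped.
    Each hit carries the hostile address, its threat types, the severity rank
    and the other address on the line: the local host to examine next.
    """
    allowed = [ipaddress.ip_network(n) for n in allow]
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ips = valid_ips(line)
        for ip in ips:
            if ip not in rep or any(ipaddress.ip_address(ip) in net for net in allowed):
                continue
            peers = [p for p in ips if p != ip]
            hits.append({"line": n, "ip": ip, "types": rep[ip]["types"],
                         "country": rep[ip]["country"],
                         "severity": severity(rep[ip]["types"]),
                         "peer": peers[0] if peers else None})
    hits.sort(key=lambda h: (-h["severity"], h["line"]))
    return hits


if __name__ == "__main__":
    for h in find_threats(SAMPLE_LOG, parse_reputation(OTX_SAMPLE)):
        print(f"line {h['line']}: {h['ip']} {';'.join(h['types'])} "
              f"sev={h['severity']} peer={h['peer']}")
```

Run as-is it lists the two Malware IP hits first and the two scanning hits after them; pass `allow=("188.138.0.0/16",)` to see a whole network suppressed the way slide 9 describes white-listing known false-positive sources. The peer on each hit is what steps 4 to 7 on slide 12 ask you to pivot on (workstation or server, IDS alerts, SIEM queries); reporting a genuine false positive back to the exchange, as slide 13 describes, stays a manual step.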
    13. WHAT TO DO WHEN YOU GET A FALSE POSITIVE?
       Within AlienVault: flag the IP for review and provide any evidence of a false positive that you can. It will be sent to the security research team for review.
    14. NOW FOR SOME Q&A…
       Join OTX
       • Free ThreatFinder: http://www.alienvault.com/open-threat-exchange/threatfinder
       • Free Reputation Monitor: http://www.alienvault.com/open-threat-exchange/reputation-monitor
       Test Drive AlienVault USM
       • Download a free 30-day trial: http://www.alienvault.com/free-trial
       • Try our interactive demo site: http://www.alienvault.com/live-demo-site
