Monday, December 7, 2015

AlienVault Open Threat eXchange Platform

Indicator Sharing

I am currently working on an ISAC, and one of the nice things about an ISAC is that the organizations involved can share information about the attacks they encounter. I've been trying out AlienVault OTX this month as a platform for public indicator sharing.

The reason why I did not set up my own platform, like a MISP instance, is that the ISAC right now needs to focus on building trust between the parties involved. OTX allows me to demonstrate the value of indicator sharing in a very simple way.

The AlienVault OTX Platform

As a test case I decided to go with something everybody experiences when connected to the Internet: SSH scans. From experience I know that these scans come in regularly and that the classic ports are TCP/22 and TCP/2222.

There are two ways to interact with the platform, either through the API or through the web interface. I chose the latter since I wanted to know whether the platform is actually usable for small organizations with a limited amount of resources and limited knowledge of programming against an API. I must say I was amazed at how easy the good people of AlienVault made it.

When you open the platform you get a dashboard that looks like this:

Creating a new pulse

When you want to share information you create a pulse. You can either create one from a copy-paste or create the indicators manually.

The extractor parses the values you paste and tries to detect the data types of the submitted data. Since I have only submitted IPv4 indicators I can't say I really tested it, but except for one IP it was always spot on. The reason why it asked me to verify that one IPv4 address is that it actually looks like a software version number.

When you create an indicator manually you select the type (IPv4, domain, URL, FileHash-MD5, ...) and enter the value in the indicator field. This is slower but of course more accurate. I tried things like submitting the same indicator twice in one pulse and leaving out the type, and it gently points out the error.
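To illustrate what a copy-paste extractor like the one described above has to get right, here is a small added example (my own code, not AlienVault's): it classifies each pasted line as IPv4, FileHash-MD5, URL or domain, rejects lines without a recognisable type, catches double submits within the same pulse, and flags IPv4 addresses that read like a software version number for manual verification. The version-number heuristic (all four octets below 32) and the pasted sample are my own constructions, not OTX's rules or data.

```python
import re

# Constructed sample of a copy-pasted indicator block (not real OTX data).
PASTED = """
198.51.100.23
2.4.1.0
d41d8cd98f00b204e9800998ecf8427e
scanner.example.net
http://example.net/ssh-bruteforce.txt
198.51.100.23
not an indicator
"""

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
# Checked in this order; IPv4 is handled first because its octets need a range check.
TYPES = [
    ("FileHash-MD5", re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)),
    ("URL", re.compile(r"^https?://\S+$")),
    ("domain", re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)),
]

def classify(value):
    """Return the OTX-style indicator type for one value, or None if unrecognised."""
    m = IPV4.match(value)
    if m and all(int(o) <= 255 for o in m.groups()):
        return "IPv4"
    return next((t for t, rx in TYPES if rx.match(value)), None)

def looks_like_version(value):
    """Heuristic (our assumption, not OTX's rule): four small octets read like a version number."""
    m = IPV4.match(value)
    return bool(m) and all(int(o) < 32 for o in m.groups())

def extract(text):
    """Parse pasted text into (type, value) pairs; also report duplicates, unknowns and IPv4s to verify."""
    seen, indicators, review, duplicates, unknown = set(), [], [], [], []
    for value in filter(None, (line.strip() for line in text.splitlines())):
        itype = classify(value)
        if itype is None:
            unknown.append(value)            # no type could be assigned: reject, don't guess
            continue
        key = (itype, value.lower())
        if key in seen:
            duplicates.append(value)         # a double submit within the same pulse
            continue
        seen.add(key)
        indicators.append((itype, value))
        if itype == "IPv4" and looks_like_version(value):
            review.append(value)             # ask the submitter to confirm before accepting
    return indicators, review, duplicates, unknown
```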

Sharing The Data

Once you have submitted your data the platform asks you how you want to share it.

You can set a TLP label to indicate how the data should be handled and whether the data is public or private. I have only published public TLP Green data. One thing I think is missing is the ability to create groups with which you can share your data.

The tags are handy since they immediately add context. The data I've submitted, for example, is all SSH traffic, so I tagged it with SSH.

You can also add references to a pulse. I haven't used them since I credited my external sources in the description, which to me is the logical place for them.

The Indicator Summary

After you've submitted your pulse a summary is generated.

The first part of the summary is a handy abstract showing the number of related pulses it found in the database, the number of indicators, the classification and how many people are subscribed to it.

A fun part for management is the country attribution, but as we know a computer in China might be hacked by a Belgian who first connected to another system in Brazil. It doesn't indicate where the attacker is; it just indicates where the connection comes from according to AlienVault's GeoIP database.

The next part of the page lists the indicators of compromise you just entered, but the last part is the interesting one.

The related pulses are the pulses already in the system that share some of your indicators. What I would have liked to see is how many indicators are shared. Clicking on a related pulse takes you to that pulse; it would have been nice if it indicated which indicators are shared and which are not, but unfortunately that is not the case.

Data Quality

The worth of a system is, as always, the quality of the data you put into it. I've been a DBA in the past and quite often people were complaining about the CRM database containing "low quality" data. The irony was of course that usually they were the ones who had entered it in the first place.

Public Data is Public

To give you a good idea of the data submitted: you can actually view the public data without an account.

Dashboards

AlienVault is a commercial company and thus they need to do some marketing. One of the nice things to show when convincing people to share data is the public dashboards:

Reputation Monitor

As an incident responder it is part of the job, but it remains a painful experience when somebody else has to tell you that you are compromised. One of the free services resulting from the OTX platform is the reputation monitor, where you can register your IP addresses and domains so OTX can notify you when it has bad news for you.

Account Issues

In the beginning of November I had some issues with my account but with the help of Bill Smartt these issues were dealt with.

Conclusion

Although I have points of criticism, which I haven't shared with AlienVault yet, I must say I am rather impressed by the platform. I will try to play with the API in the near future and do a follow-up post when I am done.

My ex-colleague Koen Van Impe has written a nice piece on MISP and IBM's X-Force Exchange. If you are interested in the topic, definitely have a look at his guest post on the securityintelligence blog.

I just want to point out one last thing: data remains data. Only you can provide the context of your operational environment, so use the data coming from these platforms wisely.

If you are looking for the IOCs I publish, you can find them at https://otx.alienvault.com/erik/