How to use AlienVault Open Threat Exchange for IoC
It been a while, work has been hectic at my end. From my last post titled “Pyramid of Pain: A Slippery Path in Threat Intelligence/Hunting”, I promised to write on how to use Open Threat Exchange for collection of IoCs.
Open Threat Exchange is the neighborhood watch of the global intelligence community. It enables private companies, independent security researchers, and government agencies to openly collaborate and share the latest information about emerging threats, attack methods, and malicious actors, promoting greater security across the entire community. You need to register with active email address to use this platform.
After successful registration and sign in, you will be directed to dashboard that contain Pulses. What is Pulses? Pulses are summary of a threat, it contain detail information about the indicator of compromise attached to the threat.
On top of the pulses is “Mustang Panda new malware deployment” which was created 4 days ago and by the right hand side, you can see I have subscribed to this pulse, which have over 186k subscribers, if you have not subscribed to before, you can subscribe to different pulse of interest.
Beside the dashboard is Browse Tab that houses different sub tabs that contain different information. Pulses, Users, Groups, Indicators, Malware Families, Industries and Adversaries
Pulses as explained earlier contain summary of threats and associated IoCs. You can choose any of this to expand. For this tutorial, I will expand Webscanners 2018–02–09 thru current day. The threat which was created 4 years ago but modified 4 minutes ago as at the end of writing is a threat against web application and can aid endpoint security by scanning this particular threat with the provided IoCs (majorly IP addresses). This particular pulse is attributed to different groups like Bad Bots, Cloud security, MISP etc. You can download this pulse by clicking on the download button at the top right corner of the page.
Users Tab contain the list of users that submitted pulses in ascending order.
Group Tab contains pulses based on different attack groups such as ransomware, advance persistent groups, blue team intelligence to mention but few. Each of this can be explore to find more information
Indicators Tab contain different indicator of compromise in 2 big categroy of Types (CVE, filehash, domain name etc) or Role (adware, backdoor, bruteforce etc).Each category can be search for alternatively for optimum result.
Malware Families tab: need to gather more intelligence on a particular malware, This is the best tab to get it. It categorizes malware based on families
Industries Tab: It is of good, ethical and healthy practice that a threat hunter hunts in her industry sector to avoid distraction and stress. This particular tab gives the right information about threat based on industry sector from aerospace to military to agriculture , education to mention but few.
Adversaries Tab: trailing a particular threat actor, the adversaries tab is the best place to gather direct, concise information about each of the listed threat actors.
You will agree with me that AlienVault OTX is a blessing to the threat hunting community. They make live easy. There are other IoCs provided such as file hash, Yara rules, Domain name to mention but few provided by AlienVault.