Wednesday, 05 August 2015 18:38

Alien Vault is bringing threat intel to the masses with their latest version of Open Threat Exchange


One of the truths in security is that as long as an attacker stays hidden, they can keep operating. In short, if you do not know about something, there is nothing you can do about it. You would think this fact would encourage firms to talk about breaches and hacks more openly, but that is still not the case. One of the things I have seen over the years is that every company operates as an island. They do not share threat information (they might share your private data, but not threat information). This has created an environment in which threat actors can keep an attack going even after it has been discovered somewhere else. It is also why we tend to see the same threat vectors used over and over again.

The guys (and gals) at Alien Vault are very aware of this and are working to pull those attacks out of the shadows so that threat actors cannot keep running their campaigns. To do this they use something called the Open Threat Exchange (OTX). We saw this platform last year, and while it was impressive, it left a lot to be desired from a usability standpoint. In the first instance there was a clunky API that had to be used in order to get access to the exchange. This meant that you needed some coding skill to get things working, and most tools that are too complex to set up are going to be useless to the broader market.
This year, Alien Vault has come out with a new flavor of the Open Threat Exchange that resembles a cross between Twitter and GitHub. The UI is easy and simple to navigate, with lists of new and “trending” threats. When you drill down on an event you can find other linked references to the attack or suspected attack, including the indicators that define it. You can download these as STIX or OpenIOC (1 and 2), which makes integrating this information into your own systems much simpler. Of course you can also subscribe to events if you already use Alien Vault products to keep an eye on things. The UI is very simple to understand, and you can comment on the information shown. This gives the community the chance to contribute to the information and also provides a form of crowd-based peer review for the threat information listed. Alien Vault also checks the data there to make sure the information is good.
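The downloadable indicator files are only useful once something on your side actually reads them and checks them against your own telemetry. As an added example, not code from the original article or from AlienVault, the block below parses an OpenIOC 1.0 document and matches its indicators against a handful of log lines. The OpenIOC schema namespace and element names are the real ones; the indicator values, element IDs, hostnames, addresses and log lines are constructed for illustration and are not taken from any OTX pulse. Matching is done on whole tokens so that a near miss such as 203.0.113.4 does not fire an indicator for 203.0.113.45, a common source of false positives in naive substring matching.

```python
"""Consume an OpenIOC 1.0 indicator document and match it against log lines.

Constructed example: the IOC content and the log lines are made up for
illustration. Only the OpenIOC schema itself is real.
"""
import re
import xml.etree.ElementTree as ET

# Real OpenIOC 1.0 namespace; everything inside the document is constructed.
OPENIOC_NS = "http://schemas.mandiant.com/2010/ioc"
NS = {"ioc": OPENIOC_NS}

OPENIOC_SAMPLE = f"""<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="{OPENIOC_NS}" id="example-ioc-1" last-modified="2015-08-05T00:00:00">
  <short_description>Example downloader (constructed indicators)</short_description>
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <IndicatorItem id="item-2" condition="is">
        <Context document="Network" search="Network/DNS" type="mir"/>
        <Content type="string">update.example-bad.test</Content>
      </IndicatorItem>
      <IndicatorItem id="item-3" condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
        <Content type="IP">203.0.113.45</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed log lines: line 2 is a deliberate near miss on the IP indicator.
LOG_LINES = [
    "2015-08-05T18:40:01Z dns client=10.0.0.5 query=update.example-bad.test type=A",
    "2015-08-05T18:40:02Z fw allow src=10.0.0.5 dst=203.0.113.4 dport=443",
    "2015-08-05T18:40:03Z fw allow src=10.0.0.5 dst=203.0.113.45 dport=443",
    r"2015-08-05T18:41:10Z av scan path=C:\Users\bob\AppData\update.exe md5=D41D8CD98F00B204E9800998ECF8427E",
    "2015-08-05T18:42:00Z fw allow src=10.0.0.7 dst=198.51.100.9 dport=80",
]


def parse_openioc(xml_text):
    """Return a list of (search_path, content_type, value) for each IndicatorItem."""
    root = ET.fromstring(xml_text)
    indicators = []
    for item in root.iterfind(".//ioc:IndicatorItem", NS):
        ctx = item.find("ioc:Context", NS)
        content = item.find("ioc:Content", NS)
        if ctx is None or content is None or not (content.text or "").strip():
            continue  # skip malformed items rather than matching on an empty string
        indicators.append((ctx.get("search"), content.get("type"), content.text.strip()))
    return indicators


def _token_pattern(value):
    # Match the indicator only as a whole token: no letter, digit, dot or dash
    # directly before or after it, so 203.0.113.4 does not match 203.0.113.45.
    return re.compile(r"(?<![\w.\-])" + re.escape(value) + r"(?![\w.\-])", re.IGNORECASE)


def match_logs(indicators, lines):
    """Return one hit dict per (line, indicator) pair that matches, in line order."""
    compiled = [(search, value, _token_pattern(value)) for search, _ctype, value in indicators]
    hits = []
    for lineno, line in enumerate(lines, 1):
        for search, value, pattern in compiled:
            if pattern.search(line):
                hits.append({"line": lineno, "search": search, "value": value})
    return hits


if __name__ == "__main__":
    for hit in match_logs(parse_openioc(OPENIOC_SAMPLE), LOG_LINES):
        print(f"line {hit['line']}: {hit['search']} = {hit['value']}")
```

The hash comparison is case-insensitive because different tools emit hex digests in different cases; the DNS and IP matches rely on the token boundaries rather than on field names, so the same code works across log formats that name their fields differently. A real deployment would read the IOC file from disk or from the exchange and stream logs rather than hold them in a list, but the parsing and matching logic is the same.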

OTX as a platform is all about putting threat data into the hands of the masses. It gives security professionals a way to get information about breaches out without revealing information about their own companies. This should help change the culture of locking down information when breaches happen. It shines a spotlight on the tools, malware and techniques being used very quickly, which in turn should allow other companies to set up their defenses to stop future attacks that use the same techniques or vectors. The best part is that it is a free service. You sign up for an account, log in, and you can search for threat information or simply follow the pulses of indicators of compromise for a better view of global threat activity.

There are many things that need to change about information security, and one of the first is the culture of silence that follows when someone gets attacked. We do not need to know all the gory details, but without information about attack vectors and threat patterns we are never going to take the battlefield back from the attackers. Perhaps with Alien Vault’s Open Threat Exchange we can start to light up the shadows and talk about what is happening out there.
