Threat intelligence is all the rage at the moment with security companies as it has the opportunity to speed up the awareness and fixing of security issues.
The latest company to upgrade its Threat Intelligence network is AlienVault who has released the latest version of its Open Threat Exchange (OTX) solution. Like all the Threat Intelligence solutions in the market it relies on the use of an information and social media-like network.
OTX has been in beta since 2015 and feeds data into AlienVault’s Unified Security Management (USM) platform. One of the things that has potentially delayed the launch of this new version of OTX has been the need for AlienVault to address a number of vulnerabilities in its USM platform identified by security researcher Peter Lapp. This work has now been done and OTX is now available.
Barmak Meftah, president and CEO of AlienVault said: “We created the Open Threat Exchange on a core belief of strength in numbers. It has been shown time and time again, that if we work together as a community and freely share threat information and resources we can identify attacks sooner and react quicker, before they become devastating breaches. A collaborative defense is the only way to get ahead of the attackers. Security wins when we go on the offensive.”
How does OTX work?
According to the press release there are three key elements for participants in the AlienVault OTX community:
- Create + Share Pulses: Users who observe suspicious or malicious behavior are able to create a pulse or add additional IoCs onto an existing pulse. This transforms threat data from one-way communication (e.g., from a vendor’s research team to subscribers) to open two-way communication. This also allows for community-based validation of a user’s findings where participants can also up-vote and comment on individual pulses to help others identify useful threat data.
- Subscribe + Follow Pulses: Users can automatically instrument their security defenses based on pulses produced by specific users or pulses relating to specific threats, saving time and ensuring their security controls are up to date against the threats they care most about.
- Export + Integrate Pulses: With the new AlienVault DirectConnect API, users can automatically download threat data and IoCs from OTX and integrate them into their existing security infrastructure using open standards such as STIX, OpenIoC and CSV. For AlienVault customers, data from OTX is automatically instrumented into the AlienVault USM platform.
How do Threat Intelligence networks work?
A user sees a phishing email arrive in their inbox. They mark it as suspicious and then post a message about it in the Threat Intelligence forums. Other users see the post and can then add more information such as what type of malware does it contain or what websites does it attempt to redirect users to.
Some users might choose to publish information about how to clean infected machines when users have clicked on the email or opened any attachments it contains. Very quickly, the spread of the email can be mapped and security researchers can use that data to track where it is coming from and how to block it.
That information can then be used by security teams to protect companies and by security companies such as AlienVault to improve the level of cybersecurity protection inside a business.
Moving beyond vendor solutions to industry standards
One of the challenges for the Threat Intelligence community has been how to gather the widest possible set of data. This is where industry standards such as the Structured Threat Information Exchange (STIX) and the Trusted Automated Exchange of Indicator Information (TAXII).
Both standards allow vendors to contribute to the wider information stream from their own user networks. At the same time, they can download and integrate information from elsewhere providing a richer set of information to help both customers and security teams track and respond to emerging threats.
AlienVault has announced its support for STIX but at the moment has yet to decide whether to support TAXII. Is has said that this is something it plans to change in the near future.
Conclusion
Threat Intelligence is beginning to come into its own as vendors share information and collaborate to get a wider view of what is happening. As the battle against cyber threats gets more complex and the threat landscape continues to evolve, any advantage that end users can get is to be welcomed.
It will be interesting to see how many large organisations begin to deploy Threat Intelligence resources into their supply and customer chains. These are often seen as the weak link and an easy attack point by cybercriminals looking to infiltrate large enterprises and government departments.
Using Threat Intelligence to gather information and provide warnings around emerging threats to that soft underbelly of eCommerce is something that should figure in every companies business risk assessment.
