According to IDC, 70% of successful security breaches start on endpoint devices [1]. Yet security practitioners haven’t had an effective, low-cost way to hunt for threats on critical endpoints. Until now.
Today, I am excited to announce a new free service for endpoint threat scanning—OTX Endpoint Security™.
OTX Endpoint Security is a free threat-scanning service in Open Threat Exchange that allows you to detect malware and other threats on your critical endpoints using OTX threat intelligence. This means that you can now harness the world’s largest open threat intelligence community to assess your endpoints against real-world attacks on demand or as new attacks appear in the wild—all. for. free.
Powered by the AlienVault Agent, which is based on osquery, OTX Endpoint Security scans your endpoints for the presence of known IoCs and alerts you to any active threats. This free service is the first of its kind to natively take advantage of the over 19 million IoCs contributed to OTX daily by a global community of 80,000 security researchers and practitioners.
Why did we decide to pack all of that threat intelligence power into an endpoint-focused threat hunting service? Well, until now, security practitioners have had limited options to help them hunt for threats on endpoints: either procure an expensive endpoint detection and response (EDR) solution or take a DIY route with an open-source agent.
As an alternative, OTX Endpoint Security uses the same agent-based approach as commercial endpoint security tools, giving you threat visibility into your critical endpoints without the cost and complexity of adding yet another security tool to your stack. With a DIY approach, it can be difficult to deploy an open-source agent, to know what to query, and to correlate the results with the latest threat data. OTX Endpoint Security removes this complexity and guesswork while providing a free security service available to all.
How OTX Endpoint Security Works
We’ve made it fast and simple to get started with OTX Endpoint Security. Because it is built directly into OTX, you need no other security tools and no integration work. Here’s how:
- If you haven’t already, register with the Open Threat Exchange (OTX). It’s free to join.
- Download and install the AlienVault Agent on the Windows or Linux devices* you want to monitor. The AlienVault Agent is immediately ready to find threats.
- Launch a query on any endpoint from OTX by selecting a pre-defined query that looks for the IoCs in one or more OTX pulses.
- The AlienVault Agent executes the query, and within moments you can view the results across all your endpoints on a summary page within OTX.
Threat Hunting Scenarios
Let’s look at few threat hunting scenarios that you can perform with OTX Endpoint Security.
1. Identify whether your endpoints have been compromised in a major malware attack.
Maybe you’ve faced this scenario. The mainstream media outlets are breaking news of a global attack on the rise, taking down businesses and critical infrastructure in droves. Your C-suite urgently wants to know whether the organization is at risk. Do you have the resources and technologies in place to readily hunt for indicators of compromise across your environment, including your endpoints? Do you know which IoCs to hunt for and where to source them? Twitter? Security blogs? That kind of emerging threat research takes time, and your C-suite is waiting.
With OTX Endpoint Security, you can immediately leverage the emerging threat intelligence in OTX to scan your endpoints. Because OTX participants share threat artifacts quickly—in some cases, within minutes of initial discovery in the wild—you can be assured of up-to-date threat data to detect the threat, without having to spend time researching it.
In this example, I want to check whether my endpoints have been infected with the recently discovered GoScanSSH malware family that targets Linux systems.
From the dropdown menu, I select “Scan by Pulse.” In OTX, a pulse is a collection of IoCs for a specific threat or threat family.
I enter the search term, “GoScanSSH.” This returns all OTX pulses related to that threat. I select the pulses against which I want to scan.
I select “Run with selected pulses.” This triggers the AlienVault Agents installed on my endpoints to query the endpoints against the IoCs catalogued in the pulses I selected.
Once the scan is complete, I can see the number of endpoints with matching IoCs. I can also drill down for more information about the matches and find out exactly which IoCs were detected on which endpoint. From here, I know which endpoints show GoScanSSH indicators and require intervention.
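To make concrete what “querying the endpoints against the IoCs in a pulse” amounts to on an osquery-based agent, here is an added illustration in osquery SQL. It is not AlienVault’s code or the agent’s actual query set; the indicator values, the directories scanned and the choice of tables are assumptions, and the hashes, addresses and hostname are constructed placeholders to be replaced with the indicators from the pulse you selected.

```sql
-- Added example (osquery SQL), not AlienVault Agent code: what hunting for
-- the three common pulse indicator types looks like at the osquery level.
-- All indicator values below are constructed placeholders; substitute the
-- FileHash-SHA256, IPv4 and hostname indicators from the selected pulse.

-- 1. File-hash indicators. The hash table requires a path or directory
--    constraint, so scan the directories where the pulse says the dropper lands.
SELECT path, sha256
FROM hash
WHERE directory IN ('/tmp', '/var/tmp', '/dev/shm')
  AND sha256 IN (
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',  -- placeholder
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'   -- placeholder
  );

-- 2. IPv4 indicators: any process with a live connection to a listed C2 address.
SELECT p.pid, p.name, p.cmdline, s.remote_address, s.remote_port
FROM process_open_sockets AS s
JOIN processes AS p USING (pid)
WHERE s.remote_address IN ('203.0.113.10', '198.51.100.7');  -- RFC 5737 placeholders

-- 3. Hostname indicators: a hosts-file entry redirecting to or from an
--    attacker domain (Linux; on Windows the dns_cache table serves the same role).
SELECT address, hostnames
FROM etc_hosts
WHERE hostnames LIKE '%c2.example.invalid%';  -- placeholder
```

Running these through osqueryi on a single host shows the raw rows a summary page aggregates. A hit on the hash or socket query is a strong signal; the hosts-file query mainly catches persistence and redirection tricks, so triage each match rather than treating any row as proof of infection.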
2. Assess the threat posture of your critical endpoints.
In addition to scanning for a single threat or malware family, it can be extremely useful to scan all your endpoints against multiple pulses at once. With OTX Endpoint Security, you can scan against pulses as well as YARA rules in multiple ways:
- Scan all AlienVault-contributed Pulses
- Scan by all AlienVault-contributed YARA Rules (Linux only)
- Scan by all pulses you subscribe to (all pulses updated in the last 7 days)
- Scan by all pulses you subscribe to (all pulses updated in the last 30 days)
AlienVault Pulses are pulses that the AlienVault Labs Security Research Team curates in OTX. This team of seasoned security researchers (our own threat hunters) uses a wide collection of machine learning and human intelligence capabilities to validate the threat data in OTX as well as other sources. A scan against all AlienVault-contributed Pulses can provide an overall picture of the state of security of your critical endpoints.
In this example, I want to scan my endpoints against all AlienVault-contributed Pulses. I select “Scan all AlienVault-contributed Pulses” from the dropdown menu.
This scan returns the following results.
3. Query your endpoints for other suspicious activities.
In addition to detecting the presence of IoCs on your endpoints, OTX Endpoint Security has pre-built queries to detect other potentially malicious or out-of-policy activities on endpoints. These include:
- Scan for processes running without a binary on disk
- Why it’s useful: This identifies processes whose executable has been deleted from disk after launch, so the code survives only in memory. Malware uses this tactic to evade file integrity monitoring (FIM) and anti-virus tools, which inspect files on disk rather than running process images.
- Scan for crypto-mining activity
- Why it’s useful: Some malware, once installed, consumes endpoint resources to perform crypto-mining in the background. This type of malware has become an extremely popular attack of late, particularly given the rising value and accessibility of cryptocurrency and the resulting interest from malicious actors, including state-sponsored groups and crime syndicates.
- Scan for installed malicious / annoying Chrome extensions
- Why it’s useful: Some Chrome browser extensions that seemingly offer value or amusement for end users may expose the endpoint to threats or be out of compliance with corporate IT policy. For example, the nCage extension replaces every image on the page with a picture of Nicolas Cage. Funny, yet unlikely to be sanctioned IT policy.
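The three checks above map naturally onto osquery tables. The following is an added example of how each could be written, not the product’s pre-built queries; the miner binary names, pool ports and the all-URL permission heuristic are assumptions to tune for your environment.

```sql
-- Added example (osquery SQL), not OTX Endpoint Security's pre-built queries:
-- one possible implementation of each of the three checks listed above.

-- A. Processes whose executable is no longer on disk.
--    on_disk is 1 when the path exists, 0 when it has been unlinked, and -1
--    when osquery could not resolve a path at all (kernel threads, for
--    example), so test for 0 explicitly rather than "!= 1".
SELECT pid, parent, name, path, cmdline, uid
FROM processes
WHERE on_disk = 0;

-- B. Crypto-mining heuristics: well-known miner binary names, a stratum pool
--    URL on the command line, or an outbound connection to a port commonly
--    used by mining pools. Name and port lists are assumptions; tune locally.
SELECT DISTINCT p.pid, p.name, p.cmdline, s.remote_address, s.remote_port
FROM processes AS p
LEFT JOIN process_open_sockets AS s USING (pid)
WHERE p.name IN ('xmrig', 'minerd', 'cpuminer', 'ethminer')
   OR p.cmdline LIKE '%stratum+tcp://%'
   OR p.cmdline LIKE '%stratum+ssl://%'
   OR (s.remote_port IN (3333, 4444, 5555, 7777, 14444)
       AND s.remote_address != '127.0.0.1');

-- C. Chrome extensions per user. chrome_extensions is keyed by uid, so join
--    it to users; flag a known-unwanted extension by name and anything that
--    requests access to every URL, which a data-stealing extension needs.
SELECT u.username, c.name, c.identifier, c.version, c.permissions, c.path
FROM users AS u
CROSS JOIN chrome_extensions AS c USING (uid)
WHERE c.name LIKE '%nCage%'
   OR c.permissions LIKE '%<all_urls>%';
```

Query A is a high-confidence finding on its own; B and C are hunting leads, so expect some benign rows (a legitimate process that happens to use port 4444, an approved extension with broad permissions) and pivot to the parent process, binary hash and command line before acting.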
About the New AlienVault Agent
OTX Endpoint Security is powered by the AlienVault Agent—a lightweight and adaptable endpoint agent based on osquery. The AlienVault Agent is simple and fast to install on Windows and Linux hosts and endpoints and has a small footprint. With the AlienVault Agent, you can get to endpoint security insights quickly, without the cost and complexity of a traditional endpoint security solution.
We are currently inviting USM Anywhere customers to request early access to USM Anywhere’s new endpoint monitoring capability using the AlienVault Agent. With this new feature, you can monitor your endpoints directly within the USM Anywhere interface, without implementing a third-party tool.
Customers can submit their request to join the Early Access program through the ‘Request Early Access’ button within USM Anywhere, which can be found by clicking on ‘Agents’ under the new ‘Data Sources’ menu item.
[1] Effective Incident Detection and Investigation Saves Money, IDC, 2016