Beyond the Home page, the OTX user interface provides two other methods of browsing and searching threat information submitted by the OTX community:
- Search: Available from the OTX Home page, lets you search for a text string included anywhere in pulse information, from the name and summary description to fields and keywords.
- Browse: Lets you browse the OTX activity feed, choosing to view information by different categories: pulses, users, groups, or indicators of compromise (an artifact observed with some degree of confidence to be an indication of a threat or intrusion). Within the display of results for information arranged by each of these categories, you can also perform a search to further narrow the results that OTX displays of pulses, users, groups, or indicators.
You can search for pulses from the Home page simply by entering a text search string in the Search field in the main menu bar, and then clicking the Search icon. OTX displays all pulses where the search text string you entered matches the name, description, or some other keyword or text information included in the pulse content.
After performing a search, you can navigate through the results, and view the detail of a pulse, just like you would from the normal Home page display.
When you select the Browse menu option, by default, the OTX user interface displays a chronological listing of pulses (latest on top), similar to the Home page. However, unlike the Home page, the Browse option displays all pulses (new, subscribed, and unsubscribed), not just those to which you've already subscribed.
Also different from the Home page, the left-side panel for the Browse display provides selections to view different aspects of OTX threat information, that is, pulses (the default), users, groups, and indicators:
| Option | Description |
|---|---|
| Pulses | Displays all available pulses, in chronological order (latest to earliest), including existing, new, subscribed, and unsubscribed pulses. |
| Users | Displays summary information for every OTX member, in alphabetical order. |
| Groups | Displays a summary listing of all defined OTX groups, in alphabetical order. |
| Indicators | Displays a summary listing of indicators of compromise, in alphabetical order. |
From the result set displayed for different types of OTX information, you can browse through and click on individual items in the list, and also drill down to view additional detail (when it is available).
Within each result set, you can also narrow down the items displayed by entering a search text string in the Search field and clicking the Search button. The OTX user interface updates the results display to show only those items that include the search string text you specified. In addition, OTX updates the value displayed in the left-side panel to show the number of items returned in the search results.
You can search by a number of fields within pulses. In the created and modified fields, search criteria are specified in the format `<number` followed by a time unit (y, m, d). For example, `<1w` searches all pulses created or modified within the last week.
When you select the Indicators option in the left-side panel (for the Browse menu selection), the OTX user interface displays an additional set of menu options to specify the Type of Indicator. Clicking on any of the options restricts the display of indicators to only include those of a specified type, for example, Domain.
As previously mentioned, an Indicator of Compromise (IOC) is an artifact observed on a network or in an end point, judged with a high degree of confidence to be a threat vector. The following table lists a number of different IOC types that are commonly associated with pulses.
| IOC type | Description |
|---|---|
| CIDR | Classless inter-domain routing. Specifies a range of IP addresses on a network that is suspected of malicious activity or attack. |
| CVE | Standards group identification of Common Vulnerabilities and Exposures (CVEs). The CVE system provides a method, using CVE IDs, to reference publicly known information security vulnerabilities and exposures in publicly released software packages and environments. |
| domain | A domain name for a website or server suspected of hosting or engaging in malicious activity. Domains may also encompass a series of hostnames. |
| email | An email address associated with malicious activity. |
| FileHash (MD5, SHA1, SHA256, PEHASH, IMPHASH) | A hash computation for a file that can be used to determine whether the contents of a file may have been altered or corrupted. A hash is a one-direction checksum value produced to uniquely represent and identify data; the result of a hash function can be used to check whether a file has been altered without comparing the files to each other. Frequently used hash functions are MD5 and SHA1. |
| filepath | Unique location in a file system of a resource suspected of malicious activity. |
| hostname | The hostname for a server located within a domain, suspected of malicious activity. |
| IPv4, IPv6 | An IP address used as the source or destination for an online server or other device suspected of malicious activity. IPv4 is the most commonly used Internet Protocol, despite the fairly limited number of IP addresses it can support (2^32). An IPv4 address is written as a series of four numbers separated by periods, for example, 126.96.36.199. IPv6, the latest version of the Internet Protocol (IP), is notable in that it expanded the available address space to a length of 128 bits compared to 32 bits in IPv4. IPv6 addresses are represented as eight groups of four hexadecimal digits separated by colons. |
| Mutex | Mutual exclusion object allowing multiple program threads to share the same resource. Mutexes are often used by malware as a mechanism to detect whether a system has already been infected. |
| URI | A uniform resource identifier (URI) that describes the explicit path to a file hosted online, which is suspected of malicious activity. |
| URL | A uniform resource locator (URL) that summarizes the online location of a file or resource associated with suspected malicious activity. |
Note: A file hash is an indicator of compromise commonly used in identifying malware (a generic term for a number of different types of malicious code including viruses, worms, and Trojans) such as viruses, trojans, ransomware, or other types of malicious software.
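As an added illustration of the indicator types in the table above (example code written for this page, not part of the OTX documentation or the OTX product), the following Python function recognises an indicator's type from its shape alone, the way an analyst triaging a pulse export might sort raw strings before loading them. The hash-length table, the rule that a two-label name is a domain while a deeper name is a hostname, and the sample indicators (documentation addresses and a placeholder CVE id) are all assumptions of this example. Mutex names and bare URIs have no distinguishing shape, so they fall through as unknown rather than being guessed.

```python
import hashlib
import ipaddress
import re

# Hex-digest lengths for the hash algorithms the OTX IOC table names.
# PEHASH and IMPHASH are also hex digests whose lengths overlap these,
# so this classifier cannot tell them apart (assumption of this example).
HASH_LENGTHS = {32: "FileHash-MD5", 40: "FileHash-SHA1", 64: "FileHash-SHA256"}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
DNS_NAME_RE = re.compile(r"^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def classify_indicator(value):
    """Return the OTX IOC type name that a raw indicator string best matches.

    Checks run from most to least specific; anything unrecognised is
    reported as "unknown" rather than guessed.
    """
    v = value.strip()
    if CVE_RE.match(v):
        return "CVE"
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)]
    if "://" in v:
        return "URL"
    if EMAIL_RE.match(v):
        return "email"
    if "/" in v:
        # A slash after an address means a CIDR range; strict=False accepts
        # ranges written with host bits set, such as 198.51.100.5/24.
        try:
            ipaddress.ip_network(v, strict=False)
            return "CIDR"
        except ValueError:
            pass
    else:
        try:
            return "IPv4" if ipaddress.ip_address(v).version == 4 else "IPv6"
        except ValueError:
            pass
    if DNS_NAME_RE.match(v):
        # Assumption: a bare two-label name is the domain, anything deeper
        # is a hostname within that domain.
        return "domain" if v.count(".") == 1 else "hostname"
    if v.startswith("/") or WIN_PATH_RE.match(v):
        return "filepath"
    return "unknown"


def classify_all(values):
    """Map each indicator string to its detected type."""
    return {v: classify_indicator(v) for v in values}


# Constructed sample indicators (documentation addresses and placeholder values).
SAMPLE_INDICATORS = [
    "198.51.100.23",
    "2001:db8::1",
    "198.51.100.0/24",
    "CVE-0000-0000",          # placeholder, not a real CVE id
    hashlib.sha256(b"constructed sample").hexdigest(),
    "example.com",
    "mail.example.com",
    "phish@example.com",
    "http://example.com/dropper.bin",
    "/tmp/dropper.sh",
    "C:\\Windows\\Temp\\dropper.exe",
    "Global\\ConstructedMutexName",   # no recognisable shape -> unknown
]

if __name__ == "__main__":
    for value, kind in classify_all(SAMPLE_INDICATORS).items():
        print(f"{kind:16} {value}")
```

Because the checks are ordered from most to least specific, a URL containing an IP address is still reported as a URL, and a 40-character hostname is never mistaken for a SHA1 digest because the dot fails the hex test; the trade-off is that a bare two-label hostname is reported as a domain.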
OTX IP Reputation Data
As part of the information that OTX collects on OTX pulses and the Indicators of Compromise they contain, OTX maintains an IP Reputation threat indicator, which is based on its ranking criteria of IP reliability and priority. OTX identifies IP addresses and domains worldwide that are submitted by the OTX community and verifies them as either malicious or, at least, suspicious until more data comes in to increase their threat ranking. Through its incoming IP data from all of these sources, IP Reputation supplements OTX data with valuable data about actively or potentially malicious activity appearing worldwide that could affect your own environment.
IP Reputation Data Sources
IP Reputation receives data from a variety of sources, including the following:
- Information security research forums
- Open-source intelligence — Public and private security research organizations.
- USM Appliance and AlienVault OSSIM deployments — Consists of users who have voluntarily agreed to anonymously share information about external traffic into their network with OTX.
AlienVault ensures that none of the data shared with OTX can be traced to the contributor, their USM Appliance, or AlienVault OSSIM instance.
USM Appliance Access to IP Reputation Data
USM Appliance installations receive the benefit of IP Reputation data whether or not they sign up for an OTX account. However, AlienVault OSSIM users must explicitly subscribe to OTX to have access to IP Reputation data.
When you open an OTX account for integration with USM Appliance, you may elect to share IP Reputation data with OTX, or opt out. Any data you contribute is anonymous and secure.
Note: You can configure USM Appliance to stop sharing IP Reputation data with OTX at any time by choosing that option from USM Appliance Open Threat Exchange Configuration page.
IP Reputation Ranking Criteria
IP Reputation provides a threat ranking based on IP Reliability and IP Priority values that OTX updates on an ongoing basis to reflect changing assessments of risk level.
IP Reputation data derives from many data sources of differing reliability. Ranking in this case is based on the relative number of reports regarding a malicious IP in relation to others reported. If, for example, OTX receives 10 reports on a given IP address versus 20 on another, it gives the IP with 10 reports a lower reliability ranking than the IP with 20 reports.
OTX ranks IP address priority based on the behavior associated with each IP address listed. For example, an IP address used as a scanning host receives a lower priority than an IP address known to have been used as a botnet server.
Ongoing Ranking Reassessment
OTX constantly updates its IP Reputation data as new information emerges affecting IP reliability or priority criteria. Each update reprioritizes IP reliability and priority values and the threat level of an IP, accordingly.
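To make the ranking criteria above concrete, here is a small Python model of the two values and their reassessment (example code written for this page, not OTX's own algorithm or data). It follows only what the text states: reliability is relative to how often other IPs are reported, priority follows the observed behaviour with a scanning host ranked below a botnet server, and both are recomputed whenever new reports arrive. The 1 to 10 reliability scale, the priority numbers, the "Malware Distribution" category, the product used as the combined threat level, and the sample reports are all assumptions of this example.

```python
import math
from collections import Counter, defaultdict

# Assumed behaviour-to-priority scale. Only the ordering of the two behaviours
# the page mentions (scanning host below botnet server) comes from the text;
# the numbers and the middle category are this example's own.
BEHAVIOR_PRIORITY = {"Scanning Host": 1, "Malware Distribution": 2, "Botnet Server": 3}
RELIABILITY_SCALE = 10  # assumed 1..10 scale


class ReputationTable:
    """Hypothetical reliability/priority model for reported IP addresses."""

    def __init__(self):
        self.report_count = Counter()       # ip -> number of reports received
        self.behaviors = defaultdict(set)   # ip -> behaviours reported for it

    def add_reports(self, reports):
        """Ingest (ip, source, behaviour) triples.

        The source (forum, open-source intel, USM deployment) is kept in the
        record only; this model does not weight reports by source.
        """
        for ip, _source, behavior in reports:
            self.report_count[ip] += 1
            self.behaviors[ip].add(behavior)

    def reliability(self, ip):
        """Report count relative to the most-reported IP, on the assumed scale."""
        most = max(self.report_count.values())
        return max(1, math.ceil(RELIABILITY_SCALE * self.report_count[ip] / most))

    def priority(self, ip):
        """Highest-priority behaviour seen for the IP."""
        return max(BEHAVIOR_PRIORITY.get(b, 1) for b in self.behaviors[ip])

    def assess(self):
        """Recompute every IP's ranking from the current report set."""
        result = {}
        for ip in self.report_count:
            r, p = self.reliability(ip), self.priority(ip)
            result[ip] = {"reliability": r, "priority": p, "threat": r * p}
        return result

    def ranked(self):
        """IP addresses ordered from highest to lowest threat level."""
        scores = self.assess()
        return sorted(scores, key=lambda ip: scores[ip]["threat"], reverse=True)


def build_sample_table():
    """Constructed reports: 10 for a scanner, 20 for a botnet server."""
    table = ReputationTable()
    table.add_reports([("198.51.100.10", "forum", "Scanning Host")] * 10)
    table.add_reports([("203.0.113.7", "usm", "Botnet Server")] * 20)
    return table


if __name__ == "__main__":
    table = build_sample_table()
    print(table.assess())
    # New reports arrive: the scanner is now reported as often as the bot,
    # so its reliability rises on reassessment while its priority stays low.
    table.add_reports([("198.51.100.10", "osint", "Scanning Host")] * 10)
    print(table.assess(), table.ranked())
```

With the constructed reports, the scanner starts at reliability 5 against the botnet server's 10 (10 reports versus 20), and after 10 further reports both reach 10; the botnet server still ranks first because behaviour priority, not report volume, separates them.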