In this video, Javvad Malik, Security Advocate at AlienVault, speaks with Dan Raywood about threat intelligence and threat sharing, and in particular the role the AlienVault Open Threat Exchange is playing in helping organisations stay on top of, and protect themselves from, emerging threats.
DAN: Hi, I am Dan Raywood from Infosecurity Magazine here at Infosecurity Europe with Javvad Malik, who is a security advocate at AlienVault. Javvad, Open Threat Exchange (OTX) at AlienVault is a major offering from your company. What is it? What is it all about?
JAVVAD: Think of it like social media, like Twitter, but for threats. So you sign on and you can post information about threats you see; you put all the IOCs together into what we call a “pulse.” You can choose to follow other people on it. So if you are on there contributing threats, I can say Dan knows what he is talking about, I follow what he says, and I can download all the indicators that you share and import them into my own system. So it is a community-based platform where people can share information about threats, learn from each other, and leverage the skills that are out there.
DAN: Okay, so a peer open platform, then. Threat intelligence gets a bit of a bad name for being a little bit of a fad. Here is a question: can it really be determined to be threat intelligence if it is open, because surely all of the bad guys know what everyone knows about them now?
JAVVAD: First off, the bad guys are the ones attacking, so they know what vectors they utilize, and they utilize these themselves. Secondly, it is like that trusted model where you are sharing what you see. You are not sharing any of your personal information. You are just saying, “Hey, we are seeing attack vectors coming in from here.” The indicators come from a range of areas, which can be changed or not. So things like IP addresses, you can change them, and that's not going to last for long anyway. It is very temporary, but when you go into behaviors, methods, and actually profiling the threat actors behind it, those things are a lot harder for attackers to change, even if they know about it.
DAN: Is it like an open-source market whereby people are actually correcting things and updating things and actually saying, “Is something alive,” and is actually not a threat?
JAVVAD: When you submit something, the community can then contribute towards that. They can vote it up or down, for example, or they can put in a submission and say that this is no longer active, or what have you. So through that you build up a bit of a reputation as well. So from your profile on there, based on the number of followers you have, based on the number of pulses you publish, based on the number of up votes and down votes you get, you get a very good idea of the reputation of who is publishing and the quality of the data that they are publishing. People who are publishing constantly with lots of noise, or stuff that is not very useful, get down voted, so they end up with fewer followers and less visibility.
DAN: Okay. Is it time we remove the words “threat” and “intelligence” to be understanding what the threats are so the intelligence is actually something we can operate with?
JAVVAD: Well, we like the term threat intelligence as the information about the malicious actors, their tools, methods, and infrastructure. So putting all of that together may give you threat intelligence. Simply having threats or indicators on their own isn't intelligence; they are just a list of threats. I think you are right. There needs to be an understanding when it is something like just a list of threats. It is just like having a list of vulnerabilities, which aren't threats. Knowing that is one thing, but actually understanding how they apply to your environment and knowing what you can do to prevent against it, or whether it even applies to you, that's where the threat intelligence comes into it.
DAN: So the intelligence should be quite operational as well. It should be something that you can actually work with and say this is actually what means something to me.
JAVVAD: You have the operational side, the tactical side, and you have the general awareness of operators. You gain them from lots of different sources. You can't just rely on one source and say, “This is the only feed, this is the only source of information I am going to consume,” because the threat actors change constantly and you need to be aware of that.
DAN: Alright Javvad, thank you very much for your time today.