Reference no: EM133781163
Advanced Cyber Threat Intelligence Report
Alien Vault OTX Exercise
Overview:
In this exercise you will conduct specific activities using the Alien Vault OTX tool. After completing it, you will be comfortable navigating the tool and identifying popular indicators of compromise (IOCs) and the locations of attacks.
Prerequisite:
Before completing this exercise, be sure you have registered for an Alien Vault OTX account and completed "Using your Alien Vault OTX account".
Steps:
Log in to your Alien Vault OTX account, then navigate to the dashboard and the other components of the menu to answer these questions. Use the Project 1 reporting template to record your results. Note that your results will most likely be different from other students' when you conduct your queries.
a. What is the name, category, count, and feature count of the malware with the largest circle in the dashboard view? The following would be a representative response.
Name: Trojan:Win64/CoinMiner
Category: Bitcoin miner
Count: 3849
Feature Count: 25
b. Pick one of the related pulses for the malware you selected and list the ID of the pulse, the total number of IOCs, and the type and count of each. Also provide a screenshot of the results. For example, the following would be a representative response.
ID of pulse: 64cb64265542bbab78017e6f
IOC type           Count
IPv4               1
URL                108
FileHash-SHA256    20
Hostname           20
Filename           20
Total              169
c. For the same pulse you selected in part b, show the threat infrastructure screenshot along with the ID of the pulse and a table with the specific breakdown of counts for each country. The following would be a representative response.
ID of pulse: 64cb64265542bbab78017e6f
Country            Count
United States      14
France             10
Netherlands        1
Canada             1
d. Use the Browse->Indicators tab to provide a count of the IPv4 and IPv6 IOCs. In your response, give the exact count of IPv4 and IPv6 IOCs at the time of your query. Which count is larger, IPv4 or IPv6? Explain why one has significantly more entries than the other. The following would be a representative response; your response will most likely be different.
IPv4 count: 4,975,835
IPv6 count: 14,570
The IPv4 count is significantly higher most likely due to ...
e. Use the Browse->Indicators tab to search for the role Ransomware. What IOC type makes up most of the Ransomware IOCs for this query? The following would be a representative response.
The most common IOC type for ransomware is FileHash-SHA256, with 2,743 results.
f. Use curl (you may also try one of the programming APIs if you want) to answer the following questions. Be sure to provide the entire curl (or programming) command used to answer each question.
i. How many pulses has the user MetaDefender contributed? (Hint: /api/v1/pulses/user/{username}. You will need to use your OTX-API-KEY to retrieve this result.)
ii. What is the slug string for the Bitcoin Address indicator type? (Hint: the API will list the indicator types, descriptions, slugs and other information.)
iii. Have any malware samples analyzed by AlienVault Labs been observed connecting to microsoft.com? If yes, list one malware detection and the date of the detection. (Hint: /api/v1/indicators/domain/{domain}/{section}; use malware for the section.)
iv. When does the SSL certificate for mars.umgc.edu expire? (Hint: api/v1/indicators/domain/{domain}/http_scans; look for "443 Certificate Notafter".)
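As an added example (not part of the course materials or the OTX documentation), the following Python builds the authenticated OTX request used by questions i-iv and parses the answers out of constructed sample responses. The response field names (count, data, hash, detections, date, name, value) are assumed shapes; the X-OTX-API-KEY header is the one the OTX API uses, and fetch() makes the live call with the key read from an OTX_API_KEY environment variable instead of being pasted into the command.

```python
import json
import os
import urllib.request

OTX_BASE = "https://otx.alienvault.com"

def otx_request(endpoint, api_key):
    """Build the authenticated request for a relative OTX endpoint such as
    api/v1/pulses/user/{username}. The key travels in the X-OTX-API-KEY header,
    never in the URL, so it does not end up in shell history or the report."""
    url = f"{OTX_BASE}/{endpoint.lstrip('/')}"
    return urllib.request.Request(url, headers={"X-OTX-API-KEY": api_key})

def fetch(endpoint):
    """Live call (needs network). The key is read from the environment, not hard-coded."""
    req = otx_request(endpoint, os.environ["OTX_API_KEY"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def pulse_count(user_pulses):
    """Question i: /api/v1/pulses/user/{username} carries a 'count' field (assumed shape)."""
    return user_pulses["count"]

def malware_seen(domain_malware):
    """Question iii: one (hash, first non-empty detection name, date) per sample in the
    'data' list of /api/v1/indicators/domain/{domain}/malware (assumed shape)."""
    out = []
    for sample in domain_malware.get("data", []):
        names = [v for v in sample.get("detections", {}).values() if v]
        out.append((sample["hash"], names[0] if names else "undetected", sample["date"]))
    return out

def cert_not_after(http_scans):
    """Question iv: http_scans lists name/value rows; the certificate expiry is the row
    named '443 Certificate Notafter'. Returns None when the host has no such row."""
    for row in http_scans.get("data", []):
        if row.get("name") == "443 Certificate Notafter":
            return row.get("value")
    return None

# Constructed sample responses (assumed shapes, not real OTX data) so the parsers run offline.
SAMPLE_PULSES = {"count": 42, "results": []}
SAMPLE_MALWARE = {"count": 1, "data": [{"hash": "a" * 64, "date": "2023-08-01",
                  "detections": {"avast": None, "clamav": "Win.Trojan.Example-1"}}]}
SAMPLE_SCANS = {"count": 2, "data": [{"name": "443 Certificate Issuer", "value": "Example CA"},
                {"name": "443 Certificate Notafter", "value": "2025-01-31T23:59:59"}]}

if __name__ == "__main__":
    print(pulse_count(SAMPLE_PULSES), malware_seen(SAMPLE_MALWARE), cert_not_after(SAMPLE_SCANS))
```

To answer the live questions, replace each SAMPLE_* constant with fetch("api/v1/...") using the endpoint from the matching hint.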
g. In the Project 1 reporting template, summarize in 2-3 paragraphs how you would use Alien Vault OTX as part of a cybersecurity program you managed or were part of. Discuss how it might integrate with other development tools and how it could inform and be part of strategic, operational and tactical threat intelligence.
Be sure to log out of the Alien Vault OTX application.