In this post, we describe indicators of compromise and build an understanding of how they are used. As the name suggests, an indicator of compromise, or IoC, gives you an indication that an attack or some other kind of malicious activity has taken place. An IoC is the technical data used in tactical threat intelligence. It can also provide forensic evidence of malicious activity, and it constitutes one of the key intelligence inputs for threat intelligence analysis.
Source Of Indicator Of Compromise (IoC):
Indicators of compromise can come from many sources, and they fall into the two categories of external agencies or internal sources.
The external agencies may be commercial or industry sources, or free IoC sources available online such as IOC Bucket and MISP. Examples of commercial or industry-based IoC sources include your antivirus or antimalware vendors, all of which maintain a large library or collection of IoCs. Key free IoC sources include the Malware Information Sharing Platform (MISP) and AlienVault OTX, which we have already discussed and which is a great resource across many different areas. IOC Bucket is a dedicated service that also lets you create your own IoCs and share them with the community, and the Blueliv Threat Exchange Network is another good example of a free IoC source.
There are several ways to collect the logs and events that allow us to analyze and spot IoCs; these may come from commercial systems, free-to-use systems, or internal logs and event viewers. Key indicators to watch for include unusual outbound network traffic and geographical anomalies, for example account users logging on from foreign locations or performing some form of risky sign-in activity. Multiple login failures are another IoC, pointing to a potential attack being mounted against one of your user accounts. You can also spot anomalies in traffic, such as an increase in database read volume, HTML response size anomalies, unusual DNS requests, and suspicious file and registry changes.
How To Collect, Build, Share, And Manage IoCs?
However, this list is not exhaustive, which is why it is very important to conduct baseline monitoring so that you get to know your network; it is then far easier to spot unusual traffic or anything else that constitutes an anomaly. You can also build your own custom IoCs: as an analyst, you can base these on the particular patterns or observations of your internal network. These can be built using the OpenIOC framework, which uses an extensible XML schema for scanning hosts.
The great thing about this is that once it is in place you can also share IoCs between organizations, and there are some great online tools to assist with this, including IOC Editor, IOC Bucket (once again), and ioc_writer. The indicators of compromise themselves provide vital intelligence that can predict future threats and attacks and, of course, can also be very effective when applied against a live system or network. To use IoC data effectively, you first need to define the objectives of using IoCs in your defense strategy; you can then identify the relevant and important IoCs from the resources available to you.
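To make the OpenIOC idea concrete, here is an added example (not code from the original post, nor from the OpenIOC or ioc_writer projects): a constructed OpenIOC 1.1-style document with a nested OR/AND indicator, evaluated with Python's standard library against a few constructed host file observations. The namespace, element names and search terms (FileItem/Md5sum, FileItem/FullPath, FileItem/FileName) follow the OpenIOC 1.1 schema as I understand it; the hash, file name and paths are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://openioc.org/schemas/OpenIOC_1.1"}

# Constructed OpenIOC 1.1-style document; the hash, file name and paths are placeholders.
OPENIOC_XML = r"""<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="example-0001">
<criteria><Indicator operator="OR" id="root">
 <IndicatorItem condition="is"><Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
  <Content type="md5">0123456789abcdef0123456789abcdef</Content></IndicatorItem>
 <Indicator operator="AND" id="persistence">
  <IndicatorItem condition="contains"><Context document="FileItem" search="FileItem/FullPath" type="mir"/>
   <Content type="string">\AppData\Roaming\</Content></IndicatorItem>
  <IndicatorItem condition="is"><Context document="FileItem" search="FileItem/FileName" type="mir"/>
   <Content type="string">update_helper.exe</Content></IndicatorItem>
 </Indicator>
</Indicator></criteria></OpenIOC>"""

# Constructed host observations, one dict per file, keyed by the OpenIOC search term.
HOST_FILES = [
    {"FileItem/FileName": "notes.txt", "FileItem/Md5sum": "ff" * 16,
     "FileItem/FullPath": r"C:\Users\a\Documents\notes.txt"},
    {"FileItem/FileName": "update_helper.exe", "FileItem/Md5sum": "ee" * 16,
     "FileItem/FullPath": r"C:\Users\a\AppData\Roaming\update_helper.exe"},
    {"FileItem/FileName": "report.pdf", "FileItem/Md5sum": "0123456789ABCDEF" * 2,
     "FileItem/FullPath": r"C:\Users\a\Downloads\report.pdf"},
]

def item_matches(item, observed):
    # One IndicatorItem: compare the artifact named by Context/@search with the
    # Content value under the "is" or "contains" condition (case-insensitive).
    search = item.find("ioc:Context", NS).get("search")
    content = item.find("ioc:Content", NS).text.lower()
    value = observed.get(search, "").lower()
    if item.get("condition") == "is":
        return value == content
    if item.get("condition") == "contains":
        return content in value
    raise ValueError("unsupported condition: %r" % item.get("condition"))

def indicator_matches(ind, observed):
    # Nested Indicator: AND needs every child to hit, OR needs any child to hit.
    hits = [item_matches(c, observed) if c.tag.endswith("IndicatorItem")
            else indicator_matches(c, observed) for c in ind]
    return all(hits) if ind.get("operator") == "AND" else any(hits)

def scan_files(ioc_xml, files):
    # Return the full paths of observed files that satisfy the top-level Indicator.
    top = ET.fromstring(ioc_xml).find("ioc:criteria/ioc:Indicator", NS)
    return [f["FileItem/FullPath"] for f in files if indicator_matches(top, f)]
```

Running `scan_files(OPENIOC_XML, HOST_FILES)` flags the second file through the AND branch (path plus name) and the third through the hash, while the first file matches nothing.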
Types Of Indicators Of Compromise:
IoCs are split into two main categories:
Network-based indicators. These refer to everything related to network connectivity. The URL of a website can be a malicious indicator, and a domain can also be considered an indicator of compromise; an infection scenario might be that all requests for a certain domain are redirected to a malicious website. IP addresses can be used as alternatives to URLs, for example embedded inside malicious scripts to download second-stage malware. Examples:
- URL
- Domain Name
- IP address
The second important category is host-based indicators, the artifacts that can be found on the computer system itself. A simple example is the file name: think of a computer virus that logs information about the host it infects in a specific file; that file name would be considered an indicator. The file path is also important, as Windows malware uses specific locations in order to be auto-executed even after the computer restarts. A special breed of indicator is the file hash, which uniquely identifies a file based on its contents. Examples:
- File Name
- File Fingerprint or Hash
- File Extension
- File Location
Account information can also be considered an indicator. For example, logging in from different systems or locations using the same account could raise suspicions. Examples:
- Account Name
- Login Time
- Account Privileges
- Account Activity Logs
- Account Location
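As an added example that is not part of the original post, the following Python checks constructed authentication events for several of the indicators described above: a source IP on a network-based IoC list, a successful login from outside the home region, a burst of login failures on one account, and one account seen from several locations. The log line format, the geo codes and the IoC list are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed authentication events (not real logs): the IPs come from the
# RFC 5737 documentation ranges and the geo codes are made up for the example.
LOG_LINES = [
    "2024-05-01T08:00:01Z auth user=alice src=10.0.0.12 geo=GB result=success",
    "2024-05-01T08:40:00Z auth user=alice src=198.51.100.7 geo=BR result=success",
    "2024-05-01T08:41:00Z auth user=bob src=10.0.0.15 geo=GB result=success",
    "2024-05-01T09:00:00Z auth user=carol src=203.0.113.9 geo=GB result=failure",
    "2024-05-01T09:00:02Z auth user=carol src=203.0.113.9 geo=GB result=failure",
    "2024-05-01T09:00:04Z auth user=carol src=203.0.113.9 geo=GB result=failure",
    "2024-05-01T09:00:06Z auth user=carol src=203.0.113.9 geo=GB result=failure",
    "2024-05-01T09:00:08Z auth user=carol src=203.0.113.9 geo=GB result=failure",
    "2024-05-01T09:00:10Z auth user=carol src=203.0.113.9 geo=GB result=success",
    "not an auth line at all",
]
# Constructed network-based IoC list (placeholder address, not a real indicator).
BAD_IPS = {"203.0.113.9"}

LINE_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"geo=(?P<geo>\S+) result=(?P<result>success|failure)$")

def parse_events(lines):
    # Keep only lines in the expected format; malformed lines are dropped.
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def find_indicators(events, bad_ips=BAD_IPS, home_geo="GB", fail_threshold=5):
    # Returns (indicator, account, detail) tuples for: a source IP on the IoC
    # list, a successful login from outside the home region, fail_threshold or
    # more failures on one account, and one account seen from several locations.
    findings, fails, geos, ioc_hits = [], defaultdict(int), defaultdict(set), set()
    for e in events:
        if e["src"] in bad_ips:
            ioc_hits.add((e["user"], e["src"]))
        if e["result"] == "failure":
            fails[e["user"]] += 1
            continue
        geos[e["user"]].add(e["geo"])
        if e["geo"] != home_geo:
            findings.append(("foreign_login", e["user"], e["geo"]))
    findings += [("ioc_ip", u, ip) for u, ip in sorted(ioc_hits)]
    findings += [("login_failures", u, n) for u, n in fails.items() if n >= fail_threshold]
    findings += [("multi_location", u, sorted(g)) for u, g in geos.items() if len(g) > 1]
    return findings
```

`find_indicators(parse_events(LOG_LINES))` yields four findings on this sample: alice's foreign login and multi-location use, carol's IoC-listed source address, and carol's five failures before a success.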
It is important to identify the relevant and important IoCs from the resources available to you. You can also use the IoCs to identify pivot points within the IoC data itself, which can then reveal vulnerable areas of your systems and networks. Analytical tools can be used to visualize the IoCs, which is a great way to analyze and report. As with all reporting, it is very important to know who your target audience and leadership will be, so you will need to determine the technical level and the level of dissemination for your particular report. From the reporting side there are several areas of concern: the quality and curation of the report, to whom it is going, and also the velocity and volume, that is, the speed at which you report and how much information you include for your target audience.