In order to secure and maintain an IT infrastructure, it is vital to know what is going on in the network that the Endpoint is running on. This means that managers and other stakeholders need to know if something unusual is happening within the corporate network. When we use the word “unusual” we mean any potential threat or suspicious activity that may have happened or is currently happening within the company infrastructure.
Until now, the main service that most security-intelligence businesses could offer us was a subscription alerting us of the latest threats, malware, IPs and URLs with malicious intent; etc. Adding this information to an infrastructure’s perimeter security system has allowed engineers to proactively plan and prepare, and has helped them to detect and prevent any threats their company may otherwise be susceptible to. In the IT industry, these updates are very common and companies will not hesitate to pay a certain amount in exchange for the latest updates offered.
With this service, it’s easy to prevent malware vulnerabilities but can we fully protect our infrastructure? The answer is yes, but the value of these services is high and the lifetime of their deliverables, in general, is very short. So, what can we do to boost our protection?
The next generation in threat detection.
Every day, security analysts piece together different events related to new threats. When it comes to cyber-security, these analysts need a faster way to share information regarding the incident and must have the fastest response time possible. These incidents can be a simple observable (an IP, URL, a hash…), or can be more complex, requiring advanced analysis and reverse engineering. When all of these patterns have been assembled, the result is what we call an Indicator of Compromise (IOC). This may sound foreign to most of us, but security analysts should be familiar with the concept of an IOC and all of its capabilities.
So what exactly is an IOC?
In computer forensics, an IOC is an activity and/or malicious artifact identified on a network or an Endpoint. We can identify these IOCs and can thus improve our abilities to detect a future attack.
Seems simple, right?
If we focus on their use cases, you can be described from a list of indicators to a full incident cybersecurity for analysis, research and/or response and can get answers to ‘What, Who, Why, How, Where and When ‘of the incident. Some of these use cases might be:
- Inbox e-mails with falsified information (phishing)
- Malware behavior patterns
- Discovery of a specific vulnerability and actions to combat it
- The distribution of a list of IPs related to Command and Control
- Discovery of a specific vulnerability and actions to combat it
- Sharing policies and patterns of behavior related to a certain incident (automatically or manually) so they can be exploited by third parties.
We can also use a list of standards to discover the IOC based on its needs (e.g., subsequent detection, characterization or sharing).
This was a brief introduction to IOCs. We will continue to investigate this issue in the articles we publish in the future and our goal is to help security analysts understand more about the following:
- What standards currently exist to help us find IOCs? State of the art, benefits, Use Cases…
- How can we characterize an Indicator of Compromise?
- How are we able to share Indicators of Compromise?
- IOC Accuracy: Quality, life-time…
David Perez
Cyber-Threat Intelligence Security Analyst