1. Introduction
Indicators of Compromise (IOC) are pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network. Documenting IOC and their associated threats allows the industry to share this information and improve incident response and computer forensics.
The following report answers the questions regarding IOC and its areas of application. Then its utility to organizations is discussed, and the ways it helps in addressing malware attacks are analyzed.
Next, a literature review is conducted, and the advantages and disadvantages of implementing IoC are presented. An example and a case study on IoC, together with the methods other than IoC that can be applied in an organization, are discussed. Based on this study, how IoC can be included in an organization's incident response process is also assessed.
2.1. Defining IoC:
Indicators of compromise (IOCs) are “pieces of forensic data, such as data found in system log entries or files that identify potentially malicious activity on a system or network.” Indicators of compromise aid information security and IT professionals in detecting data breaches, malware infections, or other threat activity (Zapata 2016).
By monitoring for indicators of compromise, organizations can detect attacks and act quickly to prevent breaches from occurring or limit damages by stopping attacks in earlier stages.
2.2. Applicability of IoC:
IoC can be applied in different areas, categorized according to the type of deployment, since understanding which IOCs are being observed helps us protect our systems and our users in several ways.

| Methods | Areas of application |
| --- | --- |
| Proactively | Knowing which IOCs are circulating helps us develop defensive methodologies to prevent new malware infections (Rowell 2017). IOCs can be used to create signatures (YARA rules, OpenIOC, AV signatures, and even behavioral indicators, which are a form of signature-based detection), set firewall rules, and improve defensive mechanisms to prevent malware attacks. |
| Retrospectively | We can use knowledge of IOCs to deny potential threats the ability to gather information during the reconnaissance phase of a planned attack. |
| Incident Response | Incident responders can use IOC information to aid threat triage and remediation. IOCs help identify specific strains of malware and provide invaluable information for responders. |
| Application of IoC in companies | Discussion |
| --- | --- |
| Robust agent event collection | IOC uses the Cloud Agent’s non-intrusive data collection and delta-processing techniques to transparently capture endpoint activity from assets on and off the network, which performs better than query-based approaches or log collectors. |
| Actionable intelligence for security analysts | Customers can use pre-defined threat hunting rules and easily import indicator-of-compromise artifacts into widgets, dashboards, and saved searches to quickly verify threat intelligence, the scale of an infection, the first infected asset (“Patient Zero”), and the timeline of a compromise (Simal 2015). |
| Highly scalable detection processing | Threat hunting, suspicious activity detection, and OpenIOC processing are performed in the Cloud Platform on billions of active and past system events, coupled with threat intelligence data from Malware Labs to identify malware infections (indicators of compromise) and threat actor actions (signs of activity). |
| Streamline investigations with a single view of the asset | IOC creates a Single View of the Asset, showing threat hunting details unified with other Cloud Apps for hardware and software inventory, vulnerability posture, policy compliance controls, and file integrity monitoring change alerts, for on-premise servers, cloud instances, and off-net remote endpoints. |
Security professionals now have expanded access to detailed malware Indicators of Compromise (IOCs) stored in the Lastline Global Threat Intelligence Network. Security Operations Center (SOC) analysts can search the network to learn the behaviors of malicious code seen in the wild, and leverage network and endpoint IOCs to apply the experience of other companies towards proactively defending their own organization against targeted attacks (Byrne and Thorpe 2017).
Lastline customers can also now receive alerts when IOCs matching user-defined criteria are detected by any Lastline customer or partner, or were previously captured in the Global Threat Intelligence Network (Kent and Liebrock 2013). For instance, security teams can be alerted when malware is identified targeting their company. Security teams can proactively use this advance reconnaissance to defend against the attack vectors before any malware infiltration.
Indicators are everywhere. The “check engine” light tells us when one of the car’s systems has failed, a cell phone alerts us when its battery is low, a home security system sounds an alarm if it detects an intruder, and a home computer displays a warning message when a device or piece of software malfunctions. From a design perspective, it seems simple: people understand what to look for and design a monitoring control around it.
Sharma, Kumar and Sharma (2016) state that unusual patterns of significant traffic leaving your network perimeter should always be investigated. Modern attack methods make keeping attackers out of a network difficult, but outbound patterns are much more easily detected. Kent, Liebrock and Neil (2013) show that attackers often try to escalate the privileges of a user account they have compromised. Monitoring privileged accounts for unusual activity not only opens a window on possible insider attacks but can also reveal accounts that have been taken over by unauthorized parties.
2. An answer to the given questions
Irregularities in login patterns can provide reasonable evidence of compromise. Connections to places where your organization does not usually do business might mean your sensitive data is being stolen, as discussed by Medeiros and Felix (2014). Excessive failed logins, or attempts on accounts that do not exist, are signs that an attacker is trying to guess credentials. Look specifically for login attempts with the usernames of employees who would not regularly be working after hours. Once an attacker has penetrated your database storage, the exfiltration of that data, especially credit card tables, will generate a read volume well above the average for those tables.
An attacker using a SQL injection attack against your database will cause larger-than-average HTML responses. Wagner et al. (2016) give the example of a 20 MB response to a query that usually returns around 200 KB, which can indicate that the attacker has successfully executed a SQL injection attack and dumped the entire credit card or user account table. When an attacker finds a worthwhile target on your network, for example a vulnerable web application written in PHP, they will try multiple attack strings focused on a specific file.
Communications on non-standard ports could be an indication of foul play, such as command and control traffic masquerading as “normal” application behavior, argue Adebayo and Omotosho (2013). Schulz et al. (2016) found that malware often persists across system reboots by modifying the registry, either to launch a startup process or to store operational data. Always create a clean baseline registry snapshot and monitor for changes to this “template” that could indicate a registry-based IOC.
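The login-pattern and response-size indicators described above as a small worked detector over log records. This is an added example, not code from the report or from any of the cited sources; the record layouts, usernames and byte counts are constructed, and the thresholds are assumptions.

```python
"""Toy detectors for two log-based indicators discussed in the report.

Added example, not from the report. Sample records are constructed
and the field layout is an assumption.
"""
from collections import Counter
from statistics import median
from urllib.parse import urlsplit

# Constructed authentication events: (username, login succeeded?)
AUTH_EVENTS = [
    ("alice", True), ("bob", True), ("admin", False), ("root", False),
    ("admin", False), ("test", False), ("admin", False), ("guest", False),
    ("alice", True), ("sysadmin", False), ("admin", False),
]
KNOWN_USERS = {"alice", "bob", "carol"}  # constructed user directory


def failed_login_indicators(events, known_users, threshold=3):
    """Credential guessing: bursts of failures on one account and
    attempts against accounts that do not exist in the directory."""
    failures = Counter(user for user, ok in events if not ok)
    unknown = sorted(u for u in failures if u not in known_users)
    bursts = sorted(u for u, n in failures.items() if n >= threshold)
    return {"unknown_accounts": unknown, "burst_accounts": bursts}


# Constructed web access records: (request URL, response size in bytes)
ACCESS_LOG = [
    ("/report?id=7", 210_000), ("/report?id=8", 195_000),
    ("/report?id=9", 205_000), ("/report?id=10", 200_000),
    ("/report?id=11", 20_000_000),  # the 20 MB dump the report cites
    ("/static/logo.png", 14_000), ("/static/logo.png", 14_000),
]


def oversized_responses(records, factor=10):
    """Responses far above the per-endpoint median: the 200 KB vs 20 MB
    pattern the report associates with a SQL injection table dump.
    Query strings are stripped so all requests to one path share a baseline."""
    sizes_by_path = {}
    for url, size in records:
        sizes_by_path.setdefault(urlsplit(url).path, []).append(size)
    baseline = {path: median(sizes) for path, sizes in sizes_by_path.items()}
    return [(url, size) for url, size in records
            if size > factor * baseline[urlsplit(url).path]]


if __name__ == "__main__":
    print(failed_login_indicators(AUTH_EVENTS, KNOWN_USERS))
    print(oversized_responses(ACCESS_LOG))
```

Both checks are baseline-driven rather than signature-driven, so in a production setting the baseline should be computed from a clean window of history rather than from the same batch that is being scored.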
| Advantages | Disadvantages |
| --- | --- |
| Forces you to write more modular code | Another framework in the toolbox (another mindset to adapt to) |
| Decouples the application | Hard to figure out the flow in an application |
| Centralized configuration | No build errors, so it requires some way of testing dependencies together (not unit tests) |
| Control over the lifetime of dependencies | Requires configuration of dependencies |
| Takes care of long nested dependency chains | |
Here the example of a SIEM system is considered, with LogPoint as the case study. To ensure and maintain a secure IT infrastructure it is vital to see what is happening on the network. That means administrators, as well as other stakeholders such as the CISO, need to know when something unusual is happening in the corporate network (Aviad, Wecel and Abramowicz 2015). “Unusual” in this sense refers to any possible threat or breach that may have happened, or is happening, within the corporate infrastructure.
A SIEM system collects data from numerous types of log sources and enables the analyst to evaluate the data by correlating it. When something noteworthy has been detected, a notification is sent out so that countermeasures can come into effect (Pihelgas 2015). It is also the means to generate reports so that everyone involved gets precisely the information they need.
With LogPoint it is possible to detect threats and breaches and even assist in preventing them from happening (again). To secure the corporate infrastructure more efficiently, it is necessary to go beyond those capabilities and add more value to a SIEM. This is done by describing “the technical characteristics that identify a known threat, an attacker’s methodology, or other evidence of a compromise and share it at machine speed” (Thoresen 2017). This is commonly referred to as Indicators of Compromise (IOC) and is used to detect malicious behavior faster and more efficiently, as it narrows the gap between threat detection and incident response.
2.3. Applicability of IoC in organizations
Today, LogPoint supports several different formats for recording, defining, and sharing threat information, such as Trusted Automated eXchange of Indicator Information (TAXII™), CSV, and TXT. More formats, such as OpenIOC or Structured Threat Information Expression (STIX™), are likely to be supported very soon.

| Methods | Discussion |
| --- | --- |
| Active and passive IDS | An active Intrusion Detection System (IDS) is also known as an Intrusion Detection and Prevention System (IDPS). An IDPS is configured to automatically block suspected attacks without any intervention by an operator (Sanders and Smith 2013). |
| Network Intrusion Detection Systems (NIDS) and Host Intrusion Detection Systems (HIDS) | A Network Intrusion Detection System (NIDS) usually consists of a network appliance (or sensor) with a Network Interface Card (NIC) operating in promiscuous mode and a separate management interface. The IDS is placed along a network segment or boundary and monitors all traffic on that segment. |
| Knowledge-based (signature-based) IDS and behavior-based (anomaly-based) IDS | A knowledge-based (signature-based) IDS references a database of previous attack signatures and known system vulnerabilities. A behavior-based (anomaly-based) IDS references a baseline or learned pattern of normal system activity to identify active intrusion attempts; deviations from this baseline or pattern trigger an alarm. |
With staffing stretched thin and not enough qualified resources available, automation of incident response processes is necessary to reduce response times and increase the efficiency and quality of response.
| The processes | Discussion |
| --- | --- |
| Investigate and triage incidents | Incident responders can quickly view a triage package to see which endpoint artifacts, such as processes or network connections, are related to a given event. |
| Reconstruct attackers’ footprints | Protect your systems by recording key events and automatically delivering a timeline related to a suspected incident along with the prioritized alerts. |
| Stop attackers and prevent data theft | Halt lateral movement by isolating compromised devices to deny attackers access to systems, halt processes, wipe files, and kick off a script to initiate anti-virus scans or run custom scripted routines on the endpoint (Johansson and Elvin 2017). |
| Identify compromised endpoints | Automatically sweep all endpoints for signs of compromise once an Indicator of Compromise (IOC) has been validated. |
| Automate incident response workflows | Automatically kick off remediation or in-depth analysis actions by defining trigger rules and activities with the alert response workflow engine. |
| Respond immediately | Integrate with SIEMs, next-generation firewalls and alerting tools to automatically link disparate information and accelerate your response. |
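The CSV indicator import mentioned in Section 2.3 and the “sweep all endpoints once an IOC has been validated” step in the table above, as one added example. This is not LogPoint's or any other vendor's code; the CSV column layout, the placeholder hash, the documentation-range IP address, the reserved example domains and the endpoint records are all constructed for illustration.

```python
"""Import a CSV indicator list and sweep endpoint artifacts against it.

Added example, not from the report or any vendor. Column layout
(type,value,description), indicator values and endpoint records are
constructed; hashes are placeholders, IPs use the documentation range.
"""
import csv
import io

IOC_CSV = """type,value,description
md5,0123456789abcdef0123456789abcdef,placeholder dropper hash (constructed)
ipv4,203.0.113.45,command-and-control address (documentation range)
domain,bad.example,staging domain (reserved example TLD)
path,C:\\Users\\Public\\svchost.exe,binary masquerading as a system file
"""


def load_csv_iocs(text):
    """Index indicators by type; values are lower-cased so that hashes,
    domains and Windows paths match case-insensitively."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(text)):
        iocs.setdefault(row["type"], {})[row["value"].lower()] = row["description"]
    return iocs


# Constructed endpoint artifacts, as an agent might report them per host
ENDPOINTS = {
    "ws-01": {"md5": {"ffffffffffffffffffffffffffffffff"},
              "ipv4": {"198.51.100.7"}, "domain": {"intranet.example"},
              "path": {r"C:\Windows\System32\svchost.exe"}},
    "ws-02": {"md5": {"0123456789ABCDEF0123456789ABCDEF"},
              "ipv4": {"203.0.113.45"}, "domain": set(),
              "path": {r"C:\Users\Public\svchost.exe"}},
}


def sweep(endpoints, iocs):
    """Return {host: [(type, value, description), ...]} for every artifact
    that matches a validated indicator; hosts with no hits are omitted."""
    hits = {}
    for host, artifacts in endpoints.items():
        for kind, values in artifacts.items():
            for value in values:
                desc = iocs.get(kind, {}).get(value.lower())
                if desc is not None:
                    hits.setdefault(host, []).append((kind, value.lower(), desc))
    return hits


if __name__ == "__main__":
    print(sweep(ENDPOINTS, load_csv_iocs(IOC_CSV)))
```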
8. Conclusion:
“Indicators of compromise” help to use threat data effectively, identify malware, and respond quickly to incidents. These indicators are very often included in threat reports, which readers often only skim. The report shows that even when a document describing a research project does not have a dedicated Indicators of Compromise section, a reader can always extract useful data (information on the attributes found in infected systems) from the text. The reader can present the extracted data in any of the formats described above and import it into a security solution. Organizations need to be wary of the increasing number of IOCs, and should implement a system to measure and evaluate the quality of indicators accordingly. It is also seen from the study that having contextual information to accompany indicators is critical for a machine or a human to make better decisions around resource allocation and to determine a proper course of action. Thus, creating a dynamic database comprising all the elements, or data fundamentals, that make up the cyber threat landscape, and displaying those elements visually in an interconnected, contextual manner, is an effective way to enable people and machines to make better security and business decisions.
9. References:
Adebayo, A.O. and Omotosho, Y.A.A.O.J., 2013. System and Data Capture Framework Insights into Breach Data toward Improved Feedback. System, 4(3).
Aviad, A., Wecel, K. and Abramowicz, W., 2015, July. The semantic approach to cyber security towards ontology based body of knowledge. In European Conference on Cyber Warfare and Security (p. 328). Academic Conferences International Limited.
Byrne, D. and Thorpe, C., 2017, June. Jigsaw: An Investigation and Countermeasure for Ransomware Attacks. In European Conference on Cyber Warfare and Security (pp. 656-665). Academic Conferences International Limited.
Johansson, E. and Elvin, G., 2017. The impact of organizational culture on information security during development and management of IT systems: A comparative study between Japanese and Swedish banking industry.
Kent, A.D. and Liebrock, L.M., 2013, August. Statistical detection of malicious web sites through time proximity to existing detection events. In 2013 6th International Symposium on Resilient Control Systems (ISRCS) (pp. 192-197). IEEE.
Kent, A.D., Liebrock, L.M. and Neil, J., 2013, October. Web Adoption: An Attempt Toward Classifying Risky Internet Web Browsing Behavior. In LASER 2013 (pp. 25-36).
Medeiros, F. and Felix, J.C., 2014. Intraoperative frozen section consultation in gynecologic pathology. Histopathology: Methods and Protocols, pp.209-220.
Pihelgas, M., 2015. Mitigating Risks arising from False-Flag and No-Flag Cyber Attacks. NATO CCD COE, Tallinn.
Rowell, M.D., 2017. Cyber indicators of compromise: a domain ontology for security information and event management (Doctoral dissertation, Monterey, California: Naval Postgraduate School).
Sanders, C. and Smith, J., 2013. Applied network security monitoring: collection, detection, and analysis. Elsevier.
Schulz, A., Ljungberg, M., Cam, H. and Oniha, A., 2016. Dynamic Analytics-Driven Assessment of Vulnerabilities and Exploitation. MIT Lincoln Laboratory Lexington United States.
Sharma, P., Kumar, S. and Sharma, N., 2016, October. BotMAD: Botnet malicious activity detector based on DNS traffic analysis. In 2016 2nd International Conference on Next Generation Computing Technologies (NGCT) (pp. 824-830). IEEE.
Simal, A.R., 2015. Automation of memory-based IOC analysis.
Thoresen, H.M., 2017. Automated triage of samples for malware analysis (Master’s thesis, NTNU).
Wagner, C., Dulaunoy, A., Wagener, G. and Iklody, A., 2016, October. MISP: The Design and Implementation of a Collaborative Threat Intelligence Sharing Platform. In Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security (pp. 49-56). ACM.
Zapata, M.A., 2016. Indicators of compromise in the analysis of system processes (Doctoral dissertation, Utica College).