In the realm of cyber, there are two main ways of detecting an evildoer, which is either through a signature or an anomaly. These two ways of detecting are topics we’ll dive deeper into in the future, but for now, all you need to know is that both detection methods use a thing called “Indicators of compromise”.
Attackers are constantly breaking into systems, which can be a burden for any defender, but luckily most attackers have mediocre skills, so once they’ve broken into a system they leave many breadcrumbs behind. These breadcrumbs are called “Indicators of compromise” or “IOCs”.
Let’s break this IOC thing down… Once a system has been “compromised” (e.g. hacked), there’s usually some kind of “indicator” showing that this happened. Common IOCs can be separated into network-based or host-based (e.g. computer).
Network-based > An IOC that’s captured in-between hosts flowing throughout the network
- IPv4 Address
- IPv6 Address
- X509 Certificate Hash
- Domain Name
- Text String
- Communication Protocol
- File Name
Host-based > An IOC sitting on the machine (e.g. host)
- Registry Key
- File Name
- Text String
- Process Name
- File Hash
- User Account
- Directory Path
As a defender, it’s useful to intuitively understand where to look for the most common IOCs within a network or host, and the two lists above are a good place to start.
Bucketing our IOCs
Anytime I tackle a new topic it’s useful to understand the high-level picture first, then I’ll drill down further when needed. This is what we’ll do today with IOCs…
IOCs come in two flavors, static and variable.
A static IOC is tangible, easily defined, and usually is referencing something that’s already happened in the past, so it’s “known”. Each static IOC can be broken a down little further into three buckets.
- Atomic (single element): Atomic IOCs can’t be broken down any further hence the name atomic. Some examples > An IP address, text string, file name, hostname, or email address.
- Computed (processed): Computed IOCs are exactly what their name says, “computed”… Meaning there was some kind of computation that had to take place for this IOC to exist. Some examples > a hashed value, regular expression, or statistics on network traffic flows.
- Behavioral (combo): Last we have behavioral, which is a combination of the previous two IOCs bundled into one, creating a more complex IOC mimicking a behavior. Some examples > are a group of filenames that match up with a group of hashed values or a combination of text strings and a regular expression.
Static IOCs have a pretty big weakness, which is they’re only focused on the past and newer attacks will likely succeed on a network only looking at static IOCs.
Variable IOCs are one way of detecting the unknown. Think about a variable IOC as being similar to a movie script, where you have a general idea of what will happen, but you don’t know who will play each particular role. Also, just like a movie script, there is always the potential for improvisation with a skilled actor.
With variable IOCs we’re creating future scenarios without specifying the exact attack, instead, we’re focusing on the general behaviors common in most attacks.
For example… An employee received an e-mail with a sketchy attachment and decided to open it downloading a file from this malicious domain. Our malicious file now overwrites an existing system file with its own version, then the code in this file executes triggering an encrypted connection, which eventually exfiltrates data from the network.
By deconstructing this scenario into separate variable IOCs we’d have a much better chance of protecting against this malicious behavior.
I’m sure many of you remember this screen…
The WannaCry ransomware attack is probably one of the most well-known attacks to date. If you’re living under a rock and have never heard of it, here’s a quick summary…
A few years back a hacking group called “The Shadow Brokers” released a bunch of NSA hacking tools and two of the tools in there led to a global hack originating from North Korea. This attack was a ransomware attack, which encrypted Windows computers demanding a specific amount of Bitcoin to release the encrypted systems. WannaCry impacted over 200,000 computers in 150 countries causing possibly billions of dollars worth of damage.
A massive attack like this is bound to have many IOCs created to prevent it from spreading further, so cybersecurity vendors all over the world whipped up a handful.
Before I list out the IOCs below, it’s important to mention IOCs by themselves will not protect a company… Embedding these IOCs into signatures for your IDS systems to detect is key, as well as using other methods outside of just IOCs to detect and hunt down attackers.
- SMB connection via port 445 in local networks
- Related URLs
- Tor communication
- ports 9001, 9101, 9003, 443
- Related Tor Sites
- File names
- Registry Keys
- A ridiculously long list of hash values
There’s a lot more, but we’ll leave it there.
Always be tuning
We’re going to end this post with a mantra inspired by this week’s book “Applied Network Security Monitoring”.
Not all salespeople are bad, but there are a few that can ruin the entire reputation of the community. They sometimes look like this…
Those sales folks have a mantra of “Always be closing” (e.g. closing deals).
Well, in the world of signature-based IDS systems, this same mantra applies to “tuning”.
IOCs are always changing, either they’re older with zero relevance or the hacking community changed its tactics and you’re IOC is useless. This is where public reputation lists, automated tuning, and operational awareness come into play.
- Public reputation lists – This list consists of many different atomic and computed IOCs that are labeled as bad and should be either blocked or closely monitored. Security-conscious companies curate these lists, as well as create their own contextual IOCs, so they’re always up to date on the latest attacks. Some popular lists are > Malware Domain List, PhishTank, & Spamhaus. Check out more here.
- Automated tuning – These lists are constantly being updated on a daily, even sometimes hourly basis, so without automation, your IOCs will turn obsolete before you let them loose into the wild. Automatically updating these lists can be made easy through a simple bash script or automated threat intelligence systems. Larger companies tend to default towards automated threat intelligence systems and an open-source one you can play with is “Collective Intelligence Framework” (CIF)
- Operational awareness – Lastly, it’s important to remember tools can only get you so far. The people running security inside the company need to have the awareness and willingness to stay on top of these IOC lists, without that everything else is pretty much a waste.
Remember… The use of IOCs is basic security hygiene and every company should be using them, but they’re nowhere close to a holistic security strategy.