Instead of Discounting Indicators of Compromise, it’s Time to Use Them More Effectively
The security industry has shifted from focusing on just signatures to include Indicators of Compromise (IoCs) as well. This is because in many ways IoCs are more portable, simpler and compatible across many different detection platforms. However, during this shift IoCs have gotten a bum rap. It’s easy to see how this has happened – indicators can sometimes be just pieces of data without context. Security professionals are struggling to make sense of that data, and wondering where to find real value as they strive to secure their environment.
What most security professionals really want are insights into the adversaries themselves – the tools as well as the tactics, techniques and procedures (TTPs) they’re using – to strengthen defenses and make life much more difficult for the bad guys. But this level of information often isn’t handed to you on a silver platter. As the saying goes, “the devil is in the details.” In this case, the details are the IoCs. Let me explain…
Many companies now find themselves with a fragmented security infrastructure, including 40+ security products each operating within its own silo. Because these products aren’t integrated, each layer in the architecture creates its own logs and events, generating a massive amount of data. System logs are rife with bad IP addresses and domain names that might reveal communication back to a command and control server, exfiltration of data or illegitimate services; hash values that can correspond to specific or malicious files; and network and endpoint artifacts pointing to an adversary. All of these indicators can reveal malicious behavior, but security analysts struggle to know what to look for and what to investigate first.
This is where the continued importance of IoCs is demonstrated. IoCs are the lowest common denominator of all these disparate logs and the way to actually tie things together and make sense of all the output from all your different security tools. They also allow you to build a bigger picture; you can pivot from an indicator to an adversary or campaign that provides more insight into what is truly happening in your environment.
For example, you see an IP address that you don’t recognize. You need more information about it, so you gather all of the related data you can across external threat intelligence sources. Through this analysis, you may discover that the IP address is tied to a particular campaign or adversary. So you decide to gather more intelligence about the campaign or adversary to understand the TTPs they may be employing and other related indicators. In this example let’s assume, for simplicity, that this particular adversary has 21 different indicators tied to it. You have already seen one, so it makes sense to look for the other 20 within your environment. Lo and behold, you find another 10 indicators. Chances are you have been compromised by this adversary. And now you have 10 other indicators that you can send proactively to harden your security infrastructure and protect against that adversary.
As you can see from this example, IoCs are vital for successful investigation and protection. But you need a repository to tie together the data that is generated from all your disparate internal systems with data from all of your external threat feeds and enrich it with context. Otherwise indicators remain noise – and that’s why they have a bum rap.
A threat intelligence platform (TIP) allows you to aggregate and normalize threat and event data and then correlate it and apply context. Now that you have IoCs that provide valuable insights, you can use them to pivot to TTPs and the adversaries themselves. With a broader view of related indicators that could signal adversary activity, you can gather more conclusive evidence that your organization has been compromised. And with a deeper understanding of the methods the adversary employs, you can stop malicious activity more quickly and prevent similar attacks in the future.
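The pivot-and-sweep workflow described in the 21-indicator example above, and the aggregate-normalize-correlate step a TIP performs, can be shown end to end in a small script. The following is an added example, not code from the original article or from any threat intelligence product. Everything in it is constructed: the adversary profile "APT-EXAMPLE" is hypothetical, its IPs come from the RFC 5737 documentation ranges, its domains use reserved example TLDs, its hashes are SHA-256 digests of labelled sample strings, and the four "siloed" log sources (firewall, proxy, DNS, EDR) are hand-written lines in deliberately different formats. The script normalizes IoCs from every source into one canonical form, pivots from a single unfamiliar IP to the adversary it belongs to, then sweeps all logs for that adversary's remaining indicators and reports which ones were seen and which can be pushed to controls proactively.

```python
"""Pivot from one IoC to an adversary profile, then sweep siloed logs for the rest.
Added example; every adversary, indicator and log line below is constructed."""
import hashlib
import re
from ipaddress import ip_address, ip_network

# Hypothetical adversary profile: 21 indicators across three types, as in the article's scenario.
_SHA = [hashlib.sha256(f"constructed-sample-{i}".encode()).hexdigest() for i in range(7)]
ADVERSARIES = {
    "APT-EXAMPLE": {
        "ip": {"198.51.100.23", "198.51.100.24", "203.0.113.77", "203.0.113.78",
               "192.0.2.44", "192.0.2.45", "192.0.2.46"},
        "domain": {"update-cdn.example.net", "stage-sync.example.org", "cdn-mirror.example.net",
                   "api-relay.example.org", "static-pool.example.net", "metrics-push.example.org",
                   "sync-node.example.net"},
        "sha256": set(_SHA),
    },
}

# Constructed log lines from four tools, each in its own format and casing.
LOGS = {
    "firewall": [
        "2024-03-02T10:01:02Z fw01 deny src=10.0.0.5 dst=198.51.100.23 dport=443",
        "2024-03-02T10:01:09Z fw01 allow src=10.0.0.5 dst=192.0.2.44 dport=8443",
    ],
    "proxy": [
        '10.0.0.7 - - [02/Mar/2024:10:02:15 +0000] "GET http://update-cdn.example.net/u HTTP/1.1" 200',
        '10.0.0.7 - - [02/Mar/2024:10:02:16 +0000] "GET http://www.example.com/ HTTP/1.1" 200',
    ],
    "dns": [
        "Mar  2 10:03:01 dns01 named: client 10.0.0.9 query: STAGE-SYNC.EXAMPLE.ORG IN A",
        "Mar  2 10:03:05 dns01 named: client 10.0.0.9 query: Api-Relay.Example.Org. IN A",
    ],
    "edr": [
        f'{{"host":"ws-12","event":"process_create","sha256":"{_SHA[0].upper()}"}}',
        f'{{"host":"ws-12","event":"process_create","sha256":"{_SHA[3]}"}}',
        f'{{"host":"ws-14","event":"file_write","sha256":"{hashlib.sha256(b"benign").hexdigest()}"}}',
    ],
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
# RFC 1918 space is filtered explicitly; ipaddress.is_private would also drop the
# documentation ranges used for the constructed indicators above.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_iocs(line):
    """Normalize one raw log line into a set of (type, value) pairs in canonical form."""
    found = set()
    for ip in IP_RE.findall(line):
        try:
            addr = ip_address(ip)
        except ValueError:
            continue
        if not any(addr in net for net in INTERNAL):
            found.add(("ip", ip))
    for dom in DOMAIN_RE.findall(line):
        found.add(("domain", dom.lower().rstrip(".")))   # lowercase, strip trailing dot
    for digest in SHA256_RE.findall(line):
        found.add(("sha256", digest.lower()))
    return found


def pivot(seed):
    """Return the names of adversary profiles that contain a single unfamiliar indicator."""
    kind, value = seed
    return [name for name, inds in ADVERSARIES.items() if value in inds.get(kind, set())]


def sweep(adversary, logs):
    """Hunt every indicator tied to `adversary` across all log sources."""
    wanted = {(k, v) for k, vals in ADVERSARIES[adversary].items() for v in vals}
    sightings = {}
    for source, lines in logs.items():
        for line in lines:
            for ioc in extract_iocs(line) & wanted:
                sightings.setdefault(ioc, []).append(source)
    return {
        "total": len(wanted),
        "seen": sorted(sightings),
        "sightings": sightings,
        "unseen": sorted(wanted - set(sightings)),   # push these to controls proactively
    }


if __name__ == "__main__":
    seed = ("ip", "198.51.100.23")   # the one address the analyst did not recognize
    for name in pivot(seed):
        result = sweep(name, LOGS)
        print(f"{name}: {len(result['seen'])} of {result['total']} indicators seen")
        for ioc, sources in sorted(result["sightings"].items()):
            print(f"  {ioc[0]}={ioc[1]} in {sorted(set(sources))}")
        print(f"  {len(result['unseen'])} unseen indicators available for proactive blocking")
```

The normalization step is what makes the correlation work: the DNS tool logs the domain in upper case with a trailing dot, the EDR emits the hash in upper case, and internal RFC 1918 addresses are dropped so they never count as matches. Against these constructed logs the seed IP pivots to APT-EXAMPLE and the sweep finds 7 of its 21 indicators across three different tools, leaving 14 that were never observed and can be fed to the firewall, proxy and EDR ahead of time.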
There are very valid reasons for the shift from signatures alone to include IoCs. Unfortunately, in the process security teams have become inundated with data from their various security logs and multiple threat feeds, some from commercial sources, some open source, some industry and some from their existing security vendors. All of this data provides tremendous value, but it’s often untapped. Instead of discounting IoCs, it’s time to use them more effectively – and to the detriment of your adversaries.