IOCs In Cyber Security

Shruti Patel
4 min read, Sep 5, 2020

Managing cybersecurity is a never-ending process that involves writing secure code, hardening servers, detecting and responding to known and unknown security incidents, auditing, and a lot more. This work is spread across different teams: system administrators, security operations centres (SOCs), computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs).

Part of this defensive job is to analyse servers, networks and applications for IoCs. IoCs are a top priority for any organisation's security team: they tie directly into mitigation (block this IP, quarantine this file), they let security researchers and digital forensic analysts understand the threat they are facing, and they guide the team toward the right actions to prevent future incidents.

So, what is an IoC?

IoC stands for “Indicator of Compromise”.

An IoC is a forensic artifact of an intrusion, gathered during an active or past intrusion, that can be found on a host or on the network and used to recognise a particular adversary or their tooling.

Typical IoCs include an unusual open port, a file that does not belong in a system directory, a Perl or PHP file containing unknown application code, a virus, a piece of malware, a backdoor, or simply system logs showing abnormal traffic patterns. There are so many possible IoCs that it is nearly impossible to name them all.

The truth is that IoCs are the small pieces of data that help IT managers and system and network administrators fight different types of cybercrime. Sometimes they are easy to detect, because attackers can leave a lot of evidence when they break in; on other occasions attackers are very careful to cover their tracks. The latter case requires a longer investigation to find the root cause of the activity or the breach you are investigating.

IoCs are mainly categorised into three types:

Atomic IoCs: fragments of data that cannot be broken down further and that, on their own, can indicate adversary activity. Examples are a hostname, an IP address, an email address, a file name, a process name or a text string. It could also be a credit card number or some other piece of data that formed part of the breach.

Computed IoCs: values derived from data involved in the incident rather than observed directly. Examples are an MD5 (or other) hash of a file, statistics such as byte-frequency measures, or a regular expression that describes a whole family of values (for instance every URL a piece of malware generates).

Behavioural IoCs: combinations of several atomic and computed IoCs that together describe one attacker action, and so give us a signature of an attack.

So, let us understand this with a problem case:

We are doomed! Our web server has just been hijacked. The attacker targeted it, exploited a vulnerability, installed malware, dropped multiple files and connected to a remote host. More files were downloaded and additional scans were run against the internal network…….

So, let us break this down into categories.

1. Behavioural IoC1: an attacker with IP …….. targets the vulnerable web server with an exploit and creates an admin account “anonymous”. Breaking that down further:

# Atomic IoC1: attacker remote IP ……..

# Atomic IoC2: username ‘anonymous’

2. Behavioural IoC2: the attacker installs malware with MD5 hash wetfgv25642797bdhuhjm (a placeholder in this example; a real MD5 is 32 hexadecimal characters), and the malware writes the file C:/Windows/Windows32/goodgirl.dll.

# Computed IoC1: MD5 hash ‘wetfgv25642797bdhuhjm’

# Atomic IoC3: file name ‘goodgirl.dll’

3. Behavioural IoC3: the malware connects to a remote server at IP address 222.60.95.243 on port 666.

# Atomic IoC4: IP ‘222.60.95.243’

# Atomic IoC5: port ‘666’ (on its own a weak indicator, since other traffic may use the same port; it is the combination with the IP that matters)

…….. and so on.

Another way to break IoCs down is by where they are found:

Host-based indicators: found on the host itself. Examples are a registry key, a file name, a text string, a process name, a mutex, a file hash, a user account, a directory path, etc.

Network-based indicators: found in network traffic or network logs. Examples are an IP address, a domain name, a text string, an X.509 certificate hash, a communication protocol, a file name seen in transfer, a URL, etc.
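Putting the two breakdowns together (atomic/computed/behavioural indicators from the problem case above, and the host-based versus network-based split), here is a small matcher in Python. It is an added example, not code from the original post. Every event, file name, byte string and hash in it is constructed for the example, the attacker IP that the problem case leaves blank is not modelled, and the names Atomic, Computed, Behavioural, match_leaves, match_behaviours and hits_by_location are my own.

```python
"""Added example, not code from the original post: a small IoC matcher that
models atomic, computed and behavioural indicators plus the host/network split,
then runs them over constructed events from the post's web-server incident.
All IPs, users, file names, bytes and events below are made up for the example."""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Atomic:
    """One value that cannot be broken down further (IP, user, file name, port)."""
    name: str
    key: str        # event field to compare against
    value: str
    location: str   # "host" or "network": where this artifact is observed

    def matches(self, event: dict) -> bool:
        return str(event.get(self.key, "")).lower() == self.value.lower()


@dataclass(frozen=True)
class Computed:
    """A value derived from evidence: here an MD5 of file bytes, or a regex."""
    name: str
    key: str
    pattern: str
    location: str
    kind: str = "regex"   # "regex" or "md5"

    def matches(self, event: dict) -> bool:
        data = event.get(self.key)
        if data is None:
            return False
        if self.kind == "md5":
            return hashlib.md5(data).hexdigest() == self.pattern
        return re.search(self.pattern, str(data)) is not None


@dataclass(frozen=True)
class Behavioural:
    """An ordered sequence of steps. Every indicator in a step must hit the same
    event, and the steps must appear in order within the event window."""
    name: str
    steps: tuple

    def matches(self, events: Iterable[dict]) -> bool:
        events, pos = list(events), 0
        for step in self.steps:
            while pos < len(events) and not all(i.matches(events[pos]) for i in step):
                pos += 1
            if pos == len(events):
                return False
            pos += 1  # the next step must come after this event
        return True


# Constructed stand-in for the dropped DLL; its real MD5 is the computed IoC,
# so the hash comparison below is genuine for this sample.
SAMPLE_DLL = b"MZ\x90\x00 constructed goodgirl.dll placeholder"
SAMPLE_DLL_MD5 = hashlib.md5(SAMPLE_DLL).hexdigest()

EXPLOIT_REQ = Computed("Computed: webshell command in URL", "request", r"[?&]cmd=", "network")
NEW_ACCOUNT = Atomic("Atomic: event user_added", "event", "user_added", "host")
USER_ANON = Atomic("Atomic IoC2: user 'anonymous'", "user", "anonymous", "host")
DLL_NAME = Atomic("Atomic IoC3: file goodgirl.dll", "file_name", "goodgirl.dll", "host")
DLL_HASH = Computed("Computed IoC1: MD5 of goodgirl.dll", "file_bytes", SAMPLE_DLL_MD5, "host", "md5")
C2_IP = Atomic("Atomic IoC4: IP 222.60.95.243", "dst_ip", "222.60.95.243", "network")
C2_PORT = Atomic("Atomic IoC5: port 666", "dst_port", "666", "network")
LEAVES = [EXPLOIT_REQ, NEW_ACCOUNT, USER_ANON, DLL_NAME, DLL_HASH, C2_IP, C2_PORT]

RULES = [
    Behavioural("Behavioural IoC1: exploit then admin account 'anonymous'",
                ((EXPLOIT_REQ,), (NEW_ACCOUNT, USER_ANON))),
    Behavioural("Behavioural IoC2: known malware written as goodgirl.dll",
                ((DLL_NAME, DLL_HASH),)),
    Behavioural("Behavioural IoC3: connection to 222.60.95.243:666",
                ((C2_IP, C2_PORT),)),
]

# Constructed event window: host and network telemetry in time order.
EVENTS = [
    {"source": "network", "event": "http_request",
     "request": "GET /upload.php?cmd=net+user+anonymous+Pa55+/add"},
    {"source": "host", "event": "user_added", "user": "anonymous", "group": "Administrators"},
    {"source": "host", "event": "file_written", "file_name": "goodgirl.dll",
     "path": "C:/Windows/Windows32/goodgirl.dll", "file_bytes": SAMPLE_DLL},
    {"source": "network", "event": "connection", "src_ip": "10.0.0.5",
     "dst_ip": "203.0.113.10", "dst_port": 666},   # same port, unrelated host: must not fire
    {"source": "network", "event": "connection", "src_ip": "10.0.0.5",
     "dst_ip": "222.60.95.243", "dst_port": 666},
]


def match_leaves(events, leaves=LEAVES):
    """Map each atomic/computed indicator name to the indices of events it hits."""
    return {i.name: [n for n, e in enumerate(events) if i.matches(e)]
            for i in leaves if any(i.matches(e) for e in events)}


def match_behaviours(events, rules=RULES):
    """Names of the behavioural indicators whose whole step sequence is present."""
    return [r.name for r in rules if r.matches(events)]


def hits_by_location(events, leaves=LEAVES):
    """Split the leaf hits into host-based and network-based indicators."""
    hit = match_leaves(events, leaves)
    return {loc: sorted(i.name for i in leaves if i.location == loc and i.name in hit)
            for loc in ("host", "network")}
```

Running it over the constructed window, the port-666 atomic indicator hits two connections, one of them to an unrelated host, which is exactly why the behavioural rule requires the IP and the port on the same event, and why the exploit-then-account rule requires its steps in order.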

Real scenario:

APT1 (as documented in Mandiant's APT1 report) uses two custom utilities to steal email from its victims:

GETMAIL: malware used to extract email messages and attachments from Outlook PST files.

MAPIGET: malware used to extract email messages and attachments from an Exchange server.

The tool names themselves, the file hashes of their binaries, and the behaviour of reading PST files or Exchange mailboxes are all IoCs at different levels.

Where are IoCs found?

IoCs can be found in many places, on hosts and on the network. Internet of Things devices can carry them, as can databases, a system's hard drives, memory, log files, and even social media accounts. Cloud services raise many more questions, as do mobile devices and employees' laptops with their configurations. Photos and images can carry indicators too: smartphone photos with GPS coordinates, or serial numbers embedded in image metadata.

So we are talking about gathering artifacts that become progressively harder to collect and, more importantly, progressively harder for the attacker to change once we detect and block them. That is the idea behind the Pyramid of Pain (by David Bianco): the levels are ranked by how much pain the adversary feels when we deny them that indicator.

1. Hash values: easy to extract from malware and files, and just as easy for the attacker to change, since altering a single byte produces a new hash.

2. IP addresses: easily extracted, and cheap for the attacker to swap for a new one.

3. Domain names: like IPs, extracted easily, though registering and propagating a new domain costs the attacker a little more effort.

4. Network/host artifacts: more complex to gather, as we need more information about the host or network, such as file locations, registry keys, mutex names or URI patterns; changing these forces the attacker to modify their tooling.

5. Tools: even more difficult, namely identifying which specific tools the attacker is using. We may know the exploit that was used but not whether it was delivered with Metasploit or something else; denying a tool forces the attacker to find or build a replacement.

6. TTPs: Tactics, Techniques and Procedures. This is where we try to identify the attacker, understand their motivations, work out exactly which tools, techniques and procedures were used, and draw connections between the artifacts. That is the hardest level for us, and the most painful for the adversary, who has to change how they operate. To know more, there is a link to my previous blog on TTPs (medium.com/@shruti_patel/ttps-in-cyber-security-5b1c90c740b8).
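As an added example (not from the original post) of why a hash sits at the base of the pyramid while a network artifact sits higher up: a constructed byte string stands in for a malware sample, the attacker's "repack" is a single appended byte, and both indicators are checked before and after. The sample bytes, the beacon URI and the names repack and indicators_hit are assumptions for this demonstration.

```python
"""Added example, not from the original post: how much work it takes an attacker
to defeat a hash indicator versus a network artifact. The sample and its
beacon URI are constructed for the demonstration."""
import hashlib
import re

# Constructed stand-in for a malware sample with a hard-coded beacon request.
SAMPLE = (b"MZ\x90\x00...POST /gate.php?id=%08x HTTP/1.1\r\n"
          b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)")

HASH_IOC = hashlib.md5(SAMPLE).hexdigest()              # level 1: hash value
ARTIFACT_IOC = re.compile(rb"POST /gate\.php\?id=%08x")  # level 4: network artifact


def repack(sample: bytes) -> bytes:
    """Trivial attacker-side change: append one byte of padding to the file."""
    return sample + b"\x00"


def indicators_hit(sample: bytes) -> dict:
    """Which of the two indicators still match a given sample."""
    return {
        "hash": hashlib.md5(sample).hexdigest() == HASH_IOC,
        "artifact": ARTIFACT_IOC.search(sample) is not None,
    }
```

The hash indicator is defeated by a one-byte change that costs the attacker seconds, while the beacon URI pattern survives until the attacker re-engineers the malware's command-and-control protocol, which is why the artifact is worth more to a defender than the hash.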

Thank you….
