Threat Research and Indicators of Compromise

  • Signature based detection

    • Byte patterns

    • Files, processes, packets

    • Tougher with encrypted data

  • How can malware avoid detection?

    • Has no signature yet

    • Too complex to create a signature

  • Indicators of Compromise

    • Stop looking for signatures, start looking for abnormal behavior.

      • URLs

      • New Files

      • Executions

      • Processes

      • Remote Access Tools

      • File hashes

      • Registry entries

      • Resource usage

      • New apps

      • Protocols

      • New devices

      • Exfiltration

      • New users

  • IoCs: Shift in Perspective

    • Automated HIPS/HIDS

    • Correlation (SIEM)

    • Deciding if it's good or bad

  • Determining IoCs: Reputational Method

    • Historical reputation

      • IP address

      • URL

      • File hash

      • Email body (against spam)

      • Reputation databases provided by major vendors

  • Determining IoCs: Behavioral Method

    • What does it do?

      • Connections

      • Files

      • Settings

  • Attack Tactics, Techniques and Procedures (TTPs)

    • DDoS: connection distribution

    • Malware: resource usage

    • Reconnaissance: Connection pattern

    • APTs:

      • Port hopping: quickly and randomly changing ports

      • Fast flux DNS: quick changes in DNS resolved addresses

      • Data exfiltration: sensitive data or files leaving the network

      • Protocol anomalies: legitimate apps play by the RFC rules (mostly)

  • Threat Modeling: Attacks, signatures, reputation, IoCs and more…
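Two of the APT behaviors listed above, fast flux DNS and port hopping, reduce to the same defender-side check: how many distinct values (resolved IPs, destination ports) one entity produces inside a short time window. The script below is an added example, not part of the original slides; the log formats, field names and thresholds are assumptions chosen for illustration, and the log lines are constructed.

```python
# Added example, not from the slides: log format, field names and
# thresholds are assumptions chosen for illustration.
from collections import defaultdict

# Constructed DNS resolver log: "epoch client qname answer_ip ttl"
DNS_LOG = """\
1700000000 10.0.0.5 cdn.example.net 203.0.113.10 3600
1700000000 10.0.0.7 flux.example.org 198.51.100.11 30
1700000040 10.0.0.7 flux.example.org 198.51.100.52 30
1700000080 10.0.0.7 flux.example.org 198.51.100.93 30
1700000120 10.0.0.7 flux.example.org 198.51.100.140 30
"""
# Constructed connection log: "epoch src dst dport"
CONN_LOG = """\
1700000000 10.0.0.9 192.0.2.20 443
1700000000 10.0.0.12 192.0.2.77 4431
1700000003 10.0.0.12 192.0.2.77 18022
1700000006 10.0.0.12 192.0.2.77 51200
1700000009 10.0.0.12 192.0.2.77 9010
1700000012 10.0.0.12 192.0.2.77 27015
"""

def distinct_in_window(events, window):
    """events: (epoch, value) pairs; max distinct values in any window of `window` s."""
    events = sorted(events)
    best = lo = 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > window:
            lo += 1
        best = max(best, len({v for _, v in events[lo:hi + 1]}))
    return best

def fast_flux_domains(log, window=300, min_ips=4, max_ttl=60):
    """Names whose short-TTL answers churn through many IPs quickly."""
    by_name = defaultdict(list)
    for line in log.splitlines():
        ts, _client, qname, ip, ttl = line.split()
        if int(ttl) <= max_ttl:          # long TTLs look like normal caching
            by_name[qname].append((int(ts), ip))
    return sorted(n for n, ev in by_name.items()
                  if distinct_in_window(ev, window) >= min_ips)

def port_hopping_pairs(log, window=60, min_ports=5):
    """Source/destination pairs touching many distinct ports in a burst."""
    by_pair = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, dport = line.split()
        by_pair[(src, dst)].append((int(ts), int(dport)))
    return sorted(p for p, ev in by_pair.items()
                  if distinct_in_window(ev, window) >= min_ports)
```

The thresholds deliberately exclude the CDN name with a one-hour TTL and the single-port HTTPS session, which is the reputational/behavioral distinction the outline draws: the same "many values per entity" query is only an indicator once it is scored against what normal traffic looks like.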
