Threat Research and Indicators of Compromise

Signature based detection

• Byte patterns

• Files, processes, packets

• Tougher with encrypted data

How can malware avoid detection?

• Has no signature yet

• Too complex to create a signature

Indicators of Compromise

• Stop looking for signatures, start looking for abnormal behavior.

  • URLs

  • New Files

  • Executions

  • Processes

  • Remote Access Tools

  • File hashes

  • Registry entries

  • Resource usage

  • New apps

  • Protocols

  • New devices

  • Exfiltration

  • New users

IoCs: Shift in Perspective

• Automated HIPS/HIDS

• Correlation SIEM

• Deciding if its good or bad

Determining IoCs: Reputational Method

• Historical reputation

  • IP address

  • URL

  • File hash

  • Email body (against spam)

  • Reputation databases provided by major vendors

Determining IoCs: Behavioral Method

• What does it do?

  • Connections

  • Files

  • Settings

Attack Tactics, Techniques and Procedures (TTPs)

• DDoS: connection distribution

• Malware: resource usage

• Reconnaissance: Connection pattern

• APTs:

  • Port hopping: quickly and randomly changing ports

  • Fast flux DNS: quick changes in DNS resolved addresses

  • Data exfiltration: sensitive data or files leaving the network

  • Protocol anomalies: legitimate apps play by the RFC rules (mostly)

Threat Modeling: Attacks, signatures, reputation, IoCs and more…

• STIX: Structured Threat Information eXpression

  • SDOs: Stix Domain Objects

• TAXII – Protocol. Trusted Automated Exchange of Intelligence Information

  • Collections

  • Channels

  • Transmits STIX data overt https.

  • https://www.mandiant.com/resources/blog/openioc-basics

    • Utility to open IoCs from iocbucket

  • https://iocbucket.com/

• MISP – Malware Information Sharing Project

  • Works with STIX, TAXII