Understanding Indicators of Compromise (IOC) Part I

 

Introduction

Every day security analysts are faced with piecing together disparate parts of complex events of interest related to emerging and sophisticated threats.  These pieces can be simple metadata elements or much more complex malicious code and content samples that require advanced reverse engineering and analysis.  When pulled together, the cumulative result equates to what we refer to as Indicators of Compromise (IOC).  For many, IOCs are foreign in nature and concept.  For security analysts, they should be familiar if not well known as a concept.  In this blog series we’ll explore IOCs and their importance to the successful assessment of threat conditions facing security analysts and enterprises every day.

One Size Doesn’t Fit All

To begin with, let’s define the term Indicator of Compromise.  Simply put, an IOC is a forensic artifact or remnant of an intrusion that can be identified on a host or network.  Pretty straightforward, right? Let’s keep reading.  IOCs tie to observables, and observables tie to measurable events or stateful properties, which can represent anything from the creation of a registry key on a host (measurable event) to the presence of a mutex (stateful property).  Though not present in all incident response or event of interest scenarios, IOCs are present more often than not, should the security analyst devote enough time, energy and resources to learning where and how to identify them.  The ability of a security analyst, incident responder or threat researcher to collect, record and notate IOCs in a detailed manner cannot be stressed enough.  To be able to demonstrate the Who, What, Where, When, How and (assuming one has enough data) the ‘Why’ is invaluable!  Today there are several emerging, would-be standards for what has previously been an individualistic at worst and organizational at best approach to demonstrating IOCs.
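The split between measurable events and stateful properties can be made concrete with a small evaluator. This is an added example, not code from the original post and not the CybOX schema; the telemetry, the registry key, the mutex name and the IOC itself are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed host telemetry (illustrative values, not from a real incident).
EVENTS = [  # measurable events: something happened at a recorded time
    {"time": "2013-05-01T10:02:11Z", "type": "registry_key_created",
     "value": r"HKCU\Software\ExampleCorp\Updater"},
    {"time": "2013-05-01T10:02:15Z", "type": "file_created",
     "value": r"C:\Users\alice\AppData\Local\Temp\upd.tmp"},
]
STATE = {  # stateful properties: what exists on the host at collection time
    "mutex": {"Global\\EXAMPLE_MUTEX_01"},
    "service": {"Spooler", "W32Time"},
}

@dataclass(frozen=True)
class Observable:
    kind: str   # "event" or "property"
    type: str   # e.g. "registry_key_created", "mutex"
    value: str

def observe(obs, events, state):
    """Return the evidence records for one observable (empty list if unseen)."""
    if obs.kind == "event":
        return [e for e in events
                if e["type"] == obs.type and e["value"] == obs.value]
    if obs.kind == "property":
        found = obs.value in state.get(obs.type, set())
        return [{"type": obs.type, "value": obs.value}] if found else []
    raise ValueError(f"unknown observable kind: {obs.kind}")

def evaluate(ioc, events, state):
    """Return (matched, evidence); evidence keeps the What and When per observable."""
    evidence = {o: observe(o, events, state) for o in ioc["observables"]}
    hits = [bool(v) for v in evidence.values()]
    combine = all if ioc["require"] == "all" else any
    return bool(hits) and combine(hits), evidence  # an empty IOC never matches

IOC = {  # hypothetical indicator: both observables must be present
    "name": "example-dropper",
    "require": "all",
    "observables": [
        Observable("event", "registry_key_created",
                   r"HKCU\Software\ExampleCorp\Updater"),
        Observable("property", "mutex", "Global\\EXAMPLE_MUTEX_01"),
    ],
}

if __name__ == "__main__":
    matched, evidence = evaluate(IOC, EVENTS, STATE)
    print(IOC["name"], "matched:", matched)
    for obs, seen in evidence.items():
        print(f"  {obs.kind:8} {obs.type:22} {seen or 'absent'}")
```

Only the event observable carries a timestamp; the mutex can only be reported as present or absent at collection time, which is why the two kinds are recorded differently.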

 

My Way, Your Way, Any IOC Standard Tonight

 

Though there are many would-be standards related to IOCs making waves in the industry today, we’ll spend some time looking at what promise to be the three leading contenders.  The first is CybOX, which according to its website provides “…a standardized schema for the specification, capture, characterization and communication of events or stateful properties that are observable in the operational domain. A wide variety of high-level cyber security use cases rely on such information including: event management/logging, malware characterization, intrusion detection, incident response/management, attack pattern characterization, etc. CybOX provides a common mechanism (structure and content) for addressing cyber observables across and among this full range of use cases improving consistency, efficiency, interoperability and overall situational awareness.”  The fine folks at MITRE are responsible for CybOX, and it happens to be a personal favorite of mine.  Is it perfect? That depends on your needs and wants.  I like a lot about the way in which CybOX approaches observables and properties.  Additionally, and perhaps more important than those two fundamental aspects, is its integrated approach to disparate domains of interest such as:

  • Threat assessment and characterization (detailed attack patterns)
  • Malware characterization
  • Operational event management/logging
  • Cyber situational awareness
  • Incident response
  • Forensics
  • Etc.

In the second installment we’ll discuss the OpenIOC initiative, the IODEF (RFC5070) initiative sponsored by the IETF and the best way to select a framework that suits your needs.
