Cyberthreat on the Internet

Understanding the Threat Landscape: Indicators of Compromise (IOCs)

I previously provided a brief overview of how Verisign iDefense characterizes threat actors and their motivations through adversarial analysis. Not only do security professionals need to be aware of the kinds of actors they are up against, but they should also be aware of the tactical data fundamentals associated with cyber-attacks most commonly referred to as indicators of compromise (IOCs). Understanding the different types of tactical IOCs can allow for quick detection of a breach, as well as prevention of a future breach. For purposes of this overview, Verisign iDefense breaks IOCs into three distinct categories: email, network and host-based.

Email Indicators

Advanced threat actors often use free email services to send socially engineered emails to targeted organizations and individuals due to ease of use and relative anonymity. Email IOCs can be revealed in a few ways:

  • Sender’s email address and email subject: Actors create emails from addresses that appear to belong to recognizable individuals or prominent public figures, or highlight current events and other calls to action to create intriguing email subject lines with the goal of getting victims to open socially engineered emails.
  • Attachments and links: Malicious attachments and links are used in spear-phishing emails and campaigns. These are often reused, so it would be beneficial to track and monitor these specific files and links.
  • X-forwarding IP address: This is an email header field that identifies the originating IP address of a client connecting to a Web server through a HTTP proxy or load balancer. Compromised servers are often used when sending socially engineered emails, and infrastructure can be reused when launching an attack. So, while a X-forwarding IP address will not provide the email’s originating IP address, it does provide the address through which the email was proxied, which allows for additional insight into the attack infrastructure used against the organization.
  • X-originating IP address: This is an email header that identifies the originating IP address of a client connecting to a mail server. Depending on the mail servers being used, this field does not always appear in email headers; however, similar to X-forwarding IP addresses, monitoring these IP addresses when available can provide additional insight into attackers.

Network Indicators

Network IOCs are revealed through:

  • URLs: Used for command and control (C2) and link-based malware delivery. URLs can be strong IOCs as they are usually unique paths created by threat actors for their attacks.
  • Domain names: Used for C2, malware delivery through malicious links in socially engineered email attacks and as data exfiltration sites. Organizations can monitor and block known bad domains to disrupt threat actors.
  • IP addresses: Used for assisting organizations in detecting attacks from known compromised servers, botnets and systems conducting distributed denial of service (DDoS) attacks. However, this IOC has a short shelf life as threat actors move from one compromised server to another, and with the development of cloud-based hosting services, it is no longer just compromised servers that are being used, but legitimate IP space belonging to large corporations.
  • User-agent strings: Used to identify a computer’s operating system, browser type and other computer-specific information to allow Web pages and data to render correctly on the client.

Host-Based Indicators

These IOCs can be found through analysis of the infected computer within an organization’s enterprise. Host-based IOCs are revealed through:

  • Filenames and file hashes: These include names of malicious executables and decoy documents, as well as the file hashes of the malware being investigated and the associated decoy documents.
  • Registry keys: These are keys added by malicious code and specific keys modified within a computer’s registry settings to allow for persistence. This is a common technique that malware authors use when creating Trojans.
  • Dynamic link libraries (DLLs): Actors often replace Windows system files that Windows loads during its startup process. This replacement action ensures that its payload executes each time Windows carries out its startup procedures.
  • Mutual exclusion (mutex): This is a program object that can be used to limit access to a resource, and is often used by malware authors to ensure a host is infected by only one instance of the malware in question.

Organizations need to be wary of the increasing number of IOCs and implement a system to measure and evaluate the quality of indicators accordingly. Having contextual information to accompany indicators is critical for a machine or a human to make better decisions around resource allocation and determine a proper course of action.

Creating a dynamic database comprised of all the elements, or data fundamentals, that make up the cyber threat landscape, and having them visually displayed in an interconnected contextual manner is a great way to enable people and machines to make better security and business decisions.

Stay tuned for upcoming blog posts in which I will expand upon this concept and how the Verisign iDefense IntelGraph platform can help practitioners improve their security posture and allocate resources more effectively.

Learn more about proactive threat intelligence from Verisign iDefense Security Intelligence Services by visiting VerisignInc.com/iDefense.

Share:
Josh Ray

Josh Ray

As Vice President, Verisign iDefense Security Intelligence Services, Josh Ray is responsible for developing operational plans for the organization, overseeing the fulfillment of client commitments and providing the strategic direction for the iDefense product line. He has more than 12 years of combined commercial, government and military experience in the field of Cyber Intelligence, Threat Operations, and Information Security.

Leave a Reply