Osquery In Action: Where and When to Apply “Threat Intel”


So, what does Threat Intelligence mean? Ask a variety of people, and they will give you a variety of responses — IOCs, IOAs, file hashes, signatures, bad IPs, bad domains, C2 servers . . . Most of what people consider “Threat Intel” are lists of artifacts shared by information security companies, government agencies, or other entities trying to protect customers, citizens, or organizations from various threats on the internet.

Categories of Threat Artifacts

The artifacts tend to fall into several different categories. I “grew up” with the original use of the term “Indicators of Compromise” coined at Mandiant and worked a lot with the OpenIOC community, so that’s mainly the way I think of Threat Intelligence. In these cases, IOCs were collections of indicators that could be logically grouped and evaluated, and if the grouping (when compared against things in your organization) evaluated to “true,” you had something which was worthy of further investigation. Groupings of terms that have to be evaluated together are what I call “Complex” or “Classic” indicators, because that’s what an IOC was before the term became hugely overloaded in the security marketing space. However, you could have an IOC with only one entry in it — it just wasn’t usually a very good IOC.

Simple artifacts in isolation (the “one entry”) are what I call “Atomic” Indicators — these are often things that are easy to match, but carry little context — and while some of them can be very specific and never “wrong” (like an (Read more...)
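To make the distinction concrete, here is an added example (not code from the post or from Uptycs) that evaluates an OpenIOC-style "complex" indicator, an AND/OR grouping of atomic terms, against two constructed host snapshots shaped like osquery table rows, and contrasts it with matching one atomic term on its own. The table names, field names, paths, hashes and domain are all made up for illustration.

```python
from __future__ import annotations
from typing import Any

# Constructed host snapshots, shaped like rows osquery tables would return (layout is assumed).
CLEAN_HOST = {
    "processes": [{"name": "svchost.exe", "path": "C:\\Windows\\System32\\svchost.exe", "sha256": "aaaa"}],
    "dns_lookups": [{"name": "login.example.test"}],
}
SUSPECT_HOST = {
    "processes": [
        {"name": "svchost.exe", "path": "C:\\Windows\\System32\\svchost.exe", "sha256": "aaaa"},
        {"name": "svchost.exe", "path": "C:\\Users\\Public\\svchost.exe", "sha256": "bbbb"},
    ],
    "dns_lookups": [{"name": "updates.example.test"}],
}

# An atomic indicator is one (table, field, value) term; a complex IOC is a logic tree of them.
ATOMIC_NAME = {"term": ("processes", "name", "svchost.exe")}
COMPLEX_IOC = {
    "op": "AND",
    "items": [
        ATOMIC_NAME,
        {"op": "OR", "items": [
            {"term": ("processes", "path", "C:\\Users\\Public\\svchost.exe")},
            {"term": ("processes", "sha256", "bbbb")},
        ]},
        {"term": ("dns_lookups", "name", "updates.example.test")},
    ],
}


def term_matches(term: tuple[str, str, str], host: dict[str, list[dict[str, Any]]]) -> bool:
    """An atomic term matches if any row of the named table has field == value (case-insensitive)."""
    table, field, value = term
    return any(str(row.get(field, "")).lower() == value.lower() for row in host.get(table, []))


def evaluate(node: dict[str, Any], host: dict[str, list[dict[str, Any]]]) -> bool:
    """Recursively evaluate an indicator node: a leaf term, or an AND/OR group of child nodes."""
    if "term" in node:
        return term_matches(node["term"], host)
    results = [evaluate(child, host) for child in node["items"]]
    return all(results) if node["op"] == "AND" else any(results)


if __name__ == "__main__":
    for label, host in (("clean", CLEAN_HOST), ("suspect", SUSPECT_HOST)):
        # The lone atomic name term fires on both hosts; the grouped IOC fires only on the suspect one.
        print(label, "atomic:", evaluate(ATOMIC_NAME, host), "complex:", evaluate(COMPLEX_IOC, host))
```

The atomic process-name term alone is true on the clean host as well, which is the "little context" problem; the grouping only evaluates to true when the path-or-hash term and the DNS term also hold.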

*** This is a Security Bloggers Network syndicated blog from Uptycs Blog authored by Doug Wilson. Read the original post at: https://www.uptycs.com/blog/applying-threat-intel-with-osquery