Threat Hunting for File Hashes as an IOC

Threat hunting is “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.” It is a proactive measure that sits on top of traditional reactive controls such as IDS, firewalls, and SIEM.

IOCs – What, Why & How

An Indicator of Compromise (IOC) is an “artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion.” IOCs mainly consist of hash values, malicious IPs, malicious domain names, host and network artifacts, exploit tools, and TTPs (Tactics, Techniques, and Procedures). Identified IOCs are used for early detection of future attack attempts by intrusion detection systems and antivirus software.

When dealing with IOCs, we need a clear understanding and a procedure in place to derive efficient and effective results. Some of the questions that help nudge in the right direction are as follows:

  1. What is it that you are looking for?
  2. Where will you find it?
  3. How do you intend to use it?

The Pyramid of Pain

The widely discussed model for categorizing IOCs, known as the ‘Pyramid of Pain’, places hash values at the base of the pyramid, in the tier termed Trivial. Fundamentally, this tier encompasses values such as MD5 and SHA1 hashes and similar artifacts that represent specific suspicious or malicious files. They come in handy for uniquely identifying specific malware or malicious samples that have been observed in a security incident. Today, due to the dynamic nature of adversaries and threat campaigns, keeping track of them without additional context is often redundant.
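As an added illustration (not code from the original post), the sketch below sweeps a directory for files whose MD5, SHA1 or SHA256 appears in an IOC feed and returns each hit together with the feed's context. The feed layout, the `label`/`source` fields, the function names and the sample files are all assumptions constructed for this example; the second sample file differs from the first by one byte and therefore does not match, which is why hash-only hunts need accompanying context.

```python
import hashlib
import os
import tempfile


def file_hashes(path, chunk_size=65536):
    """Return MD5, SHA-1 and SHA-256 of a file, reading it once in chunks."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hunt(root, ioc_feed):
    """Walk root and return one finding per file whose hash is in ioc_feed.

    ioc_feed (hypothetical layout) maps a lowercase hex digest of any of the
    three algorithms to a dict of context supplied by threat intelligence.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                hashes = file_hashes(path)
            except OSError:
                continue  # unreadable or vanished file: skip, keep sweeping
            for algo, digest in hashes.items():
                if digest in ioc_feed:
                    findings.append({"path": path, "algo": algo,
                                     "hash": digest, **ioc_feed[digest]})
                    break  # one finding per file is enough
    return findings


def demo():
    """Constructed data: a listed file and a copy with one byte appended."""
    sample = b"constructed sample payload, not real malware\n"
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("a.bin", sample), ("b.bin", sample + b"\x00")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        feed = {hashlib.sha1(sample).hexdigest():
                {"label": "constructed-sample", "source": "example feed"}}
        return [(os.path.basename(f["path"]), f["algo"], f["label"])
                for f in hunt(root, feed)]


if __name__ == "__main__":
    print(demo())
```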

The Platforms

Threat Hunting and Threat Intelligence both talk extensively about Indicators of Compromise such as Hash values for their processes. Threat Intelligence is the provider of these Indicators with additional context, making it (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Ifeanyi Egede. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/dMH4AA9Rxks/