Threat Hunting for URLs as an IoC

Introduction

Unfortunately, cyber-attacks are simply a fact of life in today's world. Anyone with a laptop or smartphone can quickly write malicious code to victimize an organization, and sometimes they can penetrate an organization's network defenses with the same ease. Despite their best efforts, however, attackers often leave clues behind that threat hunters can use to identify them and stop them in their tracks. This article details threat hunting for URLs as an Indicator of Compromise, including where to look and what to look for.

Indicators of Compromise

When investigating, information security professionals look to what are called Indicators of Compromise, or IoC artifacts, to aid their investigation. IoC artifacts are pieces of forensic data or evidence that serve as a proverbial trail of breadcrumbs, leading threat hunters to the identity and network location of the attackers. Monitoring for IoC artifacts helps organizations respond promptly, giving them a better chance to act on the threat and mitigate damage before it gets any worse.

URLs as an IoC

URLs are typically considered part of the family of IoC artifacts because malicious URLs are widely used to spearhead various cyber-attacks, including spamming, phishing, and malware delivery. Detecting these malicious URLs and identifying the threat types associated with them is critical to hunting threats.
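One way to put URL indicators to work, as an added example that is not part of the original post: match URLs seen in web-proxy logs against a list of known-bad URLs after both sides are normalized (defanging undone, case folded, default ports and query strings dropped). The indicator values, log lines and field layout below are constructed placeholders, not real indicators.

```python
from urllib.parse import urlsplit

# Constructed IoC list in the defanged form analysts often share (placeholder values).
IOC_URLS = [
    "hxxp://malicious-example[.]test/login/verify.php",
    "https://EXAMPLE-BAD.test:443/drop/",
]

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>".
PROXY_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET http://malicious-example.test/login/verify.php?id=7 200
2024-01-01T10:00:02Z 10.0.0.6 GET https://example-bad.test/drop 302
2024-01-01T10:00:03Z 10.0.0.7 GET https://www.example.test/index.html 200
"""


def refang(url):
    """Undo common defanging (hxxp, [.], (.)) so shared IoCs parse as real URLs."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def normalize(url):
    """Canonical (scheme, host[:port], path) key.

    Lowercases scheme and host, drops default ports (80/443) and the query
    string, and strips a trailing slash so /drop and /drop/ compare equal.
    """
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if parts.port and parts.port not in (80, 443):
        host = f"{host}:{parts.port}"
    path = parts.path.rstrip("/") or "/"
    return (parts.scheme.lower(), host, path)


def hunt(log_text, ioc_urls):
    """Return (timestamp, client_ip, url) for every log line whose URL matches an IoC."""
    iocs = {normalize(u) for u in ioc_urls}
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the whole hunt
        ts, client, _method, url, _status = fields[:5]
        if normalize(url) in iocs:
            hits.append((ts, client, url))
    return hits


if __name__ == "__main__":
    for hit in hunt(PROXY_LOG, IOC_URLS):
        print("IoC match:", *hit)
```

Without the normalization step, neither constructed hit would be found: the first differs from its indicator by a query string, the second by host case, an explicit default port and a trailing slash.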

Threat Hunting for URLs

A good hunt begins with a good hypothesis. The hypothesis should combine general knowledge of your environment: what threats are present in it, where those threats may be located, and how they might take advantage of users and organizational processes to get around your security appliances. Some hunters opt for the Crown Jewels model, in which priority is placed on the systems that contain the most vital data and assets, mitigating risk with passive (Read more...)

This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/sfyRP1LChNM/