Threat Hunting: IOCs and Artifacts

Introduction

Unusual behavior of information technology assets within an organization may be a hint that the organization is undergoing a cyberattack. Threat-hunting teams will often assess the environment for commonly known and documented threats by applying Indicators of Compromise (IOCs).

This article discusses IOCs and their artifacts, examines sources where IOCs are most likely to be found, and compares IOCs with Indicators of Attack (IOAs). Finally, we will see how hunters can use IOCs to improve the detection of, and response to, malicious activities within the organization.

Indicators of Compromise and Artifacts

Indicators of compromise (IOCs) can be defined as “pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.” Threat hunters will often consult IOCs to determine the locations of possible data breaches or malware infections within the organization.

“Artifacts” refers to the common pieces of information that are of interest to the hunter. They include items such as logs, configured services, cron jobs, patch states, user accounts and others. Artifact locations vary widely, which greatly widens the range of places where IOCs may be searched for or obtained.

There are different sets of artifacts, which can be grouped as follows:

Network-Based Artifacts

Because most malware communicates with external entities over the network, hunters will often scour that network for artifacts that could contain malicious content. Hunters will pay attention to listening TCP/UDP ports used by services such as SMTP, HTTP, FTP and proxy servers. External monitoring servers may also be set up to aid in traffic monitoring. Hunters will also have various tools that perform:

  • Session recording: TDIMon is an example of a Windows-based utility that can be used to record incoming and outgoing sessions. Argus is also a Unix tool (Read more...)
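The following is an added example, not code from the original post or its author, showing how the two ideas above fit together: an IOC set is checked against artifacts pulled from several locations (a proxy log, a listing of listening ports, and file hashes), and each hit is reported together with where it was found. All indicator values and artifact lines are constructed for illustration (TEST-NET addresses, a `.test` domain, a placeholder hash); the function names and log format are assumptions of this example rather than anything from the article.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed IOC set. These are documentation-only values, not real indicators:
# 203.0.113.0/24 and 198.51.100.0/24 are TEST-NET ranges, the hash is a placeholder.
IOCS: Dict[str, Set] = {
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "domain": {"updates.example-bad.test"},
    "sha256": {"deadbeef" * 8},
    "port": {4444},
}

# Constructed artifact 1: key=value proxy log lines (assumed format).
PROXY_LOG = """\
2024-03-01T10:02:11Z src=10.0.0.12 dst=203.0.113.45 host=updates.example-bad.test method=GET uri=/a.bin status=200
2024-03-01T10:02:15Z src=10.0.0.13 dst=93.184.216.34 host=www.example.com method=GET uri=/ status=200
2024-03-01T10:03:40Z src=10.0.0.12 dst=198.51.100.7 host=- method=CONNECT uri=198.51.100.7:4444 status=200
"""

# Constructed artifact 2: listening sockets, netstat-like (proto local-address state process).
LISTENING_PORTS = """\
tcp 0.0.0.0:22 LISTEN sshd
tcp 0.0.0.0:4444 LISTEN nc
tcp 127.0.0.1:8080 LISTEN proxy
"""

# Constructed artifact 3: SHA-256 digests of files on a host.
FILE_HASHES: Dict[str, str] = {
    "/tmp/a.bin": "deadbeef" * 8,
    "/usr/bin/ls": "00" * 32,
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv_line(line: str) -> Dict[str, str]:
    """Turn 'k1=v1 k2=v2 ...' into a dict; later keys overwrite earlier ones."""
    return dict(KV_RE.findall(line))


def hunt_proxy_log(text: str, iocs: Dict[str, Set]) -> List[Tuple[int, str, object]]:
    """Return (line_number, ioc_type, value) for every IOC seen in the proxy log."""
    hits: List[Tuple[int, str, object]] = []
    for n, line in enumerate(text.splitlines(), start=1):
        fields = parse_kv_line(line)
        if fields.get("dst") in iocs["ipv4"]:
            hits.append((n, "ipv4", fields["dst"]))
        if fields.get("host") in iocs["domain"]:
            hits.append((n, "domain", fields["host"]))
        # CONNECT tunnels carry the destination port in the URI as host:port.
        m = re.search(r":(\d+)$", fields.get("uri", ""))
        if m and int(m.group(1)) in iocs["port"]:
            hits.append((n, "port", int(m.group(1))))
    return hits


def hunt_listening_ports(text: str, iocs: Dict[str, Set]) -> List[Tuple[int, str]]:
    """Return (port, process) for listening sockets whose port is an IOC."""
    hits: List[Tuple[int, str]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "LISTEN":
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        if port in iocs["port"]:
            hits.append((port, parts[3]))
    return hits


def hunt_file_hashes(hashes: Dict[str, str], iocs: Dict[str, Set]) -> List[str]:
    """Return the paths whose SHA-256 digest appears in the IOC set."""
    return sorted(path for path, digest in hashes.items() if digest.lower() in iocs["sha256"])


def hunt_all() -> Dict[str, list]:
    """Run every hunt and key the results by artifact location, so the
    analyst can see not just that an IOC matched but where it surfaced."""
    return {
        "proxy_log": hunt_proxy_log(PROXY_LOG, IOCS),
        "listening_ports": hunt_listening_ports(LISTENING_PORTS, IOCS),
        "file_hashes": hunt_file_hashes(FILE_HASHES, IOCS),
    }


if __name__ == "__main__":
    for location, hits in hunt_all().items():
        print(f"{location}: {hits}")
```

Each hunt returns structured hits rather than printing, so the same matching logic can be reused across artifact sources and the results correlated (here the host 10.0.0.12 shows up in both the proxy log and, via the port IOC, the listening-socket listing). In practice the artifact sources would be real log exports and host inventories rather than the embedded strings used here.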

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Chris Sienko. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/txCsT4ObuK4/