Build the Capacity to Hunt for Publicly Disclosed Indicators of Compromise

Earlier this year federal authorities unveiled multi-stage and widespread cyber-attacks on the U.S. energy sector and other infrastructure locations. At the time, these attacks had been ongoing for at least a year and incurred several successful compromises. This included some nuclear facilities, water, and aviation locations.

This was not a typical drive-by attack. It was a systematic effort that used sophisticated targeting techniques including spear phishing, watering-hole domains, and ultimately the targeting of industrial control systems (ICS) infrastructure.

IOCs to Ward Off Future Attacks

The government produced a comprehensive document that described the strategy and tactics used by the attackers. This included details from the reconnaissance phase to the way the malware spread laterally to other devices on their network. Importantly, the document highlighted “indicators of compromise” (IOCs) including:

  • Suspicious URLs;
  • Suspicious IP addresses; and
  • MD5 hashes and filenames associated with a malware

This information can help security ward off similar attacks in the future. These IOCs can be used to provide network security tools, including firewalls, IPS, IDS, and web proxies with a list of the IP addresses and URLs in order to interfere with the communication lines for this attack. In addition, the MD5 hashes allow network and endpoint solutions to be aware of the malware associated with this group.

The challenge is, once these IOCs are known, it becomes less likely sophisticated adversaries will continue to use them. This is because it becomes more difficult to use the same strategy once your targets become aware of your tactics. Some copycat adversaries may use this as a blueprint for ways to launch similar attacks, but these adversaries are often less resourceful than the originators of the attack.

So, IOCs are most useful when a security team has the capacity to begin threat hunting in a timely fashion. This requires an organization to have already established the means and processes to act in advance.

Watch this Complimentary on Demand Webinar
Threat Hunting: Finding Hidden & Undetected Network Threats
Tips using practical examples you or your team can start using immediately

Indexing Data to Search for IOCs

Announcements, like the disclosure by federal authorities above, are an opportunity to get prepared. Sure, security needs to monitor and track indications, but more importantly, they need to develop a simple and consolidated method to index data that can be rapidly filtered, sorted and searched for the IOCs following a disclosure.

Many organizations already log this data but it isn’t always collected, archived and maintained in a system that is easily queried. As a result, this data is used in forensics to determine how a serious breach occurred, once it is discovered, but it isn’t often the vehicle that enables this detection or incident management.

To develop the means and process, begin by getting your organization to answer these questions:

  • Do you have the means to look for threats in your environment that evaded detection?
  • Where do you go to look for IOCs in your environment when a new disclosure is made?
  • How do you identify specific forensic artifacts like URLs, domains and IP addresses?
  • Can you obtain a list of all new MD5 hashes downloaded into the network and where?
  • How and when are new IOC discoveries or disclosures investigated?
  • If you discover evidence of an IOC, how do you investigate or resolve the incident?

The organizations that have built the capacity in advance, will be in a better position to hunt for threats when new IOCs are revealed – those that have evaded detection and are hidden on the network.

Note: A version of this post was originally published as part of the CSO Online contributor network: The value of 20/20 hindsight in cybersecurity.

If you enjoyed this post, you might also like:
7 Simple but Effective Threat Hunting Tips from a Veteran Threat Hunter

*** This is a Security Bloggers Network syndicated blog from Bricata authored by ironcore. Read the original post at: