According to Gartner, threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable intelligence.
When security research teams or government agencies release threat intelligence reports, some of the more tactical actionable intelligence is in the indicators. These indicators include (but are not limited to) IP addresses, domain names, file names or file hashes. The end goal of providing this level of detail is so defenders can either provide mitigating steps in place to block malicious behavior or to use this information to search for evil within their organization.
I like to think of indicators as threat information rather than threat intelligence. Without additional context, such as time or intended targets, the indicators can be worthless. Time is an important one because indicators can be modified very quickly by an adversary.
The pyramid of pain illustrates this quite well.
At the bottom of the pyramid you have file hashes, which are defined as trivial. This is because adversaries can change the hash of their malware programmatically with each iteration if needed. On the defender’s side, it’s also trivial to detect malicious hashes.
Tripwire Enterprise has been detecting file hashes for the better part of two decades, and we’ve gotten quite good at it. When monitoring for change, knowing the file hash will quickly identify a changed file (although a file's permissions and attributes can be changed without modifying the file hash).
Starting in Tripwire Enterprise 8.4, a REST-based API was included with each server-side installation to allow for easier integrations with various technologies. One part of this API can query for various files, or elements, based on any number of attributes. While you can search for a specific hash, the API also allows you to supply any file hash and detect the type of hash supplied.
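As an added illustration (not Tripwire's API or code), here is a Python sketch of the two steps just described: inferring the hash family from whatever digest a report supplies, then using that to hunt for matching files. The file paths, contents and indicator list are constructed for the example.

```python
import hashlib
import re

# Hex digest length -> algorithm family. SHA-256/SHA3-256 and SHA-512/SHA3-512
# share a length, so length alone gives the family an indicator feed usually means.
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def detect_hash_type(value):
    """Return the algorithm implied by a hex digest, or None if it is not one."""
    v = value.strip()
    if not HEX_RE.match(v):
        return None
    return HEX_LENGTHS.get(len(v))


def index_indicators(indicators):
    """Group indicator hashes by detected algorithm; malformed entries are returned separately."""
    by_algo, rejected = {}, []
    for ind in indicators:
        algo = detect_hash_type(ind)
        if algo is None:
            rejected.append(ind)
            continue
        by_algo.setdefault(algo, set()).add(ind.strip().lower())
    return by_algo, rejected


def hunt(files, by_algo):
    """Hash each file only with the algorithms present in the indicator set.

    files: {path: bytes}. Returns (path, algorithm, digest) for every match.
    """
    hits = []
    for path, data in files.items():
        for algo, wanted in by_algo.items():
            digest = hashlib.new(algo, data).hexdigest()
            if digest in wanted:
                hits.append((path, algo, digest))
    return hits


if __name__ == "__main__":
    # Constructed sample files; the indicator list mixes an MD5 and a SHA-256
    # derived from one of them with a malformed entry, as a report feed might.
    files = {"/opt/app/updater": b"benign updater\n", "/tmp/.cache/x": b"suspect bytes\n"}
    feed = [hashlib.md5(files["/tmp/.cache/x"]).hexdigest().upper(),
            hashlib.sha256(b"something else").hexdigest(), "not-a-hash"]
    by_algo, rejected = index_indicators(feed)
    print("rejected:", rejected)
    print("hits:", hunt(files, by_algo))
```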
For example, (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Travis Smith. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/hash-hunting-file-hashes-important/