Indicators of Compromise

Just like you or me, adversaries have various computer resources at their disposal. They have favourite computers, applications, techniques, websites, etc. It is these fundamentally human tendencies and technical limitations that we exploit by collecting information on our adversaries. No person acts truly at random, and no person has truly infinite resources at their disposal. Thus, it behoves us in CND to record, track, and group information on our sophisticated adversaries to develop profiles. With these profiles, we can draw inferences, and with those inferences, we can be more adaptive and defend our data more effectively. After all, that's what Intelligence-Driven Incident Response is all about: defending data that sophisticated adversaries want. It's not about the computers. It's not about the networks. It's about the data. We have it, and they want it.

Indicators can be classified in a number of ways; this note uses three classes: atomic, computed, and behavioural (a.k.a. TTPs).

Note

One likes to think of indicators as conceptually straightforward, but the truth is that proper classification and storage have been elusive.

Atomic indicators are pieces of data that are indicators of adversary activity on their own. Examples include IP addresses, email addresses, a static string in a covert command-and-control (C2) channel, or fully-qualified domain names (FQDNs). Atomic indicators can be problematic, as they may or may not exclusively represent activity by an adversary. For instance, an IP address from which an attack is launched could very likely be an otherwise-legitimate site. Atomic indicators often need vetting through analysis of available historical data to determine whether they exclusively represent hostile intent.
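The vetting step described above, as an added example that is not part of the original note: a candidate atomic indicator is checked against what earlier investigations concluded about the same value, so that a shared or otherwise-legitimate host is not promoted to an "exclusively hostile" indicator on the strength of one sighting. The history records, the IP addresses (RFC 5737 documentation ranges), the domain, and the `MIN_SIGHTINGS` threshold are all constructed for this example.

```python
"""Vet atomic indicators against historical observations (constructed example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One prior sighting of an indicator value with the analyst's verdict."""
    value: str      # IP address, FQDN or email address
    kind: str       # 'ip', 'fqdn' or 'email'
    verdict: str    # 'malicious', 'benign' or 'unknown'


# Constructed history. The IP was seen in an intrusion but also in ordinary
# traffic (a shared host); the FQDN has only ever appeared in intrusions.
HISTORY = [
    Observation("203.0.113.10", "ip", "malicious"),
    Observation("203.0.113.10", "ip", "benign"),
    Observation("203.0.113.10", "ip", "benign"),
    Observation("c2.example.net", "fqdn", "malicious"),
    Observation("c2.example.net", "fqdn", "malicious"),
    Observation("c2.example.net", "fqdn", "malicious"),
    Observation("sales-lead@example.org", "email", "unknown"),
]

# Assumed policy: at least this many malicious sightings, and no benign ones,
# before an indicator is called 'exclusive'.
MIN_SIGHTINGS = 2


def vet_atomic(value: str, kind: str, history=HISTORY) -> dict:
    """Classify one atomic indicator as exclusive, shared or unvetted."""
    counts = Counter(o.verdict for o in history
                     if o.value == value and o.kind == kind)
    malicious, benign = counts["malicious"], counts["benign"]
    if benign > 0:
        status = "shared"        # legitimate use observed: needs context before alerting
    elif malicious >= MIN_SIGHTINGS:
        status = "exclusive"     # only ever hostile, often enough to trust
    else:
        status = "unvetted"      # no history, or too little to decide
    return {"value": value, "kind": kind, "malicious": malicious,
            "benign": benign, "unknown": counts["unknown"], "status": status}


def vet_all(candidates, history=HISTORY) -> list:
    """Vet a list of (value, kind) pairs."""
    return [vet_atomic(v, k, history) for v, k in candidates]


if __name__ == "__main__":
    for row in vet_all([("203.0.113.10", "ip"), ("c2.example.net", "fqdn"),
                        ("sales-lead@example.org", "email"), ("198.51.100.7", "ip")]):
        print(row)
```

A "shared" result is not a verdict of innocence; it is a signal that the indicator should be used as a pivot for correlation rather than as a stand-alone block or alert rule.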

Computed indicators are those which are, well, computed. The most common amongst these are hashes of malicious files, but they can also include specific data in decoded custom C2 protocols, etc. Your more complicated IDS signatures may fall into this category.

Behavioural indicators are those which combine other indicators — including other behaviours — to form a profile. Here is an example: Bad guy 1 likes to use IP addresses in West Hackistan to relay email through East Hackistan and target our sales folks with trojaned Word documents that discuss our upcoming benefits enrolment, which drop backdoors that communicate to A.B.C.D C2. Here we see a combination of computed indicators (geolocation of IP addresses, MS Word attachments determined by magic number, base64 encoded in email attachments), behaviours (targets the sales force), and atomic indicators (A.B.C.D C2). To borrow some parlance, these are also referred to as Tactics, Techniques & Procedures (TTPs).[1][2][3]
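The "Bad guy 1" profile, as an added example that is not part of the original note: it combines two computed indicators (IP geolocation from a prefix table, and Word-document detection by magic number on a base64-decoded attachment), one behaviour (the recipient belongs to sales), and one atomic indicator (the C2 address) into a single behavioural match, and reports a file hash as a corroborating computed indicator that a recompiled lure would not satisfy. The prefix table, the two fictional countries, the C2 address `203.0.113.200` standing in for the note's A.B.C.D, and the sample messages are all constructed for this example.

```python
"""Behavioural indicator built from atomic and computed parts (constructed example)."""
import base64
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Computed indicator 1: geolocation via a constructed prefix-to-country table.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/25"): "West Hackistan",
    ipaddress.ip_network("203.0.113.128/25"): "East Hackistan",
    ipaddress.ip_network("198.51.100.0/24"): "Homeland",
}


def geolocate(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return "unknown"


# Computed indicator 2: MS Word document identified by magic number, not by
# the filename the sender chose.
WORD_MAGICS = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc (OLE2 compound file)",
    b"PK\x03\x04": "docx (OOXML zip container)",
}


def word_type(blob: bytes):
    for magic, label in WORD_MAGICS.items():
        if blob.startswith(magic):
            return label
    return None


# Atomic indicator: the C2 address (constructed; stands in for A.B.C.D).
C2_ADDRESSES = {"203.0.113.200"}
# Corroborating computed indicator: hashes of lures seen before (filled below).
KNOWN_BAD_SHA256: set = set()


@dataclass
class Email:
    src_ip: str
    relay_ip: str
    recipient_dept: str
    attachment_b64: str                           # attachment as carried in the message
    callbacks: list = field(default_factory=list)  # destinations seen after the file was opened


PROFILE = {"src_country": "West Hackistan", "relay_country": "East Hackistan",
           "target_dept": "sales"}
PROFILE_CHECKS = ("src_geo", "relay_geo", "targets_sales", "word_attachment", "c2_callback")


def match_profile(mail: Email) -> dict:
    """Evaluate every component of the profile and the combined behavioural match."""
    blob = base64.b64decode(mail.attachment_b64)
    digest = hashlib.sha256(blob).hexdigest()
    checks = {
        "src_geo": geolocate(mail.src_ip) == PROFILE["src_country"],
        "relay_geo": geolocate(mail.relay_ip) == PROFILE["relay_country"],
        "targets_sales": mail.recipient_dept == PROFILE["target_dept"],
        "word_attachment": word_type(blob) is not None,
        "c2_callback": any(dst in C2_ADDRESSES for dst in mail.callbacks),
        "known_hash": digest in KNOWN_BAD_SHA256,   # corroborates, but is not required
    }
    matched = [name for name, hit in checks.items() if hit]
    return {"checks": checks, "matched": matched, "score": len(matched),
            "profile_match": all(checks[k] for k in PROFILE_CHECKS), "sha256": digest}


# Constructed samples: an OLE2 header followed by lure text, and a plain-text note.
SAMPLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Upcoming benefits enrolment - please review"
KNOWN_BAD_SHA256.add(hashlib.sha256(SAMPLE_DOC).hexdigest())

SUSPECT = Email("203.0.113.10", "203.0.113.150", "sales",
                base64.b64encode(SAMPLE_DOC).decode(), ["203.0.113.200"])
BENIGN = Email("198.51.100.7", "198.51.100.8", "engineering",
               base64.b64encode(b"plain text meeting minutes").decode(), [])

if __name__ == "__main__":
    for label, mail in (("suspect", SUSPECT), ("benign", BENIGN)):
        result = match_profile(mail)
        print(label, result["profile_match"], result["score"], result["matched"])
```

The value of the behavioural indicator is in the combination: each part on its own (a West Hackistan source, a Word attachment, a message to sales) is common and would generate noise, whereas the `score` lets an analyst triage partial matches when the adversary changes one element of the chain.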

Relevant Note(s):

1. https://www.sans.org/blog/security-intelligence-attacking-the-cyber-kill-chain/
2. https://taosecurity.blogspot.com/2018/11/the-origin-of-term-indicators-of.html
3. https://www.ietf.org/rfc/rfc9424.html