Lesson 5.3 Developing and deploying indicators of compromise.
In this lesson, we will talk about how to identify sources of IOCs and understand how IOCs are used in the IR lifecycle.
There are a number of sources of IOC tools. These tools are open source. They are easy to use in most cases and allow you to scan a host or a network for indicators of compromise. Some of these require some command-line work; some of them have a GUI associated with them.
I'll just walk through them. The blue text is actually hyperlinked to the tool, for your ease in finding it, and I'll go through them briefly. One is FireEye's Redline tool. It's a Windows-based executable that you can run on a system, and it will help you scan for potential indicators of compromise and give you some results based on its findings.
Kroll has a tool called KAPE that was written by Eric Zimmerman. It allows you to scan for a number of things, including commonly accessed files and registry hives that malware could be using.
YARA is another tool that you can use, and there are YARA rules that can help you find indicators of compromise.
Google has an open source tool called Google Rapid Response, or GRR, that you can download and use.
Kali Linux is an open source distribution. It has a lot of penetration testing tools associated with it, but it also has a lot of forensic tools that can be used for IOCs. SANS has an open source product on the Linux operating system, called SIFT, that also has some great tools associated with it.
And then RegRipper is a program written by Harlan Carvey. It is also incorporated in KAPE, but if you just wanted to use it as a standalone tool to quickly look at registry hives for potential entries that could be consistent with malware, it's a great tool for that.
What are some potential IOCs that you might use in IR? Well, here are a few examples. One could be IP addresses. Also domain names, process names, and the file paths of executables. So, for instance, an inexperienced analyst may look at a number of processes running on a system, see svchost.exe,
and think that's normal: "I'm used to seeing that on a system." But where is that process actually coming from? Is it Windows\System32, where you would expect it to be? Or is it
some other location: the C: drive user's directory, Desktop or Downloads, or something like that, or Temporary Internet Files?
So you want to look at the path. Also service and registry changes for persistence, hash values of files that are known to be bad,
the services themselves,
and file names associated with malware or documents, things of that nature. File names are not really accurate; obviously they are easy to change, but they are quick to look for, so it isn't a bad thing to have on there, especially for early detection
of something that may have just landed on the network, when either the malware or the people behind it might not have had a chance to change file names yet.
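As an added example (not code from the lesson), here is a small Python scanner that applies the IOC types just listed, including the svchost.exe path check, to a constructed host inventory; every host name, address, domain, hash and file name in it is invented.

```python
# Added example, not from the lesson: a minimal IOC scanner run over a constructed
# host inventory. It applies the IOC types above (IPs, domains, hashes, file names)
# plus the "svchost.exe outside System32" path check. All values are invented;
# the sha256 strings are placeholders, not real malware hashes.

IOCS = {  # constructed IOC list, the kind an IR team maintains and scans on a schedule
    "ips": {"203.0.113.45"},            # RFC 5737 documentation address
    "domains": {"update-check.example"},
    "sha256": {"0" * 63 + "1"},         # placeholder hash
    "filenames": {"invoice_scan.exe"},
}
# Well-known Windows binaries and the directories they are expected to run from.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe"}
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def suspicious_path(path: str) -> bool:
    """A familiar system binary name running from Downloads, Temp, etc."""
    p = path.lower()
    return basename(p) in SYSTEM_BINARIES and not p.startswith(EXPECTED_DIRS)

def match_host(host: dict) -> list[str]:
    """Return IOC findings for one host record; an empty list means no match."""
    findings = []
    for proc in host["processes"]:
        if suspicious_path(proc["path"]):
            findings.append("path:" + proc["path"])
        if proc["sha256"].lower() in IOCS["sha256"]:
            findings.append("hash:" + proc["sha256"])
        if basename(proc["path"]) in IOCS["filenames"]:
            findings.append("name:" + basename(proc["path"]))
    for dest in host["connections"]:  # IPs or domains the host was seen talking to
        if dest in IOCS["ips"] or dest.lower() in IOCS["domains"]:
            findings.append("net:" + dest)
    return findings

def scan_hosts(hosts: list[dict]) -> dict[str, list[str]]:
    """Scan every host; keep only hosts with at least one finding (treat as compromised)."""
    return {h["name"]: hits for h in hosts if (hits := match_host(h))}

# Constructed inventory: ws01 is clean, ws02 matches several IOCs.
HOSTS = [
    {"name": "ws01", "connections": ["198.51.100.10"],
     "processes": [{"path": r"C:\Windows\System32\svchost.exe", "sha256": "a" * 64}]},
    {"name": "ws02", "connections": ["203.0.113.45", "update-check.example"],
     "processes": [{"path": r"C:\Users\bob\Downloads\svchost.exe", "sha256": "0" * 63 + "1"},
                   {"path": r"C:\Users\bob\Desktop\invoice_scan.exe", "sha256": "b" * 64}]},
]
```

Calling `scan_hosts(HOSTS)` reports only ws02, with its suspicious svchost.exe path, the matching hash, the known file name and both network destinations.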
So we've talked about tools to use to look for IOCs. But how do you find the actual IOCs themselves? Here are a couple of sources you might look to. Threat intel may very well give you feeds of IOCs that were found in other compromises and intrusions, from organizations that share them.
I've mentioned before, when we talked about threat hunting teams and threat intelligence, how you can get open source threat intel.
A SIEM tool may also feed this information to you. A compromised host itself: of course, you're going to want to do forensics, and part of that examination should be with the intent of finding indicators of compromise. So, for instance, if you have a compromised host,
you'll look through: How did the host get compromised? What was downloaded to the system? What calls were made? Were there registry changes made? What was the file path of things? Was there an initial dropper that then downloaded additional files? Were there services created? You'll want to find all that information out and then
use these tools to create those indicators of compromise so that you can quickly scan your environment to see:
Well, are there any other hosts on my network that have these same characteristics? And if so, we should consider them compromised also. So look at network forensics also: command and control traffic, packet captures, that sort of thing.
And of course, a threat hunting team may have actually been the one to identify this and provide you with IOCs to look for.
To deploy them, usually we see IR teams maintaining lists of IOCs that are scanned by SIEMs or some other device or appliance on a regular basis.
IOC scans can either be done proactively or ad hoc. It's not uncommon for an organization to hire
a team or consultant to come in
during an incident, and during that time they may bring their own appliance with them and actually do an ad hoc scan of your network based on the IOCs that they bring with them, to find commonly seen malware or traffic that would lead them to believe that there is a compromise.
And enterprise tools that might not be considered
cyber security tools can also look for files, services, hash values, et cetera. So think outside of the box. Maybe IT has tools that they use for NetFlow, for network communications, for logging from servers, or for their virtualization equipment and applications, that could also be used to help you out. So consider those things as well.
All right, quiz question for this lesson. A threat hunting team discovers a previously unknown compromise and develops a list of items related to the attack, such as IP addresses and process names.
What would you call this list?
A. PII
B. Classified information
C. IOCs
If you picked IOCs, you are correct. That's exactly what those are: indicators of the compromise. They could be classified information too, if that's the world you live in, but for the purposes of this course, we're going to say they're IOCs.
So, in summary, in this lesson we talked about the sources of IOCs and also how IOCs are used in the IR lifecycle.