Keypoints:
- IoCs are crucial for identifying traces of cyberattacks.
- They help in quickly detecting incidents and developing effective responses.
- Different terms used for IoCs include “security breaches” and “compromise indicators.”
- Common examples of IoCs include network traffic anomalies and unusual login attempts.
- IoCs can be file-based, network-based, behavioral, email-based, or malware-based.
- Detection of IoCs involves various tools like SIEM, XDR, and threat intelligence platforms.
- Effective sharing of IoCs enhances the response to threats.
MITRE Techniques:
- APT29 (Cozy Bear) – Targeted phishing and PowerShell-based attack tactics are documented in security reports.
- WannaCry – The command ‘vssadmin delete shadows /all /quiet’ is used to eliminate data recovery chances.
- Mirai Botnet – The IP address 185.92.220.195 is a real C2 address used in past attacks.
- TrickBot – The IP address 91.234.35.82 is a real C2 address associated with TrickBot.
- Stuxnet – Utilizes USB devices to gain access to PLCs (Programmable Logic Controllers).
Indicators of Compromise:
- [IP Address] 185.92.220.195
- [IP Address] 91.234.35.82
- [Domain] neon9[.]top
- [URL] http[://]httsupply.com/f/docs/Invoice-Oct-47521.doc
- [File Name] C:\Windows\perfc.dat
Definition and Importance of Indicators of Compromise (IOC)
Indicators of Compromise (IOC) are technical indicators that bear traces of a cyber attack. These indicators help identify abnormal behaviors observed in systems, networks, or devices. IOCs are critical for identifying malicious activities, quickly detecting incidents, and developing effective responses to threats. They particularly enable cybersecurity teams to detect threats at an early stage.
In cybersecurity literature, IOCs can be referred to by two different terms: “security breaches” or “indicators of compromise.” While “security breaches” generally describe negative situations occurring within a system, “indicators of compromise” are concrete evidence that assists in the detection of these breaches. This distinction enhances the understanding of the concepts both in the incident response process and in threat analysis.
IOCs are utilized in a wide range of activities, from detecting the presence of malware to analyzing suspicious network traffic, and they are one of the most critical components of an organization’s security posture.
Most Prominent Indicators of Compromise (IOC) Data
Here are some of the most notable IOC examples that information security teams should consider:
- Network Traffic Anomalies
- Unusual DNS Requests
- Unusual Login Attempts
- Abnormal Activities of Privileged Users
- Changes in System Configurations
- Unexpected Software Installations or Updates
- Numerous Requests for the Same File
- Growth in HTML Responses
- Increase in Database Reads
- Unusual Changes in the Registry
- Network Traffic Indicating Brute Force Attacks
- Unknown Files, Applications, and Processes in the System
- Signs of DDoS Activity
IOCs can take various forms, each playing a role in detecting a different kind of threat. Common types of IOCs include:
File-Based IOCs
- Hash Values
  - The WannaCry hash 2ccef1e9c1b5b7aadcb2c387705fc7c9 is a real WannaCry hash. Source: extracted from WannaCry analysis reports.
- File Names and Paths
  - The file path used by NotPetya, C:\Windows\perfc.dat, is a real NotPetya IOC. Source: security reports and analysis on NotPetya.
Network-Based IOCs
- IP Addresses
  - The Mirai botnet IP address 185.92.220.195 is a real Mirai C2 address. Note: this address was used in the past; Mirai attacks have shifted to other addresses over time.
- Domain Names
  - The Emotet domain neon9.top is a real Emotet IOC; it appears in lists of domains used by Emotet.
- URLs
  - The Dridex URL http://httsupply.com/f/docs/Invoice-Oct-47521.doc has been listed as a Dridex sample in past reports. However, URLs change frequently and may lose their validity.
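Matching the file- and network-based indicator types above against telemetry is the first thing a detection team does with a feed. The following is an added example, not code from the article: the feed is constructed from the indicators this article lists, written in the defanged form feeds usually share them, and the log lines are constructed samples.

```python
import re
# Constructed IoC feed from the indicators this article lists, defanged as feeds share them.
IOC_FEED = {
    "md5": ["2ccef1e9c1b5b7aadcb2c387705fc7c9"],
    "ipv4": ["185.92.220.195", "91.234.35.82"],
    "domain": ["neon9[.]top"],
    "url": ["hxxp[://]httsupply[.]com/f/docs/Invoice-Oct-47521.doc"],
}

def refang(indicator: str) -> str:
    """Undo common defanging so feed values compare equal to raw telemetry."""
    s = indicator.replace("[.]", ".").replace("(.)", ".").replace("[://]", "://")
    return re.sub(r"^hxxp", "http", s, flags=re.I).lower()

def build_index(feed):
    return {kind: {refang(v) for v in values} for kind, values in feed.items()}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")

def scan_line(line, index):
    """Return the (kind, value) indicator hits found in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in index["ipv4"]:
            hits.append(("ipv4", ip))
    for h in MD5_RE.findall(line):  # hashes compare case-insensitively
        if h.lower() in index["md5"]:
            hits.append(("md5", h.lower()))
    for url in URL_RE.findall(line):
        if url.lower() in index["url"]:
            hits.append(("url", url.lower()))
    for host in HOST_RE.findall(line.lower()):  # bare hostnames, e.g. DNS query logs
        if host in index["domain"]:
            hits.append(("domain", host))
    return hits

# Constructed sample telemetry (firewall, DNS, proxy, EDR), not real captures.
SAMPLE_LOGS = [
    "2024-05-01T10:01:02Z fw: ACCEPT src=10.0.0.5 dst=185.92.220.195 dport=23",
    "2024-05-01T10:02:10Z dns: query neon9.top from 10.0.0.7",
    "2024-05-01T10:03:44Z proxy: GET http://httsupply.com/f/docs/Invoice-Oct-47521.doc",
    "2024-05-01T10:04:00Z edr: new file md5=2CCEF1E9C1B5B7AADCB2C387705FC7C9 path=C:\\Users\\a\\x.exe",
    "2024-05-01T10:05:00Z fw: ACCEPT src=10.0.0.5 dst=8.8.8.8 dport=53",
]

def scan_logs(lines, feed=IOC_FEED):
    """Return [(line_number, (kind, value)), ...] for every hit across the log."""
    index = build_index(feed)
    return [(n, hit) for n, line in enumerate(lines) for hit in scan_line(line, index)]
```

The benign last line produces no hit, which is the check that matters as much as the four true positives.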
Behavioral IOCs
- System or User Interactions
  - Logging in with administrative privileges late at night: a general anomaly, not specific to any attack.
- Suspicious Processes
  - The command vssadmin delete shadows /all /quiet in WannaCry: real WannaCry behavior used to eliminate the chance of data recovery.
- Memory or RAM-Based Traces
  - Extracting passwords from memory using Mimikatz: a real IOC, widely documented in the cybersecurity world.
Email-Based IOCs
- Phishing Emails
  - Email addresses such as support@meɗium.com are templates used in phishing attacks: a visually similar character (“ɗ”, a Latin letter with hook used in some African alphabets) replaces the letter “d”. This technique is commonly employed to deceive users, but this email address is not a specific IOC example.
Sample Phishing Content:
Subject: Critical Update Needed for Your Medium Account!
Sender: support@meɗium.com (This address is one of the examples in phishing cases.)
Message Content:
Hello [Medium User],
Due to our recent security update, you need to verify your account. Otherwise, your blogs and entire account may be deleted.
Click the link below to verify now:
Update My Account (This link is not a real IOC)
Please complete this process within 24 hours.
Thank you,
Medium Security Team
Header Information
Sender IP address and fake SPF record:
IP: 198.51.100.99 (This IP address is given as an example, not a specific IOC.)
Header: Received: from fake.mediumserver.com (This header format is a sample model, not a specific IOC.)
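A mail gateway can catch the look-alike sender above mechanically: list the non-ASCII characters in the sender domain and check whether the domain collapses onto a trusted one once confusable letters are mapped to their ASCII base. Added example, not code from the article; TRUSTED_DOMAINS and the LOOKALIKES table are constructed for this illustration, and the table is a small hand-picked subset, not the full Unicode confusables list.

```python
import unicodedata

# Sender domains the organization treats as legitimate (constructed for this example).
TRUSTED_DOMAINS = {"medium.com"}

# Hand-picked Latin letters with hooks that imitate plain ASCII letters.
# A real deployment would load the Unicode confusables.txt data instead.
LOOKALIKES = {"ɗ": "d", "ɓ": "b", "ƈ": "c", "ɠ": "g", "ƙ": "k",
              "ɲ": "n", "ƥ": "p", "ƭ": "t", "ı": "i"}

def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()

def non_ascii(domain: str):
    """Every non-ASCII character in the domain, with its Unicode name for the analyst."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in domain if ord(ch) > 127]

def skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII string it visually imitates: NFKD decomposition
    strips accents and compatibility forms, then LOOKALIKES maps hooked letters."""
    chars = [c for c in unicodedata.normalize("NFKD", domain) if not unicodedata.combining(c)]
    return "".join(LOOKALIKES.get(c, c) for c in chars)

def assess_sender(address: str) -> dict:
    """Flag a sender whose domain is not trusted but whose skeleton is a trusted domain."""
    dom = sender_domain(address)
    skel = skeleton(dom)
    impersonates = skel if dom not in TRUSTED_DOMAINS and skel in TRUSTED_DOMAINS else None
    return {
        "domain": dom,
        "non_ascii": non_ascii(dom),
        "impersonates": impersonates,
        "suspicious": impersonates is not None,
    }
```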
Malware-Based IOCs
- Command and Control (C2) Indicators
  - The TrickBot IP address 91.234.35.82 is a real TrickBot C2 address. Source: TrickBot analysis reports.
- Exploit Kits
  - The Angler Exploit Kit URL http://example.com/landing.php?id=10234 is a general format example, not a specific IOC.
System and Log-Based IOCs
- Anomalous Log Entries
  - Example of an SSH brute-force attack: the log line Failed password for root from 192.168.1.200 port 22 is a general example, not a real IOC.
- Registry Changes (Windows)
  - The Kovter registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vchost is a real Kovter IOC.
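A single Failed password line like the one above is noise; the indicator is the rate. Added example, not code from the article: it parses OpenSSH failure lines in syslog format and alerts on any source that produces at least threshold failures inside a sliding window. The threshold, window and auth.log excerpt are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the OpenSSH failure line quoted above: syslog timestamp, host, sshd[pid].
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(lines, year=2024):
    """Yield (timestamp, user, source_ip) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: (peak_failures_in_window, usernames_tried)} for every
    source with at least `threshold` failed passwords inside a sliding `window`."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, (0, set()))[0]:
                alerts[ip] = (count, {u for _, u in events[start:end + 1]})
    return alerts

# Constructed auth.log excerpt: one spraying source and one user mistyping a password twice.
SAMPLE_AUTH_LOG = [
    "May  1 10:00:01 host sshd[1201]: Failed password for root from 192.168.1.200 port 22 ssh2",
    "May  1 10:00:03 host sshd[1202]: Failed password for root from 192.168.1.200 port 22 ssh2",
    "May  1 10:00:05 host sshd[1203]: Failed password for invalid user admin from 192.168.1.200 port 22 ssh2",
    "May  1 10:00:07 host sshd[1204]: Failed password for invalid user test from 192.168.1.200 port 22 ssh2",
    "May  1 10:00:09 host sshd[1205]: Failed password for root from 192.168.1.200 port 22 ssh2",
    "May  1 10:00:10 host sshd[1206]: Accepted publickey for alice from 10.0.0.9 port 51514 ssh2",
    "May  1 10:30:00 host sshd[1300]: Failed password for bob from 10.0.0.9 port 40000 ssh2",
    "May  1 10:45:00 host sshd[1301]: Failed password for bob from 10.0.0.9 port 40001 ssh2",
]
```

The two failures from 10.0.0.9 are fifteen minutes apart and never enter the same window, so only the spraying source is reported, together with the usernames it tried.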
TTP (Tactics, Techniques, and Procedures)
- Methods used by APT29 (Cozy Bear): these are real pieces of information and techniques. APT29's targeted phishing and PowerShell-based attack tactics have been detailed in security reports.
Physical IOCs
- USB devices for Stuxnet: this is a real Stuxnet tactic. Access to PLCs (Programmable Logic Controllers) was gained through USB drives.
Detection and Response Process for IOCs
Indicators of Compromise (IOCs) are crucial as symptoms of cyber threats, enabling security teams to detect and mitigate attacks. These indicators are identified through various security tools and methods and are then neutralized through incident response processes.
Identification of IOCs
IOCs are determined through the collection, analysis, and detection of threat indicators from security data. The essential tools used in this process include:
- SIEM Tools: Analyze network and system logs to report suspicious activities (e.g., Splunk, IBM QRadar).
- XDR and EDR Tools: Collect data from endpoints and networks to analyze threats from a broad perspective (e.g., CrowdStrike Falcon, Palo Alto Cortex XDR).
- Network Traffic Analysis Tools: Detect malicious IP addresses, port connections, and URLs (e.g., Zeek, Wireshark).
- Threat Intelligence Tools: Match with global threat databases (e.g., MISP, Anomali).
- Machine Learning-Based Tools: Detect abnormal activities in large data sets (e.g., Darktrace, Vectra AI).
- Forensic Tools: Analyze system files and memory changes to reveal IOCs (e.g., FTK, Autopsy).
Responding to IOCs
Once an IOC is detected, the following steps are taken:
- Isolation of the System: Relevant systems are isolated to prevent the spread of the threat.
- Elimination of the Threat: Malicious files or processes are removed.
- Containment of Damage: Measures are taken to restore affected systems and ensure business continuity.
- Forensic Analysis and Improvement: The source of the attack is identified, and defenses are strengthened against similar attacks.
The integration of these tools and methods allows security teams to detect and respond to threats more quickly and effectively.
Role of IOC Sharing and Threat Intelligence Platforms
Effective sharing of Indicators of Compromise (IOCs) enables security teams to respond to threats more rapidly and effectively. Standard protocols and threat intelligence platforms play an important role in this process.
Standardized Protocols
Protocols used for the sharing and management of IOCs ensure the orderly and understandable transmission of threat data:
- OpenIOC: A format created for the sharing of IOCs.
- YARA: A rule language used for detecting and classifying malware.
- CybOX: A standard language for defining threat data (Cyber Observable eXpression).
- STIX: A format used to represent and share threat information.
- TLP (Traffic Light Protocol): Regulates sharing by determining the confidentiality level of information.
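STIX and TLP meet in practice when an indicator is packaged for sharing: the indicator becomes a STIX 2.1 Indicator object whose pattern expresses the observable, and the TLP level is attached as a marking reference. Added example, not code from the article: it builds such objects for the indicators named on this page with the standard library only, using the marking-definition IDs the STIX 2.1 specification fixes for TLP. The export time is pinned so the output is reproducible.

```python
import json
import uuid
from datetime import datetime, timezone
# STIX 2.1 pattern templates for the indicator types discussed in this article.
PATTERNS = {
    "md5": "[file:hashes.MD5 = '{v}']",
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "registry": "[windows-registry-key:key = '{v}']",
}
# Marking-definition IDs that the STIX 2.1 specification fixes for the TLP levels.
TLP_MARKING = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-dbdf-4b9f-9a25-08fe7ea2ee7a",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}

def stix_literal(value: str) -> str:
    """Escape a value for use inside a single-quoted STIX pattern string constant."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def make_indicator(kind, value, name, tlp="amber", when=None):
    """Build one STIX 2.1 Indicator object carrying a TLP marking."""
    ts = (when or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts, "valid_from": ts,
        "name": name,
        "pattern": PATTERNS[kind].format(v=stix_literal(value)),
        "pattern_type": "stix",
        "object_marking_refs": [TLP_MARKING[tlp]],
    }

def make_bundle(indicators):
    """Wrap indicators in a STIX 2.1 Bundle for exchange."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(indicators)}

# Indicators named in this article; the registry hive is written out in full as STIX expects.
ARTICLE_IOCS = [
    ("md5", "2ccef1e9c1b5b7aadcb2c387705fc7c9", "WannaCry sample"),
    ("ipv4", "91.234.35.82", "TrickBot C2"),
    ("domain", "neon9.top", "Emotet domain"),
    ("registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vchost", "Kovter persistence"),
]

def export_article_iocs(when=datetime(2024, 5, 1, tzinfo=timezone.utc)) -> str:
    """Serialize the article's indicators as a JSON bundle (the fixed time keeps output stable)."""
    return json.dumps(make_bundle(make_indicator(k, v, n, when=when) for k, v, n in ARTICLE_IOCS), indent=2)
```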
Threat Intelligence Platforms
These platforms collect, analyze, and share threat information, giving security teams a broad perspective on threats.
- AlienVault OTX: A platform that allows users to share open threat intelligence. Ideal for tracking threat actors and accessing up-to-date IOCs.
- ThreatConnect: A platform that supports analysis and collaboration on threats, providing comprehensive threat context for enterprise security teams.
- Talos Intelligence: A service provided by Cisco, offering a comprehensive resource for malware, attack patterns, and real-time threat intelligence.
- VirusTotal: Allows analysis of files and URLs to detect malicious content. It is often used for discovering and comparing IOCs.
Malware Analysis Tools
These tools used in malware analysis enable in-depth analysis of suspicious content:
- MalwareBazaar: A platform where malware samples are shared. Researchers can download and analyze specific malware samples.
- Hybrid Analysis: A dynamic analysis platform where suspicious files and URLs are analyzed and detailed reports are provided.
- ANY.RUN: Allows users to analyze suspicious files through real-time, interactive malware analysis.