The “IBM X-Force Threat Intelligence Quarterly – 4Q 2015” includes an article discussing indicators of compromise (IoCs), titled “The Power of Indicators of Compromise for Incident Forensics.” They can also be known as observables since they are artifacts that one can observe within the system’s environment.
As that article noted, IoCs are part of the digital evidence that an attack may have occurred. Once alerted to suspicious activity, the network security team tracks down IoCs related to the activity and uses them to assess the threat. In the past, that assessment could be difficult and inconclusive. With the spread of threat intelligence sharing, however, the effort has become considerably easier — though not always more conclusive.
What Is an Indicator of Compromise?
Indicators of compromise come in two basic flavors: activities that alert you to the possibility of an attack and digital artifacts that may indicate an attack. The first category describes anomalous or suspicious activities within your network and systems. Examples include:
- Unusual usage patterns for privileged identities, especially when they access systems they normally don’t or at times of day at which they normally would not be on the clock;
- Unusual traffic patterns between internal systems;
- Unusual traffic patterns or loads from internal to external systems;
- Surges in database retrievals; and
- Geographical irregularities such as remote administrative access to your systems from geographies alien to your operations. For example, you have no assets in Zimbabwe, but someone in Zimbabwe uses administrative credentials to access your network’s assets.
The other category of IoCs includes digital artifacts that can appear on a host computer or network that may indicate compromise or activity by malicious software. Host-based indicators of compromise include things like files, registry entries, named synchronization primitives and processes.
The X-Force Exchange — and this article — focuses on IoCs that appear on the network, including usernames and certificates, IP addresses, domain names, URLs and the names and hash codes of files being transmitted. You find them in your host logs, security and network device logs and security information and event management (SIEM) systems. Once you start researching IoCs, you encounter related artifacts and information such as:
- Disclosed vulnerabilities;
- Malware family names;
- Internet applications;
- Products affected;
- Protection signatures offered; and
- Fixes and updates.
How Do You Use IoCs?
IoCs provide the first concrete targets for your investigation. The investigation might begin due to anomalies in the behavior of a host or some odd network traffic. It quickly leads to IoCs such as the IP addresses, host names and URLs that the suspicious host accessed and the identities of the files it sends and receives.
Indicators can include both artifacts outside your network and those inside. These present two very different investigative paths. If your organization follows best practices, you can very quickly determine whether that back-office host should actually be serving FTP traffic. If not, you may be looking at evidence of the efforts of an attacker who already has a foothold in your systems.
Investigating IP addresses and domain names outside your network and systems present a more difficult task. You need to assess them to determine whether they represent traces of an attack, and that requires external threat intelligence resources that probably are not organic to your systems or operations.
Using X-Force Exchange as an Investigative Aid
That’s where X-Force Exchange comes in. It can help you assess the risk of the indicators you have and can sometimes lead you to other ones you should look for in your environment. Typically, an investigation starts with one or two IP addresses, domain names or URLs. It spreads out from there to assess the chances that those indicators really do signal malicious activity. This early in the hunt, you will probably just use X-Force Exchange to retrieve reputation information about your handful of indicators.
Remember that your searches only include Collections when you have logged in to X-Force Exchange. As an example, let’s say that your logs reported a host name that you don’t recognize, grado.selfip.com, so you search for it in Exchange. The graphic below shows what you would have received.
If your research indicates a potential attack, you can create an Exchange Collection to pull together all the information you find during the investigation — like incident case files without the manila folders. When you create a Collection, it will be private to you. You can share it with other specific X-Force Exchange users or with the world once you create it.
The following graphic show a brand new Collection named New Collection Example (the text appears for this article, not in an actual new collection):
On the right side of the screen, you start to see some of the real power of Exchange. The top area, labeled Private Collection, allows you to manage the visibility of the Collection, including sharing it with other users or the public at large, or even deleting it. When you share a Collection, you can choose whether others may edit or update it.
Just below that, you find a bar with five icons that allow you to:
- Attach files to the Collection;
- Associate reports for up to fifty indicators with the Collection in one operation;
- Download the Collection in STIX format;
- Create a copy of the Collection;
- Link this Collection to an existing Collection.
Below that, the Reports section lists the artifact reports attached to the Collection.
The Version History section lets you see who edited the Collection and when. Clicking on a version lets you see the Collection up to that particular point in time.
The Attachments section shows the files attached to the Collection. They could contain anything from lists of indicators to more in-depth analysis of the components of the attack.
Finally, the Linked Collections section identifies the other Collections to which this one has been linked.
Here’s an example of a real public Collection on X-Force Exchange. It describes a 2012 attack on the security company Bit9.
The power of the Collection begins when you use your new Collection to track an investigation. Search for one of the IoCs you found in your network. As an example, we’ll use the host name grado.selfip.com. The report shows it as high-risk (seven out of 10) and said it is known for banner advertisements. Luckily, the sensor network has not seen malware coming from it. Unluckily, it’s part of a Collection, which means someone has reported it as being involved in something at least suspicious. You definitely want to include this one in your investigation.
A small folder-plus icon in the upper right corner of the report allows you to associate the report with your Collection. A dialog box appears when you click it, and you can type or select the name of your Collection to associate this report with it. When you associate a report with a Collection, Exchange saves a snapshot of the report at the moment you add it. When viewing the Collection, clicking on a report brings up the snapshot. That snapshot also has a button to let you see what the current data on the artifact is in case it has since changed.
As you work through investigation of your IoCs, you can keep notes in the wiki page section of the Collection. You can share the Collection with the members of your team so that you can collaborate on the investigation. Create links to other Collections when you notice indicators that show up in them as well as in your investigation. If it turns out to actually be an attack, you can share the Collection more widely or even make it public to solicit information from others and raise their awareness.
Additionally, Exchange provides detailed reports on disclosed vulnerabilities. When your investigation finds a particular software system attacked, the vulnerability reports can inform you of other products exposed to the same attack, the availability of patches for those products and the IBM Security Network Protection signatures available to ward off the attacks.
Working the Incident
Now take a closer look at the details in the reports for your indicators. The first things you’ll notice are the risk assessment and the reputation categories for the indicator. For IP addresses, you’ll also see an indicator of the geolocation. For domains and URLs, the report will identify any known Internet Applications hosted there. For MD5s, it will tell you what fraction of virus scanners detect the sample as malware.
The reports also give you a history of the changes to the indicator. For IP addresses, URLs and host names, the reports identify any malware known to be associated with the indicator. For example, if the sensors notice a piece of malware traveling as an email attachment, the report will reflect the association between that malware sample, the sending domain (probably forged) and the sending IP address.
You’re looking for risk in the individual indicators, but you also need to see if there’s a trail of risk that connects the indicators. For example, you’re looking for high-risk URLs associated with high-risk IP addresses and the malware associated with either or both. If the indicators appear in other collections, those references can be telling, as well. Perhaps others are suffering the same attack that you are.
Collections in X-Force Exchange can represent several types of information. When researching a real or potential intrusion, a Collection represents an incident. When several incidents use the same infrastructure, tactics and tools, a Collection can corral them to represent the attack. When several attacks share infrastructure, tactics and tools, another Collection can gather information to represent a campaign. And when several campaigns share infrastructure, tactics and tools, yet another Collection can unite them to provide an overview of the villain behind all that activity.
The primary mechanism to recognize these relationships lies in the Link Collection functionality mentioned above. In addition, the Exchange has other collection types, including collections for significant announcements, original malware and Exploit Kit research reports from IBM Security.
An article this short cannot do justice to the possibilities. IBM X-Force Exchange offers incident response personnel a place where they can track and share evidence and discoveries, as well as use intelligence from IBM X-Force and other users to assess the evidence uncovered by their investigation. The Exchange also offers a broader base of real incident, attack and campaign data from actual sources and attacks for researchers looking for patterns to malicious activity.
Please be aware that this article discusses the abilities of X-Force Exchange when the article was written. IBM updates Exchange every two weeks, and it may change by the time you have a chance to experience it. In addition, the Exchange reports live data from an active sensor network. If you make the same query on different days, the later query may contain information that wasn’t available yet the first time.