Indicators of Compromise Lifecycle Management

Threat Intelligence (TI) platforms work with knowledge about cyber security threats: attacks, attackers, targets, motivations, tools, malware, vulnerabilities and indicators of compromise. This knowledge must be fact-based – verified, timely, and sufficient to make decisions on adequate protection measures.

In general terms, an Indicator of Compromise (IoC) is a digital artifact that points either to the potential maliciousness of the object it describes or to the fact that an information system has been compromised, or both.

In practice, the following indicator types are used when working with TI data:

  • IP addresses
  • domains
  • files
  • URLs (links)
  • file hashes
  • email addresses
  • bank card numbers
  • accounts

The life cycle of an indicator of compromise

Each indicator has its own life cycle, i.e. the period during which it is still, with high probability, associated with malicious activity. Some indicators remain “dangerous” for a few days, others for months. When this period expires, the indicator loses its relevance; in other words, it becomes obsolete.

The life cycle of an indicator begins when a security analyst or a security tool detects a threat. The signs of malicious activity, that is, the objects and data associated with the detected threat, show that a system has been compromised and are treated as indicators of compromise. The collected data, with or (sometimes) without additional context, is assembled into so-called feeds that are routinely distributed by various Threat Intelligence data providers.

The challenge is that sources do not always provide unique data: they supplement and partially duplicate one another. It is therefore important to process incoming streams promptly and track every change, so that the analyst works only with truly relevant information. Specialized platforms such as the Defensys Threat Intelligence Platform (Defensys TIP) simplify this work by automatically collecting, normalizing and storing data from many sources in a single database.
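The normalization and de-duplication step is where most of the value of a single database comes from, and it is also where careless handling either produces duplicates or lets garbage in. The following is an added Python illustration of that step, not Defensys TIP code: it canonicalizes indicators from two constructed feeds (defanged domains and URLs, mixed case, a trailing dot, a malformed IP address) and merges them into one table keyed by type and canonical value, remembering which sources reported each. The feed names and records are constructed for the example.

```python
"""Normalise and de-duplicate indicators arriving from several TI feeds.

Added example for illustration only: it is not Defensys TIP code. The two
feeds below and their source names are constructed for this example.
"""
import ipaddress
import re

# Constructed feeds that overlap and use different conventions: defanged
# domains/URLs, mixed case, stray whitespace, and one malformed address.
FEEDS = {
    "feed_a": [
        {"type": "domain", "value": "Evil-Update[.]example"},
        {"type": "url", "value": "hxxp://Evil-Update[.]example/payload.bin"},
        {"type": "ip", "value": " 198.51.100.23 "},
        {"type": "sha256", "value": "AB12" + "cd" * 30},
    ],
    "feed_b": [
        {"type": "domain", "value": "evil-update.example."},
        {"type": "ip", "value": "198.51.100.23"},
        {"type": "ip", "value": "999.51.100.23"},            # malformed, must be rejected
        {"type": "md5", "value": "D41D8CD98F00B204E9800998ECF8427E"},
    ],
}

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def refang(value: str) -> str:
    """Undo common defanging so the same artefact compares equal across feeds."""
    value = value.strip()
    value = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", value)      # [.] (.) {.}  ->  .
    value = re.sub(r"^hxxp", "http", value, flags=re.I)     # hxxp(s):// -> http(s)://
    return value


def normalize(ioc_type: str, value: str) -> str:
    """Return the canonical form of an indicator; raise ValueError if it is malformed."""
    v = refang(value)
    if ioc_type == "domain":
        return v.lower().rstrip(".")                         # drop trailing FQDN dot
    if ioc_type == "ip":
        return str(ipaddress.ip_address(v))                  # validates and canonicalises (IPv6 too)
    if ioc_type in HASH_LEN:
        v = v.lower()
        if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[ioc_type], v):
            raise ValueError(f"malformed {ioc_type}: {value!r}")
        return v
    if ioc_type == "url":
        scheme, sep, rest = v.partition("://")
        host, slash, path = rest.partition("/")
        return scheme.lower() + sep + host.lower() + slash + path   # path stays case-sensitive
    raise ValueError(f"unsupported indicator type: {ioc_type}")


def merge_feeds(feeds):
    """Fold all feeds into one table keyed by (type, canonical value), keeping every source."""
    merged, rejected = {}, []
    for source, records in feeds.items():
        for rec in records:
            try:
                key = (rec["type"], normalize(rec["type"], rec["value"]))
            except ValueError as exc:
                rejected.append((source, rec["value"], str(exc)))
                continue
            merged.setdefault(key, set()).add(source)
    return merged, rejected


if __name__ == "__main__":
    table, bad = merge_feeds(FEEDS)
    for (ioc_type, value), sources in sorted(table.items()):
        print(f"{ioc_type:7} {value:45} sources={sorted(sources)}")
    print("rejected:", bad)
```

Two points worth noting in practice: validation has to happen at ingestion (an indicator that is not a valid address or hash will never match anything and only inflates the database), and the URL path is deliberately left case-sensitive while scheme and host are lowercased, because web servers treat them differently.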

In the Defensys TIP, an indicator goes through the following processing steps:

  • Obtaining the indicator from Threat Intelligence data providers;
  • Enriching the indicator with additional context. Enrichment services provide further information about an indicator, such as its ASN, geolocation, the list of subdomains of a malicious domain, its DNS change history, etc.;
  • Loss of relevance (obsolescence).

An IoC can pass through these stages several times, in full or in part.

Indicators of compromise do not exist in a vacuum: each of them is associated with some kind of malicious activity. IP addresses and domains, for example, may belong to botnets or to command-and-control (C&C) servers.

During an incident investigation, indicators of compromise are considered together with other entities: malware, vulnerabilities, threat groups, etc. For example, when analysts discover a new malware sample and report on its activity, the report should include the indicators of compromise associated with it, such as the hashes of malicious files, malicious URLs and so on. If a report already provides all this, why are organization-specific indicators of compromise needed? To answer this question, let us turn to the well-known “pyramid of pain” proposed by analyst David Bianco.

The pyramid ranks indicator types by how hard they are for a defender to detect and use and, at the same time, by how much “pain” their detection inflicts on the attacker: hash values and IP addresses at the bottom, then domain names, network and host artifacts, tools, and finally the attacker's tactics, techniques and procedures (TTPs) at the top. Knowledge of individual indicators is easy to apply, for example by detecting and blocking a malicious IP address, but this costs the attacker little: they can simply switch to another one. Determining which tools the intruder is using is harder, but it is also far more “painful” for the attacker. In any case, finding indicators in your own infrastructure means that malicious activity against it is probably already underway.

The Defensys TIP detection engine can run reactive and retrospective searches for indicators across the infrastructure, shortening the time an attacker can remain in your network. The most effective way to accomplish this is with the Defensys TDP (Threat Deception Platform), an IT infrastructure simulation platform for detecting cyberattacks, which can also feed indicators of compromise into the Defensys TIP. When the infrastructure has already been exposed to malicious activity, Defensys TIP users can also automate the creation of and response to information security incidents through seamless integration with the Defensys SOAR system.

Finally, through integrations with security tools, it is possible to act on malicious activity at the level of the tools themselves, e.g. by blocking malicious URLs. Working with IoCs thus makes it possible to build an effective system for countering cyberattacks, both proactively and at the stage when the infrastructure has already been compromised.

Obsolescence of an indicator of compromise

Over time an indicator of compromise loses its relevance, that is, it becomes obsolete. The Defensys TIP has a mechanism that supports different approaches to indicator obsolescence, so that only up-to-date indicators are analyzed and processed further. The obsolescence setting is configured per source and applies to all indicators received from that source.

There are two configuration options in the system:

  1. Automatic obsolescence mechanism

As soon as an indicator is no longer mentioned by any source, it is considered obsolete. If any source later sends data about a previously obsolete indicator in one of its updates, the indicator becomes up-to-date again.

  2. User settings

The user sets the IoC obsolescence period independently, counted either from the indicator's creation date or from the date of its last modification.

The maliciousness of an indicator, i.e. its potential danger to the system, is expressed by its rating. The rating calculation also relies on the concept of obsolescence: in the system settings the Defensys TIP user specifies the period over which an indicator loses its maliciousness, and the indicator's rating decreases over that period at a corresponding rate.

Thus, the Defensys TIP offers two ways in which indicators can lose their maliciousness. The user influences obsolescence directly by configuring the obsolescence policy, and indirectly by configuring the parameters involved in calculating the rating. Managing the obsolescence process also significantly reduces the number of indicators system users have to handle, saving time and resources for specialists and for the company as a whole.
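The following Python example, added here for illustration and not Defensys TIP code, models the two obsolescence options and the rating decay described above, and shows why they matter for detection: a retrospective search over constructed log lines that uses only the indicators still relevant at the time of the search. The field names, the linear decay formula (the rating falls to zero over a configurable period counted from the last modification), the feed snapshots and the log lines are all assumptions made for the example.

```python
"""Indicator lifecycle: automatic obsolescence, a user-set TTL, rating decay and a
retrospective log search that uses only still-relevant indicators.

Added example for illustration only, not Defensys TIP code: the field names, the
linear decay formula, the feed snapshots and the log lines are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Indicator:
    ioc_type: str
    value: str
    base_rating: int                       # maliciousness as delivered by the feed, 0..100
    created: datetime
    modified: datetime
    sources: set = field(default_factory=set)   # feeds that currently list the indicator


class IocStore:
    def __init__(self, ttl=None, ttl_from="modified", rating_decay=timedelta(days=30)):
        # ttl=None: automatic mode, the indicator lives while at least one source lists it.
        # ttl set:  user policy, obsolete `ttl` after creation or after the last modification.
        assert ttl_from in ("created", "modified")
        self.ttl, self.ttl_from, self.rating_decay = ttl, ttl_from, rating_decay
        self.items = {}                    # (type, value) -> Indicator

    def ingest(self, source, snapshot, now):
        """Apply one full update from `source`, given as (type, value, rating) triples."""
        seen = set()
        for ioc_type, value, rating in snapshot:
            key = (ioc_type, value)
            seen.add(key)
            ioc = self.items.get(key)
            if ioc is None:
                self.items[key] = Indicator(ioc_type, value, rating, now, now, {source})
                continue
            if not ioc.sources:            # a re-mention revives an obsolete indicator
                ioc.modified = now
            ioc.sources.add(source)
            if rating != ioc.base_rating:  # changed feed data counts as a modification
                ioc.base_rating, ioc.modified = rating, now
        for key, ioc in self.items.items():   # dropped by this source -> loses this source
            if key not in seen:
                ioc.sources.discard(source)

    def is_obsolete(self, ioc, now):
        if self.ttl is None:
            return not ioc.sources
        anchor = ioc.created if self.ttl_from == "created" else ioc.modified
        return now - anchor > self.ttl

    def rating(self, ioc, now):
        """Linear decay from base_rating to 0 over `rating_decay` since the last modification."""
        remaining = max(0.0, 1.0 - (now - ioc.modified) / self.rating_decay)
        return round(ioc.base_rating * remaining)

    def active(self, now):
        return [i for i in self.items.values() if not self.is_obsolete(i, now)]

    def retro_search(self, log_lines, now):
        """Retrospective search: match only indicators that are still relevant at `now`."""
        current = self.active(now)
        return [(i.value, self.rating(i, now), line)
                for line in log_lines for i in current if matches(i.value, line)]


def matches(value, line):
    """Whole-token match, so 198.51.100.2 does not match 198.51.100.23."""
    return re.search(r"(?<![\w.-])" + re.escape(value) + r"(?![\w-])", line) is not None


LOGS = [  # constructed log lines for the retrospective search
    "2024-01-21T10:00:00Z proxy allow src=10.0.0.5 dst=198.51.100.23:443",
    "2024-01-21T10:00:02Z dns query=evil-update.example from=10.0.0.5",
    "2024-01-21T10:00:05Z dns query=intranet.corp.example from=10.0.0.9",
]


def run_scenario():
    """Run two stores (automatic vs. 7-day TTL from last modification) through the same updates."""
    t0, day = datetime(2024, 1, 1, tzinfo=timezone.utc), timedelta(days=1)
    auto, policy = IocStore(), IocStore(ttl=7 * day, ttl_from="modified")
    ip, dom = ("ip", "198.51.100.23", 80), ("domain", "evil-update.example", 90)
    for store in (auto, policy):
        store.ingest("feed_a", [ip, dom], t0)
        store.ingest("feed_b", [ip], t0)
        store.ingest("feed_a", [dom], t0 + 10 * day)     # feed_a drops the IP, feed_b still lists it
        store.ingest("feed_b", [], t0 + 20 * day)        # feed_b drops it too: no source left
    out = {
        "auto_active_day20": sorted(i.value for i in auto.active(t0 + 20 * day)),
        "policy_active_day20": sorted(i.value for i in policy.active(t0 + 20 * day)),
        "domain_rating_day20": auto.rating(auto.items[dom[:2]], t0 + 20 * day),
        "hits_day20": auto.retro_search(LOGS, t0 + 20 * day),
    }
    auto.ingest("feed_a", [ip, dom], t0 + 25 * day)      # re-mention revives the obsolete IP
    out["auto_active_day25"] = sorted(i.value for i in auto.active(t0 + 25 * day))
    return out
```

The scenario makes the side effects of each option visible: with the automatic mechanism a feed that silently stops publishing an indicator retires it even though the infrastructure may still be affected, while the TTL policy retires an indicator on schedule even if every feed still lists it, so on day 20 the first store still searches for the domain and the second searches for nothing. Matching is done on whole tokens, so subdomains of a listed domain are not matched; widen matching deliberately rather than falling back to substring search, which would make 198.51.100.2 hit on 198.51.100.23.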

Managing the life cycle of indicators of compromise is a very important part of responding to cyber incidents, since it directly affects the actions and decisions taken against malicious activity. A responsible attitude to life-cycle management ensures that all the information used in this work is, with a high degree of probability, reliable and up-to-date.