
Sandboxes are used for automated extraction of indicators of compromise (IoCs) that can be used to write signatures. Can this signature then be used, for example, on an IPS system to block certain actions?

schroeder
blabla_trace
  • It depends on the IoC, the action, the signature and the IPS, but yes. Can you expand on which part you were curious about? The IPS part, the blocking part, the action part? – schroeder Nov 22 '18 at 13:36
  • My confusion is that you could read the news, determine an IoC from the article, then configure an IPS to block that action. – schroeder Nov 22 '18 at 13:39
  • To specifically and immediately answer your question: yes, IoCs can be used to create signatures for your IPS. How can this be done? Well, IoCs are breadcrumbs attackers leave and organizations gather up to share with each other. There are atomic indicators in an IoC like IP, port #, username, filename, etc. that you can configure your IPS to reject. There are host-based or network-based indicators. Because of all the types of IoCs, your IPS won't be the only tool you use to guard against attacks, though a good one of course. – xxx Jan 02 '22 at 14:31

1 Answer


After reading your follow-up comment - yes, you can and should read news to use indicators published. However, discovering and actioning an IoC yourself is also very important.

The 'Pyramid of Pain' outlines different types of indicators, and groups them by the ease with which an attacker can change them. For example, a hash published in threat intel or VirusTotal can be altered very quickly by an agile attacker. Using a sandbox can provide you agility to meet fast changing threats.

Additionally, some victims may not want the IoC they discovered and blocked to be shared. If it is very targeted malware, the risk of someone publishing the IoC can mean the attacker then alters their TTPs and the victim will need to start all over again (detect and block another IoC).

xXhRQ8sD2L7Z
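As an added example (not code from the question, the comments or the answer above), the following Python script shows the step the thread describes: taking atomic indicators exported by a sandbox, validating them, tagging each with its Pyramid of Pain tier, and emitting Suricata-style IPS rules for the network-visible ones. The indicator values are constructed from documentation ranges and are not real IoCs; the rule syntax assumes Suricata 5+ keywords (`dns.query`, `filename`, `filemd5`, `filesha256`), the `$HOME_NET` variable and hash-list file names such as `iocs.md5` are assumptions for the example, and the tier numbers follow the lowest four levels of the Pyramid of Pain.

```python
"""Convert sandbox-extracted IoCs into Suricata-style IPS rules, tagged by Pyramid of Pain tier.

Added example, not from the original Q&A. Assumes Suricata 5+ rule keywords; the
indicator values are constructed documentation samples, not real indicators.
"""
import ipaddress
import re

# Lowest four Pyramid of Pain tiers: higher number = more costly for an attacker to change.
PAIN_TIER = {"hash": 1, "ip": 2, "domain": 3, "filename": 4}

SID_BASE = 1000000  # local rules conventionally use sid >= 1000000

_MD5 = re.compile(r"^[0-9a-f]{32}$", re.I)
_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
# Characters that would break out of a quoted content/msg field in a rule.
_UNSAFE = re.compile(r'[";|\\\s]')

# Constructed sample export (kind, value); the last entry mimics a malformed feed item.
SAMPLE_IOCS = [
    ("ip", "198.51.100.23"),                          # TEST-NET-2 range
    ("domain", "example.net"),
    ("hash", "d41d8cd98f00b204e9800998ecf8427e"),     # MD5 of empty input
    ("filename", "update.exe"),
    ("domain", 'bad"; drop ip any any -> any any (msg:"x'),  # must be rejected, never emitted
]


def validate(kind, value):
    """Return True only if value is a well-formed indicator of the given kind."""
    if _UNSAFE.search(value):
        return False
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if kind == "domain":
        return bool(_DOMAIN.match(value))
    if kind == "hash":
        return bool(_MD5.match(value) or _SHA256.match(value))
    if kind == "filename":
        return 0 < len(value) <= 255
    return False


def to_rule(kind, value, sid):
    """Build one rule for a network-visible indicator; hashes are handled via list files."""
    if kind == "ip":
        return (f'drop ip $HOME_NET any -> {value} any '
                f'(msg:"IoC IP {value}"; sid:{sid}; rev:1;)')
    if kind == "domain":
        return (f'drop dns $HOME_NET any -> any any '
                f'(msg:"IoC domain {value}"; dns.query; content:"{value}"; nocase; '
                f'sid:{sid}; rev:1;)')
    if kind == "filename":
        return (f'alert http any any -> $HOME_NET any '
                f'(msg:"IoC filename {value}"; filename:"{value}"; sid:{sid}; rev:1;)')
    return None


def build_ruleset(iocs):
    """Return (rules, hash_lists, rejected, by_tier) for a list of (kind, value) pairs."""
    rules, rejected = [], []
    hash_lists = {"md5": [], "sha256": []}   # contents of the assumed iocs.md5 / iocs.sha256 files
    by_tier = {}
    sid = SID_BASE
    for kind, value in iocs:
        if not validate(kind, value):
            rejected.append((kind, value))
            continue
        by_tier.setdefault(PAIN_TIER[kind], []).append(value)
        if kind == "hash":
            hash_lists["md5" if len(value) == 32 else "sha256"].append(value.lower())
            continue
        rules.append(to_rule(kind, value, sid))
        sid += 1
    # One rule per hash algorithm, matching against the list file (filemd5 / filesha256).
    for algo, values in hash_lists.items():
        if values:
            rules.append(f'alert http any any -> $HOME_NET any '
                         f'(msg:"IoC file {algo} hash list"; file{algo}:iocs.{algo}; '
                         f'sid:{sid}; rev:1;)')
            sid += 1
    return rules, hash_lists, rejected, by_tier


if __name__ == "__main__":
    rules, hash_lists, rejected, by_tier = build_ruleset(SAMPLE_IOCS)
    for rule in rules:
        print(rule)
    print("hash list files:", hash_lists)
    print("rejected feed items:", rejected)
    for tier in sorted(by_tier, reverse=True):
        print(f"pain tier {tier}: {by_tier[tier]}")
```

The tier tags are there to back the answer's point: rules built from tier 1 and 2 indicators (hashes, IPs) will need refreshing far sooner than those built on host artifacts, so a feed that only yields hashes buys little durable protection. The validation step matters too: a sandbox or shared feed is untrusted input, and a value with quotes or spaces would otherwise be spliced straight into rule syntax.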