
We've received frequent emails from our Threat Intelligence Group with IoCs artifacts, such as file names, hashes, domains/urls. They request us to do preventive measures for the given attributes.

However, I find it very hard to follow their request. Should I block all given IOCs? If so, it is very time-consuming and not effective when it comes to security.

I think that some risk assessments need to be carried out to ascertain whether such IOCs artifacts expose any risk to and also their impact on our environment before applying any applicable preventive measure.

Updated: The IoCs are related to coronavirus and are sent on alternate days or even almost on a daily basis without any relevant risk assessment. Moreover, when I take a look at the actors, they targeted a specific European country, while our entity is located in Asia Pacific. This leads to an apparent mismatch or redundant efforts from our side

sanba06c
    "Time-consuming" is not a good metric for choosing whether or not to block known indicators of compromise. If they are IoCs, then the risk assessment has already been carried out. They are "Indicators of Compromise". It sounds more like you need a more efficient method for responding to the IoCs you get rather than reducing the number you get. – schroeder Apr 16 '20 at 09:59
  • @schroeder, The IoCs are related to coronavirus and are sent almost on an alternate day without any relevant risk assessment. Moreover, when I take a look at the actors, they targeted a specific European country, while our entity is located in Asia Pacific. This leads to an apparent mismatch or redundant efforts from our side. – sanba06c Apr 16 '20 at 15:34
  • Then I'm not sure we are talking about the same thing. What you describe is not an IoC. What is it that you are getting exactly? – schroeder Apr 16 '20 at 15:39
  • Yeah, it sounds weird to me too. They've provided me with a link to malware hunting, and relevant IoC artifacts, such as URLs/domains, hashes, file names, and then recommend us to do preventive measures on security devices. So, I've received so-called IoCs almost every day. – sanba06c Apr 16 '20 at 15:43

2 Answers


Just a question on your statement

"Should I block all given IOCs? If so, it is very time-consuming and not effective when it comes to security."

Wouldn't it be less time-consuming to block all given IOCs? I would consider the following steps:

  1. Block all network IOCs (URLs/IP addresses)
  2. Scan network logs for traffic going outbound to network IOCs
     - If there is, proceed with IR
  3. Evaluate each IOC to see whether it affects your organization (some organizations do use public IPs, so there is a chance that an IP used internally may be a known IOC, but this can either be ignored or rectified)
  4. Based on the evaluation, either unblock or continue blocking network IOCs

I see the step of first blocking the network IOCs before taking the necessary steps would immediately cut off any further communication between a potential C2 server and your network. But my solution did not cover files and their hashes.

Do let me know what you think about this flow

pikachu
    *"Just a question on your statement ... Do let me know what you think about this flow..."* - this is not a discussion forum but a strict Q+A site. Apart from that an IOC is just an indicator of a **potential** compromise. It is not that a compromise has definitely happened. Depending on the source for IOC there are more or less false positives so just simply blocking everything will likely result in blocking innocent traffic too. – Steffen Ullrich Apr 16 '20 at 12:02
  • I agree with your point of view to some extent. On the other hand, as @steffen ullrich mentioned, it could block innocent traffic. – sanba06c Apr 16 '20 at 15:36

1) Threat intelligence provided indicators must be expired/decayed, i.e., they must only last so long -- https://www.misp-project.org/misp-training/a.5-decaying-indicators.pdf
2) An open-source platform, MISP, provides the best way of handling indicator sightings -- https://www.circl.lu/doc/misp/sightings/
3) Dovehawk -- https://github.com/tylabs/dovehawk -- can link MISP Sightings to your internal network IPs, FQDNs, file hashes, and creds seen
4) Additional integrations can be performed between MISP and Zeek -- https://wlcg-soc-wg-doc.web.cern.ch/integrations/misp_zeek.html
5) With or without MISP, Zeek can track sightings in its Zeek Intelligence Framework -- https://docs.zeek.org/en/current/frameworks/intel.html -- including limits -- https://github.com/J-Gras/intel-limiter -- and expirations -- https://github.com/J-Gras/intel-expire

Don't block anything: just go search, seek, and destroy. If you want to block, consider matching the characteristics of known executed/installed malware in your environment (because these would be specific to you) and blocking with Suricata IPS or similar. Don't just willy-nilly block IPs or FQDNs because some malware C2 will reside on known-good mail or web infrastructure, plus Fake C2 can lie to you or your threat intelligence feeds.

Maybe block file hashes, though. Your EPP, AWL, and/or EDR solution will support blocking hashes. If you want to bring support for this across a fleet, along with the sightings, check out -- https://zeek.org/2020/03/23/announcing-the-zeek-agent/

If you just want a way of querying the fleet for indicators, I recommend the Velocidex suite -- https://www.velocidex.com -- especially Velociraptor

atdre
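As an added illustration (not code from either answer or from the MISP/Zeek projects), the following constructed Python script combines the two flows above: match outbound logs against the indicators, count sightings, retire indicators past a decay window, and flag sighted indicators that live on shared infrastructure for investigation rather than a blanket block. It assumes a simplified tab-separated log format (timestamp, log kind, value), a 30-day decay window, and a constructed allowlist; none of the indicator values are real.

```python
from dataclasses import dataclass
from datetime import date

DECAY_DAYS = 30                      # assumed decay window; tune per feed/source
KNOWN_GOOD = {"203.0.113.45"}        # constructed allowlist: shared infra you rely on
LOG_KIND_TO_IOC = {"dns": "domain", "conn": "ip", "files": "sha256"}
TODAY = date(2020, 4, 16)            # constructed "now" for the sample run

@dataclass
class Indicator:
    kind: str          # "domain", "ip" or "sha256"
    value: str
    first_seen: date
    sightings: int = 0

def is_active(ind, today=TODAY, decay_days=DECAY_DAYS):
    """Stale indicators are ignored so they stop producing blocks or alerts."""
    return (today - ind.first_seen).days <= decay_days

def record_sightings(feed, log_text, today=TODAY):
    """Match log lines (ts<TAB>kind<TAB>value) against active indicators, count sightings."""
    lookup = {(i.kind, i.value): i for i in feed if is_active(i, today)}
    hits = []
    for line in log_text.splitlines():
        ts, kind, value = line.split("\t")
        ind = lookup.get((LOG_KIND_TO_IOC.get(kind), value))
        if ind is not None:
            ind.sightings += 1
            hits.append((ts, ind.kind, value))
    return hits

def triage(feed, today=TODAY):
    """Retire stale indicators, send sighted ones to IR, flag shared infra before blocking."""
    decisions = {}
    for ind in feed:
        if not is_active(ind, today):
            decisions[ind.value] = "retire"
        elif ind.sightings and ind.value in KNOWN_GOOD:
            decisions[ind.value] = "investigate, do not block shared infra"
        elif ind.sightings:
            decisions[ind.value] = "investigate and block"
        else:
            decisions[ind.value] = "monitor"
    return decisions

# Constructed sample feed and Zeek-style log lines (not real indicators).
FEED = [Indicator("domain", "update-check.example", date(2020, 4, 10)),
        Indicator("ip", "203.0.113.45", date(2020, 4, 14)),
        Indicator("sha256", "a" * 64, date(2020, 2, 1))]
LOGS = ("2020-04-16\tdns\tupdate-check.example\n2020-04-16\tconn\t203.0.113.45\n"
        "2020-04-16\tfiles\t" + "a" * 64 + "\n2020-04-16\tdns\tmail.example.org")
```

Running `record_sightings(FEED, LOGS)` followed by `triage(FEED)` retires the 75-day-old hash, sends the sighted domain to IR with a block, and holds the sighted IP for investigation because it is on the allowlist.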