RSA Conference Preview: Dreaming of Indicators of Compromise

Today, many organizations are collecting log data from systems, applications and network devices to generate operational statistics and/or alerts of abnormal behavior. However, a major shortcoming of this approach is that valuable security data is often not visible in this log data. This leaves out an important piece of the puzzle: context.Security data is more than big data, it’s morbidly obese data. There is value in the data we are gathering, but the value is in the analysis, not the data itself. There is marginal value in seeing a file hash or IP address in a security log; however, there is an incredible amount of value in identifying that a file hash or IP address is associated with a known attack vector.Adopting cyber threat intelligence can be tough to accomplish for many organizations. Some security tools allow for complex integrations, while other tools allow for little to no integration at all.Should you purchase more security tools to piece together a comprehensive yet disconnected solution? That’s possible, but it will be incredibly expensive. Instead, there are open-source options which can turn your threat intelligence nightmares into dreams.The first step in adopting threat intelligence is deciding on the format for consumption. You might say, but Travis, I want to be able to adopt all of the formats; and you would be absolutely correct.My argument is that we should walk before we run, so I will focus on one of the formats available, which more often than not fits my needs; TAXII, STIX and CybOX from Mitre/Oasis. These formats allow you to define very complex indicators of compromise or indicators of exploit, add context and share them with colleagues.Obtaining the indicators of compromise (IoC) data is the first piece in this complex puzzle. The next piece is being able to store and utilize the IoC data in valuable ways. The tool I prefer to do this with is the Collective Intelligence Framework, maintained by CSIRT.CIF is a great open-source tool that aggregates threat intelligence from various sources online, also allowing you to input your own. The open APIs built into CIF make it an ideal threat intelligence candidate for integrating into existing or new tools.The first tool I integrate into CIF is the ELK stack. Logstash is a log normalization tool, which can parse out the information we need to utilize threat intelligence. A handy translate plugin is used to translate the parsed data into threat intelligence lookups. Any tool that outputs data can now feed into Logstash and get real-time threat intelligence lookups.The second tool I use to integrate into CIF is TARDIS, an open-source IoC parser I released last year. While the real-time detection discussed earlier is great, it’s equally as valuable to look back in time and find attacks against your environment. Using TARDIS, we can ingest IoC data from CIF and look for evidence of compromise and/or exploitation.

Leave a Reply