IOCs - caitlinmallen/TechWiki GitHub Wiki

Detection Mechanisms, IOCs, and Signatures

  • Detection phases
    • When an incident has happened, the IR team's first action is to collect data in order to identify the anomalies and where the incident came from
    • The detection phases
      • Knowing your detection capabilities
      • Understanding adversarial tactics
      • Applying those capabilities to detect when an adversary acts
  • Detection Mechanism
    • Process of parsing through the data in order to detect the abnormal behavior, whether in the system or in a network
    • OR a function of software that parses through collected data in order to generate alert data
    • The analyst must be careful in choosing the detection mechanisms placed in the system and in feeding them appropriately
    • Mechanisms are useless if they are not properly fed and cared for (development, maintenance, and implementation of IOCs and signatures)
  • Types of Mechanisms
    • Signature based mechanisms
      • Reputation-based detection
    • Anomaly-based detection
      • Honeypot based detection
    • Most start with a signature-based mechanism and then move to something more advanced like anomaly-based detection
  • Signature Based
    • Oldest form of intrusion detection and combs through data to find matches for specific patterns
    • Patterns might be
      • Simple pattern – IP Address, text string, etc.
      • Complex patterns – Particular number of null bytes occurring after a specific string using a specific protocol
    • When these patterns are broken into independent pieces of data they become IOCs
    • When they are expressed in the platform-specific language of a detection mechanism they become signatures
    • The reputation-based detection is a subset of Signature based detection
      • Attempts to detect communication between friendly hosts on the network you are protecting and hosts on the Internet believed to be malicious
  • Anomaly based detection
    • Observing network occurrences and discerning anomalous traffic through heuristics and statistics
    • It can recognize attack patterns that deviate from normal network behavior
      • More powerful but more difficult to implement
    • Honeypot-based detection mechanism is a subset of anomaly-based detection
  • Honeypot Based Detection
    • Used for educational purposes: collects malware and attack samples for research, with applications in detection
    • Works by configuring honeypots to mirror production systems and contain known vulnerabilities but no confidential data
    • Configured for extensive logging
  • What is an IOC?
    • Any piece of information that describes an intrusion; it is platform independent
    • An artifact observed on a network or host that, with high confidence, indicates a computer intrusion
    • Signatures can contain one or more IOCs
    • Types
      • Simple – IP Addresses, hash, mutex
      • Complex – Set of behaviors
  • IOC Classification
    • Host-based
      • Registry key, file name, process name, mutex
    • Network-based
      • IP address, certificate hash, domain name
  • Indicator and Signature Evolution
    • Immature
      • Can detect some attacks, but if there's a variant of the attack it can't pick up on it
    • Mature
      • Can detect variants of attacks
    • Retired
      • No longer needed
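As an added example (not from this wiki page) tying together the Signature Based, What is an IOC, and Indicator and Signature Evolution notes: constructed IOCs are expressed as signatures in one mechanism's own terms (Python field matches and regexes) and run over constructed records, including the complex "specific string followed by a particular number of null bytes over a specific protocol" pattern and an immature versus mature version of one mutex signature. Every indicator value, mutex name and record here is made up for the example.

```python
import re

# Constructed IOCs: the platform-independent data. A signature is the same
# information expressed in the language of a particular detection mechanism.
NETWORK_IOCS = {"ip": {"198.51.100.23"}, "domain": {"c2.invalid"}}   # network-based
HOST_IOCS = {"mutex": {"Global\\DemoMutex"}}                           # host-based

# Complex pattern: the string BEACON followed by exactly four null bytes.
COMPLEX_SIG = re.compile(rb"BEACON\x00{4}(?!\x00)")

# One indicator, two signatures of different maturity (constructed names).
IMMATURE_MUTEX_SIG = re.compile(r"^Global\\DemoMutex$")           # exact string only
MATURE_MUTEX_SIG = re.compile(r"^Global\\DemoMutex(?:_v\d+)?$")   # also catches _vN variants

def match_simple(record):
    """Return (class, type, value) for each simple IOC found in one parsed record."""
    hits = []
    if record.get("dst_ip") in NETWORK_IOCS["ip"]:
        hits.append(("network", "ip", record["dst_ip"]))
    if record.get("host") in NETWORK_IOCS["domain"]:
        hits.append(("network", "domain", record["host"]))
    if record.get("mutex") in HOST_IOCS["mutex"]:
        hits.append(("host", "mutex", record["mutex"]))
    return hits

def match_complex(record):
    """Complex signature: the byte layout alone is not enough, the protocol must match too."""
    if record.get("proto") != "tcp":
        return False
    return COMPLEX_SIG.search(record.get("payload", b"")) is not None

def mutex_alerts(record, signature):
    """Apply a mutex signature of a given maturity to one host record."""
    return signature.match(record.get("mutex", "")) is not None

# Constructed records standing in for parsed sensor and endpoint data.
RECORDS = [
    {"proto": "tcp", "dst_ip": "198.51.100.23", "host": "c2.invalid",
     "payload": b"BEACON\x00\x00\x00\x00\x01"},                      # simple and complex hits
    {"proto": "udp", "dst_ip": "203.0.113.9", "payload": b"BEACON\x00\x00\x00\x00\x01"},  # wrong protocol
    {"proto": "tcp", "dst_ip": "203.0.113.9", "payload": b"BEACON" + b"\x00" * 6},         # six nulls, not four
    {"mutex": "Global\\DemoMutex"},      # original sample: both signatures fire
    {"mutex": "Global\\DemoMutex_v2"},   # variant: only the mature signature fires
]

def run():
    """Evaluate every signature against every record; one tuple of results per record."""
    return [(match_simple(r), match_complex(r),
             mutex_alerts(r, IMMATURE_MUTEX_SIG), mutex_alerts(r, MATURE_MUTEX_SIG))
            for r in RECORDS]
```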