Detection and management of IOCs
An IOC (Indicator of Compromise) describes conditions on an IT system which, if met, indicate that the system may have been compromised. The concept is similar to that of a signature file; the main difference is that IOCs use open, standardized formats. This enables collaboration and the exchange of security intelligence between organizations and vendors, and lets administrators extend the detection capabilities of Advanced EDR with third-party intelligence.
This chapter describes the tools available in Advanced EDR for importing and exporting IOCs, looking for IOCs on computers, and rapidly viewing the results.
For more information about related settings and modules, click the following links:
Creating and managing settings profiles: Information about how to create, edit, delete, or assign settings profiles to the computers on your network.
Accessing, controlling, and monitoring the management console: Managing user accounts and assigning permissions.
Advanced protection: Configuring Lock and Hardening modes.
IOC concepts
In order to understand the processes involved in the use of IOCs, it is useful to be familiar with concepts related to the technologies that support this industry standard.
IOC (Indicator of Compromise)
Indicators of Compromise are descriptions (or rules) of patterns of behavior that could indicate a cyberattack. Unlike a signature file, which has a similar purpose, IOCs have an open format that enables the exchange of security intelligence between the various players involved (vendors, consumers, users, etc.).
There are several standards for describing suspicious patterns of behavior, the most widespread of which is STIX.
STIX (Structured Threat Information Expression)
STIX 2.x is a JSON-based language for describing threat information in a structured, machine-readable form (STIX 1.x used XML). Content is organized as a graph: STIX Domain Objects such as indicators, malware, and threat actors are the nodes, and STIX Relationship Objects link them, which makes the relationships between pieces of intelligence easy to follow.
Each IOC is a set of objects and relationships that describe in detail an artifact, or indicator, that identifies the attack. The Indicator object carries a pattern that names the artifact: an IP address or domain that could host a C&C (Command & Control) server, or the MD5, SHA-1 or SHA-256 hash of a file suspected of carrying malware, among others.
STIX 2.1 can also carry detection logic written in other languages, such as YARA rules, through the indicator's pattern_type property.
Advanced EDR is compatible with the STIX 2.x standard.
YARA (Yet Another Recursive Acronym)
YARA is a rule-based language for describing malware families by means of text or binary patterns. Each rule consists of a set of strings (text, hexadecimal, or regular expression patterns) and a boolean condition that combines them; the rule is run against files suspected of being infected and matches when the condition holds.
An IOC can include only one YARA rule in its definition, although this rule can be as complex as is required to detect entire families of malware.
Other IOC formats
Several other open IOC formats exist for exchanging security intelligence with similar features, such as OpenIOC. (TAXII, often mentioned alongside STIX, is a transport protocol for exchanging threat intelligence rather than an IOC format.) A single format can also have versions that are not compatible with each other, as is the case with STIX 1.x (XML-based) and STIX 2.x (JSON-based).
To reuse IOCs described in formats that Advanced EDR does not accept, free tools are available that convert them to STIX 2.x; for example, the OASIS stix2-elevator converts STIX 1.x content to STIX 2.x. Review the converted output before importing it, since not every element of a source format has an equivalent in STIX 2.x.
Results generated from the search for IOCs
In order not to overload network computers, Advanced EDR restricts the depth of complex searches for IOCs by applying the following rules:
- Simple IOCs, and IOCs consisting of one YARA rule: these look for a single attribute with a specific value (for example, one file hash). The search returns up to 10 results per computer, at which point it stops on that computer.
- Complex IOCs: these look for several attributes (for example, a hash and a file name) or for one attribute with several possible values (for example, a list of domains). The search returns only the first result found on each computer, at which point it stops on that computer.
Because of this restriction, the number of results shown in lists and widgets may be lower than the real number of affected files, especially in a mass infection with many files affected on each computer. What is guaranteed is that every computer with at least one match is listed, without degrading the performance of the computers searched.
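The following Python example is added here to illustrate both the STIX section above and the result caps just described; it is not code from the product documentation or from Advanced EDR. It parses a constructed STIX 2.1 bundle containing one simple indicator (one attribute, one value) and two complex ones (two attributes joined by AND; one attribute with two values joined by OR), classifies each indicator using the definitions above, and scans constructed per-computer observations, stopping at 10 results per computer for simple IOCs and at the first result for complex ones. The bundle, hostnames, hash value and observation records are made up, and the matcher is a simplified stand-in for the product's own search engine: it supports only single-observation STIX patterns whose comparisons are joined by AND or OR without parentheses.

```python
"""Parse STIX 2.1 indicators, classify them as simple or complex, and scan
per-computer observations with the result caps described in the text.
Added example with constructed data; the matcher is a simplified stand-in
for the product's search engine and is an assumption, not product code."""
import json
import re

HASH_A = "00" * 31 + "01"  # constructed 64-hex-character SHA-256 value


def _indicator(suffix, name, pattern):
    """Build a minimal STIX 2.1 Indicator object (constructed id and timestamps)."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{suffix * 8}-{suffix * 4}-4{suffix * 3}-8{suffix * 3}-{suffix * 12}",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "valid_from": "2024-01-01T00:00:00.000Z",
            "name": name, "pattern_type": "stix", "pattern": pattern}


# Constructed bundle: one simple indicator and two complex ones.
BUNDLE_JSON = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        _indicator("a", "dropper hash (simple)", f"[file:hashes.'SHA-256' = '{HASH_A}']"),
        _indicator("b", "hash and name (complex)",
                   f"[file:hashes.'SHA-256' = '{HASH_A}' AND file:name = 'dropper.exe']"),
        _indicator("c", "C&C domains (complex)",
                   "[domain-name:value = 'c2-one.example' OR domain-name:value = 'c2-two.example']"),
    ]})

# Constructed observations per computer: flattened STIX object paths -> values.
OBSERVATIONS = {
    "ws-01": [{"file:hashes.SHA-256": HASH_A, "file:name": "dropper.exe"}] * 12  # mass infection
             + [{"domain-name:value": "update.example"}],
    "ws-02": [{"file:hashes.SHA-256": HASH_A, "file:name": "loader.exe"},
              {"domain-name:value": "c2-two.example"}],
    "ws-03": [{"domain-name:value": "intranet.example"}],
}

# Caps from the text: simple IOCs stop after 10 results per computer, complex after 1.
RESULT_CAP = {"simple": 10, "complex": 1}

# object path (e.g. file:hashes.'SHA-256'), operator, single-quoted value
COMPARISON = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'\-]+)\s*(=|!=)\s*'((?:[^'\\]|\\.)*)'")


def parse_pattern(pattern):
    """Return (combinator, [(path, op, value), ...]) for a bracketed STIX pattern."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a bracketed observation expression")
    body, comparisons, ops, pos = body[1:-1], [], [], 0
    for m in COMPARISON.finditer(body):
        gap = body[pos:m.start()].strip().upper()
        if comparisons:  # text between two comparisons must be AND or OR
            if gap not in ("AND", "OR"):
                raise ValueError(f"unsupported operator {gap!r}")
            ops.append(gap)
        elif gap:
            raise ValueError(f"unexpected text {gap!r}")
        path = m.group(1).replace("'", "")  # file:hashes.'SHA-256' -> file:hashes.SHA-256
        comparisons.append((path, m.group(2), m.group(3)))
        pos = m.end()
    if not comparisons or body[pos:].strip():
        raise ValueError("could not parse pattern")
    if len(set(ops)) > 1:
        raise ValueError("mixing AND and OR without parentheses is not supported")
    return (ops[0] if ops else None), comparisons


def classify(indicator):
    """Simple: one attribute with one value, or a single YARA rule.
    Complex: several attributes, or one attribute with several values."""
    if indicator.get("pattern_type") == "yara":
        return "simple"
    _, comparisons = parse_pattern(indicator["pattern"])
    return "simple" if len(comparisons) == 1 else "complex"


def matches(combinator, comparisons, observation):
    """Evaluate the comparisons against one observation record."""
    outcomes = []
    for path, op, value in comparisons:
        equal = observation.get(path) == value
        outcomes.append(equal if op == "=" else not equal)
    return any(outcomes) if combinator == "OR" else all(outcomes)


def scan(bundle_json, observations_by_computer):
    """Return {indicator id: {"class": ..., "results": {computer: hits}}},
    stopping the search on a computer once the cap for its class is reached."""
    report = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # YARA and other pattern types need their own engine
        kind = classify(obj)
        combinator, comparisons = parse_pattern(obj["pattern"])
        per_computer = {}
        for computer, observations in observations_by_computer.items():
            hits = 0
            for observation in observations:
                if matches(combinator, comparisons, observation):
                    hits += 1
                    if hits >= RESULT_CAP[kind]:
                        break  # the search on this computer stops here
            per_computer[computer] = hits
        report[obj["id"]] = {"class": kind, "results": per_computer}
    return report
```

Running `scan(BUNDLE_JSON, OBSERVATIONS)` reports 10 results on ws-01 for the simple hash indicator even though 12 files carry the hash, and a single result on ws-01 for the complex hash-plus-name indicator; ws-02 is listed for the simple indicator and the domain indicator but not for the complex file indicator, because its file name does not satisfy the AND. That is the behaviour to expect from the console lists: counts are capped per computer, but no affected computer is missing.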
IOC workflow
Follow this workflow to successfully identify indicators of compromise on your network:
- Check that the user account used to access the console has the required permissions. See section IOC management for more information.
- Import third-party IOCs or create them using the wizard. See section IOC management for more information.
- Create an IOC search task. See section Searching for IOCs on the network for more information.
- View the IOCs found in the results of the search task, in the list of IOCs, or in the widgets. See sections Searching for IOCs on the network and IOCs dashboard/widgets for more information.