xorl %eax, %eax

IOC Lifecycle & Enrichment


One issue with cyber-security today is outdated IOCs (Indicators of Compromise). For example, an IP address that hosts a Command & Control server today could host a legitimate service tomorrow. This means that there needs to be some sort of “IOC lifecycle”. Below is the lifecycle I usually propose for this.



The above works for the majority of cases, but not for everything. Here is a brief explanation of how the lifecycle of an IOC is split among those four stages.

  1. Malicious activity: The first stage is that some sort of malicious activity is identified. This could be anything from a new malware campaign to a spear-phishing attack, etc.
  2. IOC generation: This is the generation of unique artifacts/identifiers of this specific attack such as malware sample hashes, email addresses, IP addresses, domain names, etc.
  3. IOC use: The generated IOC is now integrated with the security solutions of the organization and is actively used to detect if this indicator is present.
  4. Archiving: After a defined expiration threshold the IOC is archived so that it is still searchable for investigations, but it has very low scoring compared to new IOCs when it comes to detection.

The above works for common workflows, but when we introduce a Cyber-Threat Intelligence (CTI) capability, context becomes as important as content. Seeing that IP address 1.2.3.4 was “bad” two years ago is not as useful as seeing that IP address 1.2.3.4 was hosting a ZeuS Command & Control server and is associated with an internal incident response case number. For this reason, the extended version of my initially proposed IOC lifecycle, which adds a CTI capability, is the one you see below.



The only difference is that before the archiving stage, there is an enrichment stage. This stage ensures that the IOC includes as much context as possible in order to provide value to subsequent investigations.
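To make the two lifecycles concrete, here is an added example (my own illustration, not code from the post) that models an IOC record moving through generation, use, enrichment and archiving. The post gives no numbers for the expiration threshold or the archived score, so the 90-day window, the 100/10 scores and the detection threshold of 50 are assumed values; the campaign data, the `c2.example.invalid` domain and the `IR-CASE-PLACEHOLDER` case id are constructed. The point it demonstrates is the one the text makes: an archived IOC stops firing detections but stays searchable, together with the context the enrichment stage attached to it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Stage(Enum):
    """Stages of the IOC lifecycle from the post (ENRICHED is the CTI extension)."""
    GENERATED = "ioc_generation"
    IN_USE = "ioc_use"
    ENRICHED = "enrichment"
    ARCHIVED = "archiving"


# Assumed values: the post speaks of "a defined expiration threshold" and
# "very low scoring" without giving numbers, so these are illustrative choices.
EXPIRATION = timedelta(days=90)
ACTIVE_SCORE = 100
ARCHIVED_SCORE = 10
DETECTION_THRESHOLD = 50


@dataclass
class IOC:
    ioc_type: str            # e.g. "ipv4", "domain", "sha256", "email"
    value: str
    first_seen: datetime     # when the malicious activity was identified (stage 1)
    stage: Stage = Stage.GENERATED
    score: int = ACTIVE_SCORE
    context: dict = field(default_factory=dict)   # filled in by the enrichment stage


def generate_iocs(activity: dict, first_seen: datetime) -> list:
    """Stage 2: turn the artifacts of an identified malicious activity into IOC records."""
    return [IOC(t, v, first_seen) for t, values in activity.items() for v in values]


def deploy(ioc: IOC) -> IOC:
    """Stage 3: the IOC is pushed to the detection tooling and actively used."""
    ioc.stage = Stage.IN_USE
    return ioc


def enrich(ioc: IOC, **context) -> IOC:
    """CTI extension: attach context (threat name, case number, ...) before archiving."""
    if ioc.stage not in (Stage.IN_USE, Stage.ENRICHED):
        raise ValueError(f"cannot enrich an IOC in stage {ioc.stage.value}")
    ioc.context.update(context)
    ioc.stage = Stage.ENRICHED
    return ioc


def age_out(ioc: IOC, now: datetime) -> IOC:
    """Stage 4: past the expiration threshold, archive the IOC and drop its score."""
    if ioc.stage is not Stage.ARCHIVED and now - ioc.first_seen >= EXPIRATION:
        ioc.stage = Stage.ARCHIVED
        ioc.score = ARCHIVED_SCORE
    return ioc


def detect(iocs: list, ioc_type: str, value: str) -> list:
    """Detection view: only IOCs scoring at or above the threshold raise an alert."""
    return [i for i in iocs
            if i.ioc_type == ioc_type and i.value == value and i.score >= DETECTION_THRESHOLD]


def search(iocs: list, ioc_type: str, value: str) -> list:
    """Investigation view: archived IOCs remain searchable, with their context."""
    return [i for i in iocs if i.ioc_type == ioc_type and i.value == value]


def demo() -> dict:
    """Run one constructed campaign through the extended lifecycle."""
    # Constructed sample (not a real indicator set); 1.2.3.4 is the post's example address.
    t0 = datetime(2017, 11, 28)
    iocs = generate_iocs({"ipv4": ["1.2.3.4"], "domain": ["c2.example.invalid"]}, t0)
    for i in iocs:
        deploy(i)
    hits_active = detect(iocs, "ipv4", "1.2.3.4")
    # Enrichment: the context the post wants to survive archiving (placeholder case id).
    enrich(iocs[0], threat="ZeuS C2", case="IR-CASE-PLACEHOLDER")
    for i in iocs:
        age_out(i, t0 + timedelta(days=730))   # two years later
    hits_archived = detect(iocs, "ipv4", "1.2.3.4")
    found = search(iocs, "ipv4", "1.2.3.4")
    return {
        "alerts_while_active": len(hits_active),
        "alerts_after_archive": len(hits_archived),
        "searchable_after_archive": len(found),
        "context": found[0].context,
        "stage": found[0].stage.value,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows one alert while the address is active, none after it ages out, but the archived record is still returned by `search()` carrying the ZeuS attribution and the case reference. In a real platform the score would feed the SIEM's alert priority and the context would come from the CTI system rather than keyword arguments, but the separation of the detection view from the investigation view is the part worth keeping.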

Written by xorl

November 28, 2017 at 21:47
