Threat hunting: IOCs and artifacts
Unusual behavior of information technology assets within an organization may be a hint that the organization is undergoing a cyberattack. Threat-hunting teams will often assess the environment for commonly-known and documented threats by implementing Indicators of Compromise (IOCs).
This article discusses IOCs and their artifacts, examines sources where IOCs are most likely to be found, and compares IOCs with Indicators of Attack (IOAs). Finally, we will see how hunters can use IOCs to improve the detection of, and response to, malicious activities within the organization.
Indicators of compromise and artifacts
Indicators of compromise (IOCs) can be defined as “pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.” Threat hunters will often consult IOCs to determine the locations of possible data breaches or malware infections within the organization.
“Artifacts” refer to the common pieces of information which are of interest to the hunter. They include items such as logs, configured services, cron jobs, patch states, user accounts and others. Locations of artifacts vary widely, which significantly increases the regions where IOCs may be searched for or obtained.
Artifacts can be grouped by where they are collected. The two groups discussed here are network artifacts and endpoint artifacts.
Because most malware communicates with external entities over the network, hunters will often scour the network for artifacts that could contain malicious content. Hunters pay attention to listening TCP/UDP ports and the services behind them, such as SMTP, HTTP, FTP and proxy servers. External monitoring servers may also be set up to aid in traffic monitoring. Hunters will also have various tools that perform:
- Session recording: TDIMon is an example of a Windows-based utility that can be used to record incoming and outgoing sessions. Argus is a Unix tool that records network flow data.
- Packet capture: Hunters may use various tools to capture data packets. Windump, Wireshark and Ethereal on Windows, and Tcpdump, Ethereal and Wireshark on Linux/Unix, can be used to record all network traffic data.
- Network state monitoring: The current network state may be monitored with tools such as Tcpvcon, Netstat and Fport on Windows systems and lsof and Netstat on Unix/Linux environments.
Hunters will also scour endpoints for various artifacts. The sources of these are numerous and readily available. Let’s look at two: the registry and the file system.
The Registry: Hunters are normally interested in the registry because most tools and malware interact with it and store configuration information in it. Information that can be obtained includes run-time configuration, time zone information, TCP/IP configuration, installed software and local language. Hunters will most often discover registry keys and values altered to enable automatic malware execution or to disable the firewall and antivirus. Hunters use tools such as RegMon and RegShot to perform real-time registry monitoring and to create before/after snapshot comparisons.
The File System: Hunters often look for suspicious activities performed by malware within file systems, such as suspicious reading (e.g. obtaining run-time configuration), suspicious writing (e.g. dropping files), deletions and destruction of information.
Scouring the network and IT infrastructure for IOCs allows hunters to detect attacks and act swiftly, preventing breaches from occurring. Threat-hunting departments thereby limit damage by stopping attacks in their early stages. Some of the most common examples of IOCs include:
- Unusual outbound network traffic: It is often quite simple for system administrators to discover a large amount of unusual traffic exiting the network. This could be for a number of reasons – malware communicating with command-and-control servers outside the network, or a threat agent exfiltrating large amounts of data. Hunting teams can set up outbound traffic indicators that work in conjunction with internal monitoring tools to issue an alert in the event that an unusual level of traffic is detected. Hunters can then use the collected information to zero in on compromised systems and sometimes even prevent the attack before serious damage is suffered.
- Anomalies in privileged-user account activity: Attackers and malicious agents often go for the highest privileges on compromised systems. Superuser privileges are coveted for their unrestricted access to systems and applications within organizations. Hunters are therefore constantly on the lookout for unusual account behavior that could suggest a compromise. Suspicious behavior indicators may include time of suspicious activity, systems accessed, and type or volume of information accessed.
- Geographical irregularities: Unusual traffic is not only a matter of bandwidth surges within the network; the regions the traffic originates from matter too. For instance, when certain infrastructure receives logins from different geographical regions, it might be a good time to make some reviews. Traffic from locations outside the norm of the daily logins might warrant an alert. Several possibilities could be on the table – for instance, it could be that data from within the organization is being exfiltrated to the discovered geographical region, or that accounts have been compromised and the threat actor is acquiring intelligence.
- Other login red flags: Sometimes system administrators might discover a set of unusual behaviors mostly centering around authentication and authorization. For instance, multiple failed logins might be observed, indicating a possible brute-force attack; or there could have been multiple successful logins in one go, suggesting a successful pass-the-hash attack within the network. Similarly, logins that are performed at odd hours may indicate malicious intent, especially when performed on sensitive or key systems within the network.
- Swells in database read volume: A common example of this would occur where database admins discover massive database activity, such as entire database dumps, that would result in large traffic transactions. This can suggest that malicious actors have gained enough access to the system to extract the database.
- Suspicious registry or system file changes: Once malicious agents have gained access to a system, a common method of maintaining access is by making changes to the registry. This could involve registry key changes, creation of values, deletion of entries, or new locations of executable files and folders being defined. Hunters will therefore create a map of the original registries within systems and use this as a baseline that can be compared against a supposedly-compromised machine, helping to determine the actions of the threat actors.
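As an added example (not from the article), the login-related red flags above expressed as detection rules run over a constructed set of authentication events; the thresholds, the per-user country baseline, the sensitive-host set and the odd-hours range are assumptions made for the illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data):
# (timestamp, user, source IP, target host, success?, source country)
EVENTS = [
    ("2024-03-04T02:10:00", "svc_backup", "10.0.5.20", "dc01", True, "DE"),
    ("2024-03-04T02:15:00", "bob", "10.0.8.30", "dc01", True, "DE"),
    ("2024-03-04T09:00:00", "alice", "10.0.8.14", "ws-alice", True, "DE"),
    ("2024-03-04T09:00:05", "alice", "203.0.113.7", "vpn01", False, "BR"),
    ("2024-03-04T09:00:09", "alice", "203.0.113.7", "vpn01", False, "BR"),
    ("2024-03-04T09:00:14", "alice", "203.0.113.7", "vpn01", False, "BR"),
    ("2024-03-04T09:00:20", "alice", "203.0.113.7", "vpn01", False, "BR"),
    ("2024-03-04T09:00:27", "alice", "203.0.113.7", "vpn01", False, "BR"),
    ("2024-03-04T09:01:00", "alice", "203.0.113.7", "vpn01", True, "BR"),
    ("2024-03-04T09:01:10", "alice", "10.0.8.14", "fs01", True, "DE"),
    ("2024-03-04T09:01:12", "alice", "10.0.8.14", "fs02", True, "DE"),
    ("2024-03-04T09:01:15", "alice", "10.0.8.14", "dc01", True, "DE"),
]
# Assumed baselines: countries each account normally logs in from, hosts that count as
# sensitive, and the hours (local time) regarded as outside normal business activity.
BASELINE_GEO = {"alice": {"DE"}, "bob": {"DE"}, "svc_backup": {"DE"}}
SENSITIVE_HOSTS = {"dc01", "fs01"}
ODD_HOURS = range(0, 6)

def hunt_login_red_flags(events, fail_threshold=5, fail_window=timedelta(minutes=5),
                         burst_hosts=3, burst_window=timedelta(minutes=2)):
    """Return sorted (rule, user, detail) findings for the login red flags in the text."""
    findings = set()
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, user, src, host, ok, geo in sorted(events):
        t = datetime.fromisoformat(ts)
        if not ok:
            # Brute force: repeated failures for one account from one source inside the window.
            failures[(user, src)].append(t)
            if sum(1 for x in failures[(user, src)] if t - x <= fail_window) >= fail_threshold:
                findings.add(("brute_force", user, src))
            continue
        if geo not in BASELINE_GEO.get(user, set()):
            findings.add(("geo_anomaly", user, geo))          # geographical irregularity
        if t.hour in ODD_HOURS and host in SENSITIVE_HOSTS:
            findings.add(("odd_hours_sensitive", user, host))  # odd-hours login on a key system
        # Many successes on distinct hosts from one source in a short window: the
        # "multiple successful logins in one go" pattern the text associates with pass-the-hash.
        successes[(user, src)].append((t, host))
        if len({h for x, h in successes[(user, src)] if t - x <= burst_window}) >= burst_hosts:
            findings.add(("multi_host_burst", user, src))
    return sorted(findings)
```

Each finding carries only the user and the pivot value (source, country or host) so the hunter can zero in on the affected systems rather than wade through every matching event.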
IOCs, however, are not limited to the above. Security researchers and the communities behind sharing standards such as OpenIOC, STIX and TAXII spend countless hours documenting IOCs and their associated threats. They then share this information among security communities, standardizing how IOCs are documented and reported, to improve incident response and computer forensics.
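The before/after registry comparison described above, with RegShot-style snapshots and a baseline map compared against a suspect machine, as an added example that is not part of the original article. The snapshots are constructed; the key paths are real Windows autorun, firewall-profile and Defender-policy locations, while the value data under them is made up:

```python
# Constructed baseline ("before") and suspect ("after") snapshots (not real data). Each maps a
# registry key path to its value names and data, the way a RegShot before/after comparison or a
# golden-image baseline map would. Key paths are real Windows locations; the data is made up.
RUN_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
FW_STD = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
DEFENDER = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
BASELINE = {
    RUN_HKLM: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    RUN_HKCU: {"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    FW_STD: {"EnableFirewall": 1},
    DEFENDER: {},
}
SUSPECT = {
    RUN_HKLM: {},                                                   # autorun entry removed
    RUN_HKCU: {"OneDrive": BASELINE[RUN_HKCU]["OneDrive"],
               "Updater": r"C:\Users\alice\AppData\Roaming\svchost.exe"},  # new autorun, odd path
    FW_STD: {"EnableFirewall": 0},                                  # firewall switched off
    DEFENDER: {"DisableAntiSpyware": 1},                            # Defender disabled by policy
}

AUTORUN_SUFFIXES = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
EXPECTED_DEFENSE = {"EnableFirewall": 1, "DisableAntiSpyware": 0}   # values a healthy host holds

def diff_snapshots(before, after):
    """Return (change, key, name, old, new) for every added, deleted or modified value."""
    changes = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if name not in a:
                changes.append(("deleted", key, name, b[name], None))
            elif name not in b:
                changes.append(("added", key, name, None, a[name]))
            elif a[name] != b[name]:
                changes.append(("modified", key, name, b[name], a[name]))
    return changes

def triage(changes):
    """Attach the reason a hunter cares about each change; unmatched changes are 'other'."""
    tagged = []
    for change, key, name, old, new in changes:
        if key.endswith(AUTORUN_SUFFIXES):
            reason = "autorun_persistence"
        elif name in EXPECTED_DEFENSE and new is not None and new != EXPECTED_DEFENSE[name]:
            reason = "defense_disabled"
        else:
            reason = "other"
        tagged.append((reason, change, key, name, new))
    return tagged
```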
How to search for new indicators of compromise
Hunters must employ a variety of different techniques to hunt for threat agents. One of the simplest, most common methods is IOC searching. IOC searching can be defined as the process of querying data for specific artifacts. Although it can be performed by most common tools, it’s worth noting that IOC searching may not always be the most effective method because it cannot produce outliers in the result set. In other words, hunters will get exactly the results they searched for, even if the search was not based on full information.
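An added example (not the article's) of IOC searching as defined above: a small set of constructed domain and IP indicators queried against constructed proxy log lines, once in exact-match mode and once in a broader suffix-match mode, to show that the plain search returns only what the hunter already named:

```python
from urllib.parse import urlparse

# Constructed IOC set (placeholder values, not real indicators): the artifacts being searched for.
IOCS = {"domain": {"evil-example.test", "dropzone.example"}, "ip": {"198.51.100.23"}}

# Constructed proxy log lines (timestamp, client, method, target, status), not real traffic.
PROXY_LOG = """\
2024-03-04T10:01:02 10.0.8.14 GET http://evil-example.test/gate.php 200
2024-03-04T10:01:09 10.0.8.14 GET http://cdn.evil-example.test/update.bin 200
2024-03-04T10:02:30 10.0.8.30 CONNECT 198.51.100.23:443 200
2024-03-04T10:03:00 10.0.8.31 GET http://www.example.org/ 200
2024-03-04T10:04:11 10.0.8.32 GET http://notevil-example.test/ 200
""".splitlines()

def parse_line(line):
    """Extract timestamp, client and contacted host from one proxy log line."""
    ts, client, method, target, status = line.split()
    # CONNECT lines carry host:port rather than a URL.
    host = urlparse(target).hostname if "://" in target else target.rsplit(":", 1)[0]
    return {"ts": ts, "client": client, "host": host}

def ioc_search(lines, iocs, suffix_match=False):
    """Return (line_no, ioc_type, indicator, client) for every hit.

    With suffix_match=False this is plain IOC searching: a host is reported only if it
    exactly equals a listed indicator, so the result set contains nothing the hunter did not
    already name (line 2, a subdomain of a listed domain, is missed). suffix_match=True also
    matches subdomains, widening the search at the cost of a noisier result set. The "." + d
    check keeps look-alikes such as notevil-example.test (line 5) out of both modes.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        host = rec["host"]
        if host in iocs["ip"]:
            hits.append((n, "ip", host, rec["client"]))
        for d in sorted(iocs["domain"]):
            if host == d or (suffix_match and host.endswith("." + d)):
                hits.append((n, "domain", d, rec["client"]))
    return hits
```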
Below are some sites where some important resources can be found:
- Critical Stack Intel Feed – Critical Stack Inc. has created this platform as a 100% free intelligence marketplace, optimized and ready to be integrated with the Bro Network Security Monitor.
- APTnotes – Kiran Bandla is a Security Engineer who has created a repository of publicly-available papers and blogs (sorted by year) related to malicious campaigns/activity/software that have been associated with vendor-defined APT (Advanced Persistent Threat) groups and/or tool-sets.
- Malware Domain List – Malware Domain List was designed as a community project with the intention to catalog compromised or dangerous domains. Included alongside the list of domain URLs and IPs is a description of the type of threat – for instance, a Ransomware or Trojan download – as well as the registrant, reverse look-up and ASN. The website is updated roughly once every two weeks.
- Internet Storm Center Suspicious Domains – The team at Internet Storm Center has compiled weighted lists based on tracking and malware lists from different sources. Domains are categorized depending on the level of sensitivity – this being either low, medium, or high sensitivity.
- TechHelpList – Given the constantly evolving nature of phishing and spearphishing attacks, the team at TechHelpList has compiled a list of malware-carrying emails, including commonly-used subject lines. The list is updated on an as-needed basis.
- Malware Traffic Analysis – Brad at Malware Traffic Analysis runs a blog on malware and exploit kit traffic. He updates the blog almost daily with timely analysis of new malware infections, and shares recent work on malware samples on his Twitter feed.
- ThreatMiner – Hunters can visit the ThreatMiner website in order to perform data mining for IOCs. The website’s main function is to free analysts from data collection and provide intelligence analysts with a portal on which they can carry out their tasks, from reading reports to pivoting and data enrichment – all on a single portal.
- Threat Crowd – Threat hunters can also use the Threat Crowd search engine to look up artifacts related to threats. Results are presented through a graph interface that enables hunters to perform comparisons between different artifacts.
IOC searching is an art that requires the hunter to make finely-tuned searches to reduce the chances of causing a result overload. An overly-broad search will result in too many returns, inhibiting the hunter from performing a realistic assessment.
What are the differences between IOCs and IOAs?
As noted in a piece in Digital Guardian, IOCs and IOAs differ in their focus: IOCs look back at what an attacker has already done, whereas IOAs focus on the attacker’s activities while the attack is in progress. Indicators of Compromise (IOCs) pertain to things in the past – think of them as clues about events that have already happened – while Indicators of Attack (IOAs) help us understand the current situation, identifying the how and why of events that are taking place in the moment. Analyzing IOAs and IOCs together allows savvy hunters to hunt security incidents or threats in something resembling real time.
Can indicators of compromise be utilized to accelerate detection and response time?
Through the collection and monitoring of IOCs in real time, threat-hunting teams are often in a better position to detect security incidents that might have escaped detection by other security tools at the organization. Active monitoring of the environment enables hunters to determine threat actors’ actions and malware behavior, and pinpoint the patterns used. These may then be noted and used to update the organization’s security policies and tools, shielding the organization from future attacks.
Afterwards, organizations can document these findings and share them with other companies. Shared findings help multiple threat-hunting teams work toward the goal of eventually automating the detection, prevention and reporting of security incidents.
The inclusion of IOCs within the threat-hunting process is one critical effort toward securing the organization against malware and cyberattacks. It should be encouraged through continuous extensive research to ensure threat-hunting teams are abreast of the latest cybersecurity trends.
In this article, we have looked at various Indicators of Compromise and artifacts (together with the tools used to assess them), how they compare with Indicators of Attack, the online sources that can be used to find new IOCs, and how IOCs can be used to improve detection and response times within organizations. It is important to note that the information on IOCs and artifacts is extensive and not limited to the material covered in this article. This article serves as a starting point for every individual working in a threat-hunting team who has questions about IOCs and their associated artifacts.
- “What are Indicators of Compromise?”, Digital Guardian
- “9 Great Sites for IOC Searching”, LinkedIn
- “Top 15 Indicators Of Compromise”, Dark Reading
- Kevin J. Houle, “Artifact Analysis”, FIRST