Welcome To Our New Weekly Series, Free Open Source Analysis Tools.
This Week's Topic: Free Open-Source Analysis Tools, Why Use IOCs?
Throughout this series, we'll be talking about a security analyst's IOC analysis journey, from discovering relevant indicators and performing the analysis to finding enrichments and new IOCs. We will also share recommendations for free open-source analysis tools and use cases completed by ThreatSTOP's Security and Research Team, showing how to utilize the various platforms and tools. Let's get started.
What Is an Indicator of Compromise?
An indicator of compromise (IOC) is a piece of forensic data that indicates potentially malicious activity on a host system or network. IOCs such as IP addresses, domains, MD5 hashes and filenames (among others) give important insight into the type of attack and its impact on the system. Security analysts and researchers collect IOCs and use them to research malicious activity, as well as to search for additional indicators that may be related to the same threat.
Analyzing Malicious Infrastructure
Malicious indicators can arrive at the security analyst's doorstep in various ways. In some cases, the indicator will arise from suspicious activity, such as peculiar network activity or a suspicious email found in a co-worker's inbox. High-quality indicators are also found on sharing platforms and social media, such as community threat exchanges and Twitter posts by security experts. Each indicator can be analyzed using a variety of tools to uncover more information about the threat and its infrastructure.
Using IOCs to Proactively Block Known Threats
Before opting for complex and expensive behavior-based security solutions to ensure network and device safety, there is a question that needs to be asked: have we ensured that already-known threats are being blocked? There are millions of public, free IOCs circulating on the web, yet the fact that they are openly published does not necessarily mean that they are being used for the protection they can provide. Many times, security solution seekers tend to jump a few steps ahead to very complex technological solutions, while missing out on a huge portion of the threat landscape that should be blocked – known, published threats. IOCs such as IP addresses and domain names can be used to block malicious inbound and outbound traffic, preventing attacks and breaches.
Collect published indicators, analyze them and integrate them into your security solution to block dangerous known threats, or choose a solution that automates the process, using IOCs and threat intelligence feeds to block these known threats from your system.
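As an added illustration (not ThreatSTOP's code), the script below ingests a constructed, defanged indicator list of the types named above (IP addresses, domains, MD5 hashes), normalizes it, and checks constructed DNS, proxy and AV log lines against it; the feed layout and log format are assumptions, and domain matching covers subdomains of a listed domain.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple

# Constructed sample of a published indicator list. Public feeds are often
# "defanged" ([.] for ., hxxp for http) so they cannot be clicked by accident.
IOC_FEED = """
# type,value
ip,203.0.113.45
domain,evil-cdn[.]example
domain,UPDATE.badactor[.]test
md5,d41d8cd98f00b204e9800998ecf8427e
"""

# Constructed log lines standing in for DNS, proxy and AV events.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00 dns query=www.update.badactor.test src=10.0.0.5",
    "2024-01-01T10:00:01 proxy dst=203.0.113.45 host=cdn.example.org",
    "2024-01-01T10:00:02 av file=invoice.exe md5=D41D8CD98F00B204E9800998ECF8427E",
    "2024-01-01T10:00:03 dns query=notevil-cdn.example src=10.0.0.7",
]

def refang(value: str) -> str:
    """Undo common defanging and lower-case so indicators compare against live data."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def load_iocs(feed: str) -> Dict[str, Set[str]]:
    """Parse the feed into per-type sets, rejecting malformed IP and MD5 values."""
    iocs: Dict[str, Set[str]] = {"ip": set(), "domain": set(), "md5": set()}
    for line in feed.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = line.split(",", 1)
        value = refang(value)
        if kind == "ip":
            ip_address(value)  # raises ValueError on a malformed address
        elif kind == "md5" and not re.fullmatch(r"[0-9a-f]{32}", value):
            raise ValueError(f"bad md5 indicator: {value}")
        iocs[kind].add(value)
    return iocs

def domain_matches(host: str, domains: Set[str]) -> bool:
    """True if host equals a listed domain or is a subdomain of one (not a mere suffix)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def find_hits(iocs: Dict[str, Set[str]], log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, ioc_type, indicator) for every log token that is a known IOC."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for token in re.split(r"[\s=,]+", line.lower()):
            if token in iocs["ip"]:
                hits.append((n, "ip", token))
            elif token in iocs["md5"]:
                hits.append((n, "md5", token))
            elif domain_matches(token, iocs["domain"]):
                hits.append((n, "domain", token))
    return hits
```

Line 4 of the sample does not fire: `notevil-cdn.example` only shares a string suffix with the listed domain, which is why the match insists on a dot boundary.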
If you haven't yet, subscribe to our blog so you don't miss out on this series and other posts from our experts on all things cybersecurity. For more information about ThreatSTOP and proactively using threat intelligence, check us out below.
Want to find out which FREE analysis tools ThreatSTOP recommends and how to use them?
Check out the next episodes in our series:
Part 2: Threat Exchanges & IOC Sharing
Part 3: Analyzing Threat Infrastructure
Part 4: Enrichments and Connecting the Dots
Part 5: Emotet Banking Trojan Use Case
Part 6: Guildma Information Stealer Use Case
Part 7: APT10 Use Case