🔍

Understanding Indicators of Compromise in Cybersecurity

Aug 24, 2024

Introduction to Indicators of Compromise Webinar

Facilitators and Overview

  • Facilitator: Jake Zaskin
  • Co-facilitator: Joe Goodwin
  • Purpose: Introduction to Indicators of Compromise (IOCs) to identify and manage cyber threats.

Webinar Objectives

  • Understand the importance of IOCs in cybersecurity and incident response.
  • Define IOCs and discuss their significance.
  • Explore the categories and examples of IOCs.
  • Introduce the MITRE ATT&CK framework for analyzing IOCs.
  • Provide resources for identifying, documenting, and sharing IOCs with other organizations.

Key Concepts

What are Indicators of Compromise (IOCs)?

  • Definition: Clues or forensic artifacts indicating a potential intrusion or compromise.
  • IOCs reveal:
    • Tactics, Techniques, and Procedures (TTPs) used by threat actors.
    • Severity and location of the compromise.
    • Potential adversaries involved.

Importance of IOCs

  • Essential for identifying advanced persistent threats (APTs).
  • Help in forensic identification of attacks and vulnerabilities.
  • Aid in incident response activities: Early detection, training, vulnerability assessment, and information sharing.

Examples of IOCs

  • Common Indicators:
    • Unusual outbound network traffic.
    • Increased database read volume before outbound traffic.
  • NIST Definition: Forensic artifacts identified on organizational systems at the host or network level.

Historical Reference: Island Hopping Campaign

  • Strategy used by Marines in WWII to advance by targeting less defended islands.
  • Similar to how threat actors compromise networks layer by layer.

Types of IOCs and Usage

  • Categories: TTPs, malicious IP addresses, hash values, and others.
  • Application: Used in monitoring systems and scanning networks for unusual activities.

Pyramid of Pain

  • Framework describing the types of IOCs and their difficulty in collection and application.
  • Higher levels of the pyramid indicate methods harder for adversaries to change and thus more effective for defense.

Advanced Persistent Threats (APTs)

  • Definition: Cyber attacks by criminals or nation-states aimed at prolonged data theft or surveillance.
  • Characteristics:
    • Specific targets and goals.
    • Use of custom malware and sophisticated techniques.
  • Examples include APT-12 (China), APT-33 (Iran), and APT-28 (Russia).

MITRE ATT&CK Framework

  • A structured framework to describe how attackers target and exploit vulnerabilities.
  • Maps TTPs to known APT groups.
  • Can be used to simulate threat actors and identify vulnerabilities.
  • Example: Stuxnet attack on Iran's nuclear facilities.

Tools and Resources for Detection

  • CISA Alerts: Tools developed to help identify signs of APT compromises.
  • Demonstration: Use of Security Onion and Wireshark for syslog analysis and network traffic monitoring.

Conclusion

  • Emphasis on the importance of IOCs in enhancing an organization’s cybersecurity posture.
  • Encouragement to utilize provided resources for further understanding and application.
  • Resources for Further Learning:
    • DHS Cybersecurity Communications
    • MITRE ATT&CK Framework
    • US CERT alerts and bulletins

Participation and Interaction

  • Polls conducted to assess audience experience with digital forensics and the MITRE framework.
  • Certificate of completion available for participants.

Full transcript