At CyberPoint, we pride ourselves on mastering and using all effective strategies to prevent, discover, and fix cyber attacks. Over the past decade, a promising approach, the use of Indicators of Compromise (IOCs), has moved from specialized government and military applications into widespread use. Services and collaborative projects like OpenIOC, STIX, MLSEC, TAXII and Alien Vault provide powerful tools to protect you from cyber attacks.
Anyone who is subject to an attack, including a cyber attack, understandably thinks first about ending the assault. Make it stop: discover its strategy, strengthen defenses, disarm the attacker, whatever it takes to return to a state of peace.
But if that's the whole response, it won't be enough. A thorough defense against attack requires a holistic approach. Why did it happen? How could we have found out it was happening sooner than we did? What signs did the attackers leave that we missed? How can we use our knowledge from this attack to fortify ourselves against the next one? Could we have been prepared based on previous attacks against others?
That last question is the basis for much of cyber security. If we only prepare to defend against attacks we have already personally suffered, we're not going to be prepared for very much. But if we can learn from all of the attacks suffered by everyone else, we'll be much better prepared.
This is equally important the other way around: if you've been cyber attacked, and found and repaired the damage, how can you put what you've learned about that particular attack to good use? Will your new knowledge just go to waste? Helping others isn't just about kindness, although it is a kind thing to do. You have to do business with others, and they with you, and vulnerabilities in their systems can cause problems for yours. And if lots of people and businesses are suffering attacks, business and society in general aren't working smoothly, which harms everyone.
Therefore, it is important for cyber security professionals to research, document, and share Indicators of Compromise, or IOCs. An Indicator of Compromise is anything that shows you there is or has been an intruder on your network or system. It could be a file, an IP address, a URL, a virus signature, or something else.
After a cyber attack, when we discover how it happened and what artifacts it left behind on your system, the next step is to share what we've learned with an online repository that collects IOCs so they remain available to the public. Various platforms, including OpenIOC, STIX, MLSEC, TAXII and Alien Vault, collect standardized, machine-readable IOC data. Standardization is crucial so that IOCs can be analyzed quickly and systematically, and used for defense across a wide array of industries and networks.
CyberPoint knows how to efficiently use threat intelligence to strengthen your defenses and fight off cyber attacks. Because of our experience with IOCs, we can apply the lessons learned from millions of attacks on millions of targets to optimize your protection.
We encourage interested parties to review the OpenIOC website at: http://www.openioc.org
For guidance on where to proceed next, the OpenIOC authors provide a very concise question-and-answer section that addresses the obvious question:
How do I use OpenIOC?
Their response (taken from http://www.openioc.org):
OpenIOC is what allows MANDIANT Intelligent Response (MIR) to "find evil." If you do not use MIR, we recommend downloading some of the free tools listed on OpenIOC.org to get started, such as IOC Editor or Redline. These tools can be used to manually craft, edit, and compare IOCs, or to analyze a host against an IOC that you have created.
Once you have created an IOC, the OpenIOC format can be used to efficiently communicate threat information in a standardized format to others who are using OpenIOC. Using a standard, machine readable format removes the time delay involved when personnel have to parse through human-readable intelligence reports.
If you are an advanced user, and/or have access to other methods of access to evidence or indicators to create IOCs, the OpenIOC format can be used to efficiently communicate threat information in a standardized format to others who are using OpenIOC. Using a standard, machine readable format removes the time delay with having to parse through human-readable intelligence reports. Advanced users may wish to check out the new ioc_writer library that goes along with the new draft version of OpenIOC.
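To make the "standardized, machine-readable" point concrete, here is an added example (not CyberPoint's, Mandiant's or the OpenIOC project's code) that parses a small OpenIOC 1.0 document and evaluates its nested AND/OR indicator logic against a host inventory. The IOC id, hash, file name and IP address are constructed sample values, not real indicators; the search terms such as `FileItem/Md5sum` follow OpenIOC 1.0 naming, and only the `is` and `contains` conditions are implemented.

```python
import xml.etree.ElementTree as ET
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document (all values made up): bad hash OR (odd file name AND beacon IP).
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-2">
        <IndicatorItem id="item-2" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svch0st</Content>
        </IndicatorItem>
        <IndicatorItem id="item-3" condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">198.51.100.23</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

# Constructed host inventory: observed artifacts keyed by the OpenIOC search term.
SAMPLE_HOST = {"FileItem/Md5sum": ["ffffffffffffffffffffffffffffffff"],
               "FileItem/FileName": ["C:\\Windows\\Temp\\svch0st.exe"],
               "PortItem/remoteIP": ["198.51.100.23"]}

def item_matches(item, host):
    """Test one IndicatorItem against the host's observed values for its search term."""
    content = item.find("ioc:Content", NS).text.strip().lower()
    search = item.find("ioc:Context", NS).get("search")
    observed = [v.lower() for v in host.get(search, [])]
    if item.get("condition") == "is":
        return content in observed
    if item.get("condition") == "contains":
        return any(content in v for v in observed)
    raise ValueError(f"unsupported condition {item.get('condition')!r}")

def indicator_matches(ind, host):
    """Recursively combine child results with the Indicator's AND/OR operator."""
    results = [item_matches(c, host) if c.tag.endswith("IndicatorItem")
               else indicator_matches(c, host) for c in ind]
    combine = all if ind.get("operator", "OR").upper() == "AND" else any
    return bool(results) and combine(results)

def host_compromised(ioc_xml, host):  # True if any top-level Indicator matches the host
    definition = ET.fromstring(ioc_xml).find("ioc:definition", NS)
    return any(indicator_matches(i, host) for i in definition.findall("ioc:Indicator", NS))
```

With the constructed host above the hash does not match, but the file-name and beacon-IP pair does, so the OR-of-AND logic reports a hit; swapping the IP for an unrelated address makes the same host come back clean.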