January 3, 2019 • Adrian Porcescu
Editor’s Note: The following blog post is a summary of a presentation from RFUN 2018 featuring Adrian Porcescu, EMEA professional services manager at Recorded Future.
Good or bad, indicators beget indicators.
Often, indicators are seen only as lists of IPs, domains, and so on, without an associated context. These lists can contain a high number of false positives or otherwise irrelevant data, wasting the time of analysts trying to decipher them. In order to make indicators truly useful and timely, enrichment is key.
Here, we will look more closely at how we can make better use of indicators and their associated context in order to transform them into good indicators of compromise. We’ll also see how we can make sure that we are not starting our automation or investigations with a bad indicator of compromise — something that will waste our time and likely lead to unhelpful context — as bad indicators will beget further bad indicators. In addition, we’ll look at how cyber threat intelligence provides that crucial context needed to transform raw data into true indicators of compromise.
There are several reasons to look at indicators of compromise instead of focusing on a higher part of the Pyramid of Pain, such as understanding the tactics, techniques, and procedures (TTPs) of threat actors:
We’ll start with some examples of indicators that are usually considered bad:
Most of the time, the following IPs are whitelisted by default, as they are considered bad indicators that should not be used for detection of potential threats. After doing some analysis, we have identified the following (at the time of this analysis):
In addition to the above finding, on a daily basis, we have found that there are tens or even hundreds of malicious samples that are submitted to VirusTotal that make use of Google DNS services.
Therefore, there is indeed a large number of potential threats that can be identified by using these indicators for detection purposes. A simple lookup within the Recorded Future platform for malware related to these indicators finds several families that make use of such services. The results of the advanced search in Recorded Future enables pivoting to further related entities, like threat actors or operations, that make use of such malware.
There are also several reasons why potential threats are making use of Google DNS services:
These types of requests also suggest that connections to Google DNS services are happening in the early stages of infection by malicious samples — and being able to detect an indicator earlier on in an attack is always desirable from a defender’s point of view.
Analysis of three of the most used services of this type revealed several interesting facts. Many malicious samples use the following services:
Several important categories and families of malware are making use of the following services in order to obtain the infected system IP address for further communication:
Both of these types of services can help identify a large number of malicious samples, even during early stages of infection. To use them, an organization needs to have a good understanding of their internal behavior. This will allow them to apply detection based on indicators related to Google DNS or public IP identification services against telemetry from their network that should not be using these services.
That means that one of the key aspects of turning an indicator into an indicator of compromise is the organizational context, which should guarantee whether a certain connection to a legitimate service is being made due to relevant, business-related reasons — if not, it can be an indication of a potential infected system.
Taking the example of 126.96.36.199, knowing that the owner of this IP is Google, we can decide whether we could apply it for detection by understanding what areas of our organization do not have Google as a service provider for DNS resolution. Pivoting further, we understand that in order to apply the organizational context, we need to have proper context provided around the indicators themselves.
If we take a step back and focus on what an indicator is, we can determine that it has two main components: data and context. The essence of an indicator is the data — something like an IP address or a domain. But that’s just data. It needs context from both inside your network and external sources to be a useful indicator of compromise:
By utilizing Intelligence Cards in the Recorded Future platform, you can view information shown below to quickly find context on any indicators.
As “context is king,” we recommend not only using indicator context in all phases of the cybersecurity lifecycle, but also incorporating internal network data as early as possible to develop context unique to your organization, which can more readily transform a bad indicator of compromise into a good one.
Context is critical and should be provided by threat intelligence vendors or requested by the consumers for every indicator. Here’s a list of recommendations to follow:
To learn more about how threat intelligence can help enrich indicators and ultimately save analysts valuable time, request a complimentary demo today.