ThreatSTOP Blog

ThreatSTOP Free Open Source Analysis Tools Series. Part 1: Why Use IOCs?

Written by Ofir Ashman | July 17, 2019

Welcome To Our New Weekly Series, Free Open Source Analysis Tools.

This Week's Topic: Free Open-Source Analysis Tools, Why Use IOCs?

Throughout this series, we'll follow a security analyst's IOC analysis journey: discovering relevant indicators, performing the analysis, and finding enrichments and new IOCs. We will also share recommendations for free open-source analysis tools, along with use cases completed by ThreatSTOP's Security and Research Team that show how to use the various platforms and tools. Let's get started.

What Is an Indicator of Compromise?

An indicator of compromise (IOC) is a piece of forensic data that points to potentially malicious activity on a host or network. IOCs such as IP addresses, domains, file hashes (MD5, SHA-1, SHA-256), file names and more give important insight into the type of attack and its impact on the system. Security analysts and researchers collect IOCs and use them to research malicious activity, as well as to search for additional indicators that may be related to the same threat.

Analyzing Malicious Infrastructure

Malicious indicators can arrive at the security analyst's doorstep in various ways. In some cases, the indicator arises from suspicious activity observed locally, such as peculiar network traffic or a suspicious email found in a co-worker's inbox. High-quality indicators are also found on sharing platforms and social media, such as community threat exchanges and Twitter posts by security researchers. Each indicator can then be analyzed with a variety of tools to uncover more information about the threat and the infrastructure behind it.

Using IOCs to Proactively Block Known Threats

Before opting for complex and expensive behavior-based security solutions to protect the network and its devices, one question needs to be asked first: are already-known threats being blocked? Millions of free, public IOCs circulate on the web, yet the fact that they are openly published does not mean they are actually being used for the protection they can provide. Many organizations jump straight to very complex technological solutions while missing a huge portion of the threat landscape that is straightforward to block: known, published threats. IOCs such as IP addresses and domain names can be used to block malicious inbound and outbound traffic, preventing attacks and breaches. Because attackers rotate their infrastructure, the indicator set must be kept current; a list that is never refreshed only blocks yesterday's infrastructure.

Collect published indicators, analyze them, and integrate them into your security solution to block dangerous known threats, or choose a solution that automates the process, using IOCs and threat intelligence feeds to block these known threats from reaching your systems.
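As an added illustration of that collect-normalize-block loop (example code written for this post, not ThreatSTOP's own tooling), the script below takes a small IOC feed, undoes the "defanging" that shared indicators commonly carry (hxxp, [.]), turns the result into a set of IP networks and domains, and checks a few outbound-traffic log lines against it. The feed, the log lines and their "timestamp source -> destination" format are all constructed for the example; the indicators use documentation/example address ranges and are not real threat intelligence.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Set, Tuple

# Constructed IOC feed, not a real one. It mixes the formats indicators commonly
# arrive in: a defanged URL (hxxp, [.]), a bare IP, a defanged CIDR range,
# a trailing-dot FQDN and a comment line.
SAMPLE_FEED = """\
# constructed example feed, not real intelligence
hxxp://evil-update[.]example/payload.bin
198.51.100.23
203.0.113[.]0/24
login.bank-secure.example.
"""

# Constructed outbound-traffic log lines: "<timestamp> <source IP> -> <destination>"
SAMPLE_LOG = """\
2019-07-17T10:01:02Z 10.0.0.5 -> cdn.evil-update.example
2019-07-17T10:01:07Z 10.0.0.5 -> 203.0.113.77
2019-07-17T10:02:15Z 10.0.0.9 -> www.example.org
2019-07-17T10:03:40Z 10.0.0.9 -> notevil-update.example
2019-07-17T10:04:01Z 10.0.0.12 -> LOGIN.bank-secure.example.
"""

_DEFANG = [("[.]", "."), ("(.)", "."), ("[dot]", "."), ("[:]", ":"), ("[://]", "://")]


def refang(token: str) -> str:
    """Undo common defanging so the indicator can be compared with real traffic."""
    token = token.strip()
    for bad, good in _DEFANG:
        token = token.replace(bad, good)
    return re.sub(r"(?i)^hxxp(s?)://", lambda m: f"http{m.group(1).lower()}://", token)


def extract_host(ioc: str) -> str:
    """Reduce a URL, IP, CIDR or domain indicator to the host part we can block on.
    Bracketed IPv6 hosts inside URLs are not handled in this example."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", ioc, re.I)
    if m:
        host = m.group(1).rsplit("@", 1)[-1]  # drop userinfo
        host = host.split(":", 1)[0]          # drop port
        return host.rstrip(".").lower()
    head, sep, _ = ioc.partition("/")
    if sep:
        try:
            ipaddress.ip_address(head)        # "a.b.c.d/24" is a CIDR: keep it whole
        except ValueError:
            ioc = head                        # "domain/path" -> just the domain
    return ioc.rstrip(".").lower()


def parse_feed(text: str):
    """Return (ip networks, domain set) from feed text; comments and blanks are skipped."""
    nets, domains = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host = extract_host(refang(line))
        try:
            nets.append(ipaddress.ip_network(host, strict=False))  # single IPs become /32
        except ValueError:
            domains.add(host)
    return nets, domains


def match_indicator(dest: str, nets, domains: Set[str]) -> Optional[str]:
    """Return the feed indicator that covers dest, or None.
    IPs match by network membership; domains match on label boundaries, so
    cdn.evil.example matches evil.example but notevil.example does not."""
    dest = dest.rstrip(".").lower()
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None
    if addr is not None:
        return next((str(n) for n in nets if addr in n), None)
    labels = dest.split(".")
    for i in range(len(labels) - 1):  # stop before a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(lines: Iterable[str], nets, domains: Set[str]) -> List[Tuple[str, str]]:
    """Return (destination, matched indicator) for every log line that hits a known-bad IOC."""
    hits = []
    for line in lines:
        if " -> " not in line:
            continue
        dest = line.rsplit(" -> ", 1)[1].strip()
        hit = match_indicator(dest, nets, domains)
        if hit:
            hits.append((dest, hit))
    return hits


if __name__ == "__main__":
    nets, domains = parse_feed(SAMPLE_FEED)
    for dest, ioc in scan_log(SAMPLE_LOG.splitlines(), nets, domains):
        print(f"BLOCK {dest:<30} matched {ioc}")
```

Two details matter in practice: normalization (refanging, lower-casing, trailing dots) has to happen on the feed side or real traffic will never match the published indicator, and domain matching must respect label boundaries, since a naive substring check on "evil-update.example" would also flag the unrelated "notevil-update.example".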

If you haven't yet, subscribe to our blog so you don't miss out on this series and other posts from our experts about all things cyber security. For more information about ThreatSTOP and proactively using threat intelligence, check us out below.

Want to find out which FREE analysis tools ThreatSTOP recommends and how to use them?

Check out the next episodes in our series:

Part 2: Threat Exchanges & IOC Sharing

Part 3: Analyzing Threat Infrastructure

Part 4: Enrichments and Connecting the Dots

Part 5: Emotet Banking Trojan Use Case

Part 6: Guildma Information Stealer Use Case

Part 7: APT10 Use Case