For a long time now, I’ve been talking about how to detect incidents early by identifying “attack precursors” and other leading indicators of breaches and security compromises. As a matter of fact, Tripwire’s “Cybercrime Controls” were designed to do just that and are being continuously improved.

For example, our Cybercrime Controls continuously monitor and detect things like:

- people trying to cover their tracks or obscure their presence on your systems;
- signs of ARP cache poisoning, ARP spoofing, and other man-in-the-middle attacks;
- suspicious changes in listening ports, system services and drivers, startup tasks, and scheduled tasks;
- anomalous permissions changes;
- changes in local firewall configurations and local user accounts;
- changes in DNS servers or IP routing;
- symptoms or presence of rootkits;
- and many others…

All of these items can provide early indications of bad actors, and help you identify and contain security incidents before they result in loss.
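To make the list above concrete, here is an added illustration (not Tripwire’s code and not part of the original post) of how several of these precursors can be caught by comparing a baseline snapshot of a host against its current state: new listening ports, services, scheduled tasks and local accounts; a changed DNS resolver; a known IP address that now answers from a different MAC; and a log file that has shrunk, which is a common sign of track covering. The snapshot field names and all values are constructed sample data, not a real host.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One detected deviation from the baseline."""
    category: str
    detail: str


# Constructed baseline snapshot of a host (illustrative values, not a real system).
BASELINE = {
    "listening_ports": {22, 443},
    "services": {"sshd", "nginx", "cron"},
    "scheduled_tasks": {"logrotate"},
    "dns_servers": ("10.0.0.53",),
    "local_users": {"root", "alice"},
    "arp_table": {"10.0.0.1": "aa:bb:cc:00:00:01"},
    "log_sizes": {"/var/log/auth.log": 48_000},
}

# Constructed "current" snapshot containing several precursor-type changes.
CURRENT = {
    "listening_ports": {22, 443, 4444},
    "services": {"sshd", "nginx", "cron", "updatesvc"},
    "scheduled_tasks": {"logrotate", "sysupdate"},
    "dns_servers": ("198.51.100.7",),
    "local_users": {"root", "alice", "support"},
    "arp_table": {"10.0.0.1": "de:ad:be:ef:00:02"},
    "log_sizes": {"/var/log/auth.log": 1_200},
}

# Set-valued attributes where any item present now but absent from the baseline is reported.
SET_CHECKS = (
    ("listening_ports", "new listening port"),
    ("services", "new system service"),
    ("scheduled_tasks", "new scheduled task"),
    ("local_users", "new local user account"),
)


def compare_snapshots(baseline: dict, current: dict) -> list:
    """Return the precursor-style deviations of `current` from `baseline`."""
    findings = []

    for key, label in SET_CHECKS:
        added = current.get(key, set()) - baseline.get(key, set())
        for item in sorted(added, key=str):
            findings.append(Finding(label, str(item)))

    # Resolver changes are compared as ordered tuples: order matters for resolution.
    if current.get("dns_servers") != baseline.get("dns_servers"):
        findings.append(Finding(
            "dns servers changed",
            f"{baseline.get('dns_servers')} -> {current.get('dns_servers')}",
        ))

    # A known IP now mapped to a different MAC is a classic ARP spoofing symptom.
    for ip, mac in baseline.get("arp_table", {}).items():
        now = current.get("arp_table", {}).get(ip)
        if now is not None and now != mac:
            findings.append(Finding("arp mapping changed", f"{ip}: {mac} -> {now}"))

    # A log that is smaller than at baseline suggests truncation to cover tracks.
    for path, size in baseline.get("log_sizes", {}).items():
        now = current.get("log_sizes", {}).get(path)
        if now is not None and now < size:
            findings.append(Finding("log file shrank", f"{path}: {size} -> {now} bytes"))

    return findings


def categories(findings) -> list:
    """Distinct finding categories, sorted, for summarising a comparison."""
    return sorted({f.category for f in findings})


if __name__ == "__main__":
    for finding in compare_snapshots(BASELINE, CURRENT):
        print(f"[{finding.category}] {finding.detail}")
```

The value of this kind of check is that it needs no signature for the attacker’s tooling: it only asks what changed since a trusted baseline, which is exactly why these items work as precursors rather than after-the-fact indicators.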

I Hereby Dub Thee “Indicators of Compromise”

I’m pleased to see that those precursors are now getting the attention they deserve and, thanks to security firm Mandiant, they now have a common name: “Indicators of Compromise.”

Indicators of Compromise, or IOCs, are being actively discussed and pursued in the broader infosec practitioner and vendor communities. This focus on codifying IOCs is a nice step forward in making it easier to share threat data across organizations, and I think it represents a significant leverage point for advancing the state of the art in information security.

If you want a good overview from Mandiant, check out this presentation on “Using Indicators of Compromise,” from the US-CERT site. Participating in data sharing around IOCs is also getting easier – check out OpenIOC, which is an open source framework for sharing threat information and other tools to help us share ways to detect threats more quickly and more proactively.

I look forward to a day when the average time to discover breaches decreases dramatically in Verizon’s Data Breach Investigations Report, and I think embracing and improving our ability to identify Indicators of Compromise will help us get there. What do you think?


Dwayne Melancon

Dwayne Melancon has contributed 139 posts to The State of Security.
