For a long time now, I’ve been talking about how to detect incidents early by identifying “attack precursors” and other leading indicators of breaches and security compromises. As a matter of fact, Tripwire’s “Cybercrime Controls” were designed to do just that and are being continuously improved.
For example, our Cybercrime Controls continuously monitor and detect things like:
- people trying to cover their tracks or obscure their presence on your systems;
- signs of ARP cache poisoning, ARP spoofing, and other man-in-the-middle attacks;
- suspicious changes in listening ports, system services and drivers, startup tasks, and scheduled tasks;
- anomalous permissions changes;
- changes in local firewall configurations and local user accounts;
- changes in DNS servers or IP routing;
- symptoms or presence of root kits;
- and many others…
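As an added illustration of the precursor checks listed above (example code written for this post, not Tripwire's Cybercrime Controls), here is a small Python routine that compares a known-good baseline of a host's state against a later snapshot and reports new listening ports, new scheduled tasks, a changed DNS resolver, and two ARP-table symptoms: a host whose MAC address changed, and a single MAC answering for several IPs. Both snapshots are constructed inline; the IPs, MACs and task names are made up.

```python
# Added example: baseline-vs-snapshot precursor detection (constructed data).
from collections import defaultdict

# Constructed "known good" state of a host, captured at a trusted point in time.
BASELINE = {
    "listening_ports": {22, 443},
    "scheduled_tasks": {"logrotate", "backup-nightly"},
    "dns_servers": ["10.0.0.53"],
    "arp_table": {"10.0.0.1": "aa:bb:cc:00:00:01", "10.0.0.7": "aa:bb:cc:00:00:07"},
}

# Constructed later snapshot containing several of the changes the post lists.
SNAPSHOT = {
    "listening_ports": {22, 443, 5555},
    "scheduled_tasks": {"logrotate", "backup-nightly", "update-helper"},
    "dns_servers": ["198.51.100.9"],
    "arp_table": {"10.0.0.1": "aa:bb:cc:00:00:07", "10.0.0.7": "aa:bb:cc:00:00:07"},
}


def arp_findings(baseline_arp, current_arp):
    """Flag a known IP whose MAC changed, and one MAC claiming several IPs."""
    findings = []
    for ip, mac in current_arp.items():
        old = baseline_arp.get(ip)
        if old is not None and old != mac:
            findings.append(f"ARP: {ip} moved from {old} to {mac} (possible spoofing)")
    ips_by_mac = defaultdict(set)
    for ip, mac in current_arp.items():
        ips_by_mac[mac].add(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:  # one NIC answering for multiple hosts is a classic poisoning sign
            findings.append(f"ARP: {mac} claims {sorted(ips)} (possible poisoning)")
    return findings


def precursor_findings(baseline, current):
    """Return human-readable findings for every precursor category that changed."""
    findings = []
    new_ports = current["listening_ports"] - baseline["listening_ports"]
    if new_ports:
        findings.append(f"New listening ports: {sorted(new_ports)}")
    new_tasks = current["scheduled_tasks"] - baseline["scheduled_tasks"]
    if new_tasks:
        findings.append(f"New scheduled tasks: {sorted(new_tasks)}")
    if current["dns_servers"] != baseline["dns_servers"]:
        findings.append(f"DNS servers changed: {baseline['dns_servers']} -> {current['dns_servers']}")
    findings.extend(arp_findings(baseline["arp_table"], current["arp_table"]))
    return findings
```

In practice the baseline would come from the monitoring agent's last approved state and the snapshot from the live host, with each finding raised as an alert rather than returned as a string.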
I hereby Dub Thee “Indicators of Compromise”
I’m pleased to see that those precursors are now getting the attention they deserve, and thanks to security firm Mandiant they now have a common name: “Indicators of Compromise.”
Indicators of Compromise, or IOCs, are being actively discussed and pursued in the broader infosec practitioner and vendor communities. This focus on codifying IOCs is a nice step forward in making it easier to share threat data across organizations, and I think it represents a significant leverage point for advancing the state of the art in information security.
If you want a good overview from Mandiant, check out the presentation “Using Indicators of Compromise” on the US-CERT site. Participating in data sharing around IOCs is also getting easier – check out OpenIOC, an open source framework for sharing threat information, along with other tools that help us share ways to detect threats more quickly and more proactively.
I look forward to the day when the average time to discover breaches decreases dramatically in Verizon’s Data Breach Investigations Report, and I think embracing and improving our ability to identify Indicators of Compromise will help us get there. What do you think?