For a long time now, I’ve been talking about how to detect incidents early by identifying “attack precursors” and other leading indicators of breaches and security compromises. As a matter of fact, Tripwire’s “Cybercrime Controls” were designed to do just that and are being continuously improved.
For example, our Cybercrime Controls continuously monitor and detect things like:
- people trying to cover their tracks or obscure their presence on your systems;
- signs of ARP cache poisoning, ARP spoofing, and other man-in-the-middle attacks;
- suspicious changes in listening ports, system services and drivers, startup tasks, and scheduled tasks;
- anomalous permissions changes;
- changes in local firewall configurations and local user accounts;
- changes in DNS servers or IP routing;
- symptoms or presence of rootkits;
- and many others…
I hereby Dub Thee “Indicators of Compromise”
I’m pleased to see that those precursors are now getting the attention they deserve and thanks to security firm Mandiant, they now have a common name: “Indicators of Compromise.”
Indicators of Compromise, or IOCs, are being actively discussed and pursued in the broader infosec practitioner and vendor communities. This focus on codifying IOCs in a common format is a nice step forward in making it easier to share threat data across organizations, and I think it represents a significant leverage point for advancing the state of the art in information security.
If you want a good overview from Mandiant, check out this presentation on “Using Indicators of Compromise,” from the US-CERT site. Participating in data sharing around IOCs is also getting easier – check out OpenIOC, an open, XML-based framework for describing and sharing threat information, along with tools that help us share ways to detect threats more quickly and more proactively.
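The value of a codified format is that a shared indicator can be evaluated mechanically against what you observe on a host. The Python below is an added example, not Mandiant's or the OpenIOC project's own code: it evaluates an OpenIOC-1.0-style document (root `ioc`, a `definition` of nested `Indicator` elements with AND/OR operators, and `IndicatorItem` leaves carrying a `Context search=` path and a `Content` value) against a dictionary of host observations keyed by the same search paths. The sample IOC, its identifiers, the hash, service name and IP address, and the observation dictionaries are all constructed for illustration and match no real threat.

```python
"""Evaluate an OpenIOC-style indicator document against host observations.

Added example. The XML layout below is the OpenIOC 1.0 shape as this
example understands it; the ids, hash, service name and IP are constructed.
Only the "is" and "contains" conditions are implemented here.
"""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed IOC: match on a known-bad file hash, OR on a look-alike
# service name combined with a connection to a constructed C2 address.
SAMPLE_IOC = """
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-ioc-0001"
     last-modified="2012-01-01T00:00:00">
  <short_description>Constructed example: dropper hash or beaconing service</short_description>
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-2">
        <IndicatorItem id="item-2" condition="contains">
          <Context document="ServiceItem" search="ServiceItem/name" type="mir"/>
          <Content type="string">kworkerd</Content>
        </IndicatorItem>
        <IndicatorItem id="item-3" condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">198.51.100.9</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host observations, keyed by the IOC's Context search path.
HOST_BEACONING = {
    "FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"],
    "ServiceItem/name": ["sshd", "nginx", "kworkerd"],
    "PortItem/remoteIP": ["10.0.0.53", "198.51.100.9"],
}
HOST_SERVICE_ONLY = {   # look-alike service present, but no C2 connection
    "FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"],
    "ServiceItem/name": ["sshd", "kworkerd"],
    "PortItem/remoteIP": ["10.0.0.53"],
}
HOST_DROPPER = {        # only the file hash matches
    "FileItem/Md5sum": ["0123456789ABCDEF0123456789ABCDEF"],
    "ServiceItem/name": ["sshd"],
    "PortItem/remoteIP": [],
}


def item_matches(item, observations) -> bool:
    """Evaluate one IndicatorItem leaf against the observed values."""
    search = item.find("ioc:Context", NS).get("search")
    content = (item.findtext("ioc:Content", default="", namespaces=NS) or "").strip().lower()
    condition = item.get("condition", "is")
    values = [v.lower() for v in observations.get(search, [])]
    if condition == "is":
        return content in values
    if condition == "contains":
        return any(content in v for v in values)
    raise ValueError(f"unsupported condition {condition!r}")


def indicator_matches(node, observations) -> bool:
    """Combine child results with the node's AND/OR operator (recursive)."""
    op = node.get("operator", "OR").upper()
    results = []
    for child in node:
        tag = child.tag.split("}")[-1]          # strip the namespace
        if tag == "IndicatorItem":
            results.append(item_matches(child, observations))
        elif tag == "Indicator":
            results.append(indicator_matches(child, observations))
    if not results:                              # an empty Indicator never fires
        return False
    return all(results) if op == "AND" else any(results)


def evaluate(ioc_xml: str, observations):
    """Return (ioc id, short description, matched?) for one host."""
    root = ET.fromstring(ioc_xml)
    desc = root.findtext("ioc:short_description", default="", namespaces=NS)
    definition = root.find("ioc:definition", NS)
    hit = any(indicator_matches(ind, observations)
              for ind in definition.findall("ioc:Indicator", NS))
    return root.get("id"), desc, hit


if __name__ == "__main__":
    for name, host in [("beaconing", HOST_BEACONING),
                       ("service-only", HOST_SERVICE_ONLY),
                       ("dropper", HOST_DROPPER)]:
        ioc_id, desc, hit = evaluate(SAMPLE_IOC, host)
        print(f"{name:13} {ioc_id} {'MATCH' if hit else 'clean'}  ({desc})")
```

The nested AND inside the OR is the part worth noticing: a look-alike service name on its own is a weak signal and does not fire, but the same name together with a connection to the indicator's address does, which is how a shared IOC can encode an analyst's judgement rather than a bare list of strings. Comparisons are case-insensitive so a hash written in upper case still matches.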
I look forward to the day when the average time to discover breaches drops dramatically in Verizon’s Data Breach Investigations Report, and I think embracing and improving our ability to identify Indicators of Compromise will help us get there. What do you think?