Detect to mitigate


Dorais-Joncas is one of nine Montreal-based researchers with ESET; the company also has ten employees in Toronto. Advanced attackers, he explained, take their time to learn about defensive measures. For example, they may identify which anti-malware products a target uses and purchase the software to ensure that their attacks are not immediately detected.

ESET, like several other firms, publishes Indicators of Compromise (IOCs) in its research to help others determine whether they have been infected. IOCs can include specific IP addresses that malware is known to communicate with, domain names contacted, patterns in network traffic, static parts of files, and file system artefacts.

This information can be very helpful, but in practice organizations require infrastructure to search the environment for IOCs. Firewall logs are required to look for communication with known command and control servers. DNS logs are necessary to track domain names contacted. Detecting attack signatures in network traffic requires an intrusion detection system capable of monitoring all communications. File system artefacts are also difficult to search for unless software is in place to rapidly scan systems throughout the enterprise.

Another challenge, according to Dorais-Joncas, is that IOCs are time sensitive and quickly become outdated. Some malware rotates IP addresses every 12 hours or more frequently. Malware often rapidly changes after IOCs are published, suggesting that malware authors monitor research and change their code promptly to avoid detection. As a result, IOCs are generally valid for days, not weeks.
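As an added illustration of the two points above (matching published IOCs against firewall and DNS logs, and the short shelf life of those indicators), the following Python sketch is not part of the original column: it checks constructed log lines against a constructed IOC list and ages indicators out after a seven-day window, an assumed policy rather than a figure from the article.

```python
import re
from datetime import date, timedelta

# Constructed IOC set, each carrying the date the research was published.
IOC_TTL_DAYS = 7  # assumed policy: indicators older than a week are treated as stale
TODAY = date(2015, 3, 4)  # assumed date of the scan
IOCS = [
    {"type": "ip", "value": "203.0.113.42", "published": date(2015, 3, 1)},
    {"type": "domain", "value": "update-check.example.net", "published": date(2015, 3, 1)},
    {"type": "ip", "value": "198.51.100.7", "published": date(2015, 1, 10)},  # too old
]

# Constructed firewall and DNS log lines (the field layout is invented here).
LOGS = [
    "2015-03-04T10:02:11 FW allow src=10.0.0.15 dst=203.0.113.42 dport=443",
    "2015-03-04T10:02:12 DNS query client=10.0.0.15 qname=update-check.example.net",
    "2015-03-04T10:05:40 FW allow src=10.0.0.22 dst=198.51.100.7 dport=80",
    "2015-03-04T10:06:00 DNS query client=10.0.0.30 qname=www.example.org",
]

FIELD_RES = {
    "ip": re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b"),
    "domain": re.compile(r"\bqname=([A-Za-z0-9.-]+)\b"),
}

def split_by_age(iocs, today, ttl_days=IOC_TTL_DAYS):
    """Return (active, stale) sets of (type, value) based on publish date."""
    cutoff = today - timedelta(days=ttl_days)
    active = {(i["type"], i["value"]) for i in iocs if i["published"] >= cutoff}
    stale = {(i["type"], i["value"]) for i in iocs if i["published"] < cutoff}
    return active, stale

def scan_logs(log_lines, iocs, today):
    """Return (hits, stale_hits); stale matches are reported separately for review."""
    active, stale = split_by_age(iocs, today)
    hits, stale_hits = [], []
    for line in log_lines:
        for ioc_type, pattern in FIELD_RES.items():
            m = pattern.search(line)
            if not m:
                continue
            key = (ioc_type, m.group(1).lower().rstrip("."))
            if key in active:
                hits.append((key, line))
            elif key in stale:
                stale_hits.append((key, line))
    return hits, stale_hits

def run_demo():
    return scan_logs(LOGS, IOCS, TODAY)
```

Stale matches are kept rather than dropped because an expired indicator may still mark an old, undetected infection; they are simply queued for analyst review instead of automatic alerting.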

There are many sources of IOCs, and a lot of public information exists, but it is not aggregated into a form that makes it immediately usable. For example, ESET (and many others) publish research as .pdf files. Monitoring all relevant research is labour intensive. Ideally, researchers would agree to publish IOCs in a standard format. Dorais-Joncas said that would be great for those seeking to defend their organizations, and that he would welcome a vendor-neutral system. But, as he pointed out, it would take considerable effort to get all the companies to cooperate. The other alternative would be an army of volunteers who monitor research and promptly make IOCs available.

A quick search of the web suggests that there is interest. For example, security consulting firm MANDIANT launched an open source initiative: “OpenIOC is designed to fill a void that currently exists for organizations that want to share threat information both internally and externally in a machine-digestible format. OpenIOC is an extensible XML schema that enables you to describe the technical characteristics that identify a known threat, an attacker’s methodology, or other evidence of compromise.”

The OpenIOC project provides the schema, tools, and “a base set of indicators provided by MANDIANT. These indicators describe over 500 facets of environments that can be used to track down advanced attackers.”

Facebook is also wading into the threat intelligence landscape. According to their site, “Most threat intelligence solutions suffer because the data is too hard to standardize and verify. Facebook created the ThreatExchange platform so that participating organizations can share threat data using a convenient, structured, and easy-to-use API that provides privacy controls to enable sharing with only desired groups.” ThreatExchange is currently in beta and it is not clear how much traction the project will attain.

Organizations of all sizes should obviously continue to deploy effective anti-malware solutions. However, as Dorais-Joncas points out, it is also important to detect when a compromise has occurred and act promptly to protect the organization.
