State of the Hack: ABCs of IOC


Can we get a copy of the slides?
Yes

When is the next MANDIANT webinar?
"State of the Hack - We went to a fight, and a hockey game broke out" will be live at the 22nd Annual FIRST conference in Miami, FL on Wednesday, June 16, 2010 at 12:30 p.m. Eastern time.

Is the OpenIOC "open" as in a published API so that other open products/tools benefit?
Yes, the tool and the schema are completely product neutral. The tool will be licensed within a week, and the license will allow it to be open source.

Can you use regex (regular expressions) when you’re writing your IOCs?

Yes, the OpenIOC format does support regular expressions.

What is the major difference between the IOC and antivirus that searches for specific files?
The main difference is that IOCe is made to describe any type of indicator. The indicator is tied to specific pieces of malware and is less likely to change. With anti-virus you cannot control your search; IOCe allows you to maintain your own search.

Have you seen rootkit techniques used by the APT to make definition of IOCs more difficult?

The APT have been known to, and do, use rootkits in order to hide on a system. If you have an IOC for a particular filename, then the IOC wouldn't fail; it would be the underlying technology that is looking for those things that would fail. More importantly, if the APT are making hooking calls, you'd be able to write an IOC to describe the fact that they are making those hooked calls. Then, if you had a product that could go through and review what items are being hooked and by whom, that IOC would find the file on disk and find the malware hiding from you.

Does the IOC spec normalize data... for example, identifying where multiple malware instances may have the same characteristics and reducing redundancy of storage?

No, this was something that was avoided when designing the tool. The design of the IOC spec just describes the indicators. Potential problems could occur when you introduce things like a format acting as a normalization force. We wanted the tool to take a Notepad approach, where you have the data and can edit it; when it comes to managing the data, that will still be a business process that the user will need to manage.

What about malware that generate dynamic file names with random salt values?

There are a lot of different schemes you can use. If you don't have a way to describe it, or if you couldn't describe it to me in paragraph form, then we couldn't capture it. For example, for most malware, if you're talking about a temporary filename, or using an API to create a temporary file, you can generate a hardcoded prefix and use the letters .tmp as the file extension. With that you'll have two parts of the filename that you know, the middle of the filename that you don't know, and a path that is going to contain the letters temp. You can then use the IOC format to describe an indicator that still captures that, even though you don't know the filename. The combination of those three things will find the temporary generated files.
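The temp-file indicator described above, as an added example that is not code from the webinar or from Mandiant's IOC Editor: a small evaluator that reads an OpenIOC-style document (constructed here, assuming the OpenIOC 1.0 element layout and that the regular-expression condition is named `matches`) and checks it against file metadata rendered as a dict. The prefix `svc` and the sample records are constructed; the `FileItem/FullPath` and `FileItem/FileName` search terms and record shape are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed OpenIOC-style document (assumption: follows the OpenIOC 1.0 layout; not a
# Mandiant-published IOC). Known prefix, unknown middle, ".tmp" extension, path containing "temp".
IOC_XML = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <definition>
    <Indicator operator="AND" id="ind-1">
      <IndicatorItem id="item-1" condition="contains">
        <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
        <Content type="string">temp</Content>
      </IndicatorItem>
      <IndicatorItem id="item-2" condition="matches">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">^svc[A-Za-z0-9]{4,8}\\.tmp$</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""
NS = "{http://schemas.mandiant.com/2010/ioc}"

def item_matches(item, record):
    """Evaluate one IndicatorItem against a dict of collected file metadata."""
    term = item.find(NS + "Context").get("search")
    value = item.find(NS + "Content").text or ""
    observed = record.get(term, "")
    cond = item.get("condition")
    if cond == "is":
        return observed == value
    if cond == "contains":
        return value.lower() in observed.lower()
    if cond == "matches":  # regular-expression condition (assumed name), as OpenIOC supports regex
        return re.search(value, observed) is not None
    raise ValueError(f"unsupported condition: {cond}")

def indicator_matches(indicator, record):
    """Recursively evaluate an Indicator (AND/OR over its items and nested Indicators)."""
    results = [item_matches(c, record) if c.tag == NS + "IndicatorItem"
               else indicator_matches(c, record) for c in indicator]
    return all(results) if indicator.get("operator") == "AND" else any(results)

def evaluate_ioc(xml_text, record):
    """True if the IOC's top-level Indicator matches one collected file record."""
    return indicator_matches(ET.fromstring(xml_text).find(f"{NS}definition/{NS}Indicator"), record)

# Constructed sample records, in the shape a collector might render them (assumption).
SUSPECT = {"FileItem/FullPath": "C:\\Users\\u\\AppData\\Local\\Temp\\svcA1b2C3.tmp",
           "FileItem/FileName": "svcA1b2C3.tmp"}
BENIGN = {"FileItem/FullPath": "C:\\Windows\\System32\\svchost.exe",
          "FileItem/FileName": "svchost.exe"}
```

The AND over the path term and the regex term is what lets the indicator fire on the random middle of the name without ever listing it.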

Do you plan any tools like YARA, which work on UNIX?
OpenIOC can be used to describe non-Windows indicators, too. If you store your YARA data in OpenIOC, then you can use other tools and make use of the data set as well.

Does the IOC editor have a way to search the indicator data?

Searching IOCs in the IOCEditor is a much-needed feature. We are working on the best way to do this. We see a lot of intelligence correlation happening in this feature beyond simple search. However, searching is already an integral part of our MIR product.

Do you believe a "free and open" community can exist to share IOC rules?
We hope so -- we're trying to facilitate that kind of information sharing. Folks are welcome to join the OpenIOC forum at http://forums.mandiant.com/, of course. Also, our customers (MIR, Managed Services, etc.) can contribute the IOCs they find, and we'll republish them as able, without attribution if they wish.

How much will this format be used with the M-INT threat feeds?
All of it. We use OpenIOC and its predecessors to describe the indicators of compromise in M-INT. For more on that threat intelligence source, drop a line to [email address not shown], check out the Managed Services section of the website, and keep up with our webinar series.

Without using the MIR product, have you found a good way to collect the raw metadata evaluated against IOCs?
Our Memoryze freeware can collect a lot of the memory-forensics-based information, and you could certainly use other tools such as Sleuthkit or sysadmin tools, and then render that information into something that IOCe could match against.

Where can I find the free software you mentioned during the webinar?
You can find a listing of our free software here: http://www.mandiant.com/products/free_software