M-unition -

Combat the APT by Sharing Indicators of Compromise

By on January 26, 2010

At MANDIANT, we value human intelligence – ground-truth, intelligent decision-making and adapting to your enemy’s tactics. Since expert humans can’t be everywhere, we’ve built a means to exchange enough ground-truth and decision-making so security experts can spend more energy applying expertise, less time parsing and pruning stale datasets and leverage their expertise across organizations and between compromises.

Historically, compromise data has been exchanged in CSV or PDFs laden with tables of “known bad” malware information – name, size, MD5 hash values and paragraphs of imprecise descriptions supplemented by ad-hoc exchanges between targets.

MANDIANT, inspired by field pressures, operation after operation, imagined a way to exchange not only indicators of specific compromises but structures which formalize the human-intelligence of decision-making, rules, exceptions, and ongoing adaptability. Our Indicators of Compromise (IOCs) were shaped operationally detecting real-world threats. We help our clients detect the APT right now, and they’re exchanging information about it using IOCs.

Conventional compromise datasets consist of table after table of immediately-stale data capturing few, if any, relationships. An Indicator of Compromise (IOC), however, is a Boolean decision tree that discriminates an indicator from a false positive, theory from ground truth. What’s more, when you discover an exception or extension to a well-known IOC you can describe it concisely and proactively, authenticate its source, and re-evaluate your existing data to detect new instances of old compromises. This way, as a threat group adapts to your detections, you retain an IOC’s identity and maintain the value of intelligence shared with other targets over time.

Importantly, IOC is industry-standard XML so you already have tools and a community of experts who can comprehend, transform, and leverage new data immediately. Unlike many XML standards however, it’s simple – developed operationally with an eye toward staying adaptable, transformable, and scalable. IOC describes relationships which indicate compromise – this makes the format resilient to new data formats, data sources and decision engines.

At DoD CyberCrime 2010 MANDIANT will formally release this format and tools to leverage it in your investigations today. We’ll have full coverage of the release on M-unition – stay tuned.

Category: The Suite Spot

Comments

    1. By Bob on July 6 at 12:34 pm

      Did you guys ever publish the IOC XML schema anywhere?

    2. By mfrazier (Author) on July 6 at 6:07 pm

      The schemas for OpenIOC are published as part of the free OpenIOC-compatible editor, IOCe. You can download it from this link:
      http://www.mandiant.com/products/free_software/ioce/

      You’ll find the XML Schema Definition (.xsd) files defining the schemas in the Schemas folder within the zip archive.

      If you have any questions or want to follow OpenIOC discussions on our forums, check out https://forums.mandiant.com/forum/open-ioc

    3. By Sean on January 3 at 7:38 am

      It doesn’t look like the .xsd file is included in the newest release. Can it be made available? Thanks.

    4. By jonbv on August 17 at 9:50 pm

      How is OpenIOC different from MITRE’s Malware Attribution Enumeration and Characterization project? (http://maec.mitre.org/)

    5. By Doug Wilson on February 6 at 7:03 pm

      It looks like some blog comments from a long time ago got stuck in the moderation queue.

      To address these questions:

      Where is the .xsd?

      The base IOC schema is here: http://schemas.mandiant.com/2010/ioc/ioc.xsd and the audit schemas are described at http://schemas.mandiant.com

      However, of more interest to those writing IOCs are the lists of Indicator Terms, which describe the specific things which we look for and use to populate the schema to build IOCs. Those and other resources for writing IOCS in (what is now) OpenIOC can be found at http://OpenIOC.org.

      How is this different than MAEC?

      The Malware Attribution Enumeration and Characterization (or MAEC) project from MITRE is focused on all facets of malware, including specific artifacts up to categorizing types of malware by functionality, family, etc. MAEC is used specifically to describe artifacts involving, surrounding, and originating from malware.

      OpenIOC can be used to describe malware, as artifacts of malware are almost definitely Indicators of Compromise. But compromises and intrusions cover a lot more ground than just malware — if you were to look at only indications of malware in an enterprise, you would miss most of the footprint of even a semi-skilled attacker. IOCs allow you to describe a wide variety of indicators, including attacker activities, movement, and methodology, as well as specific forensic artifacts of malicious executables and exploits.

      OpenIOC is more alike to the newer MITRE offering, CybOX (for Cyber Observables) — CybOX is an incredibly broad effort to be able to define all observables within an enterprise — the CybOX team has chosen to include OpenIOC as a specific set of observables within their framework. While all of these tools have their uses, we still feel that in the specific arena of Incident Response or sharing Threat Intelligence artifacts, OpenIOC is the best choice for those subject areas.

      More information about OpenIOC is available at http://openioc.org
      The MAEC project homepage is at: http://maec.mitre.org/
      The CybOX project homepage is at: http://cybox.mitre.org/
