Sharing Threat Intelligence With Technology – Making Use of OpenIOC
There are many “standards” being developed for describing or sharing threat intelligence. But what makes a standard? Many industries have standards bodies that tightly control how processes work or define specifications for the manufacture or creation of products and services. But throughout the history of the Internet, many standards that surround the Internet are de facto in nature. Innovators in technology have driven standards, especially with protocols. Networking and Internet Protocols, Web standards, the history of all of them is driven by innovation, invention and use of what works. Drafts of standards that are not yet ratified (but widely in use) often dictate the construction of products and workflows. Ultimately, official standards adopt the technology that achieves the most success in the marketplace after something has been proven to work.
Standards that are not market driven run the risk of being academic exercises created in isolation from the real technological and market challenges that are being solved daily in the business world, and therefore may have more and less content than what is really needed. They have not undergone the process of attrition and evolution that market success demands of leaders that define an industry.
Today we are launching a new website for OpenIOC, the standard for describing threat intelligence in a machine digestible form that we use at MANDIANT. MANDIANT has created OpenIOC and the workflow that OpenIOC is a part of during the course of seven years of responding to computer security breaches. That’s how we know that OpenIOC works in the real world.
The term Indicator of Compromise (or IOC) has been around for many years. It first appeared in Kevin Mandia’s book, Incident Response & Computer Forensics. Since then, MANDIANT has created the OpenIOC format as a means of standardizing communication about threat information and creating structured, effective IOCs. With today’s announcement we are making the OpenIOC standard and supporting information more accessible, and providing free tools to help others make use of this technology to help fight computer crime and improve the security of hosts and networks around the world.
To achieve this, we’ve done several things. First, the OpenIOC format has been released as Open Source under the Apache2 license. We maintain the base schema, but anyone can use OpenIOC in their efforts to define, communicate, or store threat intelligence. The schema is short and simple, but can be extended as needed. This lets you use the indicator terms you need without having to deal with the bloat of the ones you don’t want.
Second, we supply indicator terms with the OpenIOC schema. There is really nothing unusual about XML schemas in the IT world today – they are a standard way of communicating information in a machine readable format. But our indicator terms are what have brought us to the forefront of the incident response field. The over 500 types of things that we can look for on hosts and networks are what have made us the leading IR firm in the world today, and we are making that publicly available. The code is already written. You can just use our sets to define your IOCs as you build them. If you find something that is not in there, you have the freedom to add in your own terms. There’s no waiting for the next version or having to revise an entire schema just to add in a definition that you need that we don’t supply.
Third, most people who work in incident response are busy individuals. They’ve heard us speak at conferences, talked to us in person, over the phone or by email. They all say “Wow, that really sounds cool – but I don’t have the <insert some form of resources> to implement that right now.” Even though OpenIOC is in a standard format such as XML, most humans don’t easily take to creating XML documents from scratch. If you are a MANDIANT customer, we take care of this in our product, MANDIANT Intelligent Response. But what if you are not a customer?
To address this need, MANDIANT has released free tools to support the workflow of using OpenIOC and IOCs. In doing this, we hope that we are facilitating for you what we already have in our own IR workflow – the ability to codify human subject matter expertise in a machine-readable format for rapid communication without the delay that humans in the loop usually incurs.
We’ve already released The IOC Editor – it’s been out for a while and MANDIANT followers are familiar with it. It has reduced the chore of building XML from scratch. It understands the logical selectors available inside of OpenIOC, it has most of the indicator terms that MANDIANT supplies included, and allows for the inclusion of others. It allows for comparison of IOCs, can convert IOCs into XPATH queries, and a few other functions. It’s a really nifty tool, but it’s only a part of the workflow. We’ve showed the world how to build an IOC and made that easy, but you still need something to do with it.
Today we are releasing a new tool, IOC Finder. The name pretty much describes the tool, and it may seem simple, but we’re pretty excited about it. With IOC Finder, we’re providing the other end of the workflow. Some of the immense intelligence of what powers our process is now being given to you free of charge. Running IOC Finder on a Windows host, you can take any IOC that you have created and get responses on a large number of the terms that MANDIANT normally looks for.
A command line utility, IOC Finder can be used by first responders to check a host at a time to find evil. It can also be used to create a test host/lab for testing IOCs in whatever supported Windows environment you install it on. Thus, it can be a learning tool, a component in a workflow, or a tool for live response, all in one. And, in long-standing MANDIANT tradition, this free tool is not a throwaway. It’s based on technology that we have been using ourselves that we feel will be useful to others who solve the same problems we do, and our staff will be using it in their tool kits during real engagements for live response.
Even with this, we realize that we have a lot more work ahead of us to show the public what we already know – that OpenIOC fills a critical need for incident responders and is, in fact, critical to automating threat intelligence sharing and empowering responders. In the coming months, we will be releasing more tools and capabilities, and publishing more information to remove the barriers between initial awareness and actual implementation. We’ll have case studies from our customers and other entities that have successfully used OpenIOC as a part of their threat information sharing process, both involving and independent of the MANDIANT product lines. We’ll have better defined technical specifications for people who want to build their own tools but need more guidance than is provided in the schemas that are currently available. And we’ll continue to pass along our advances in solving really hard problems in critically important parts of the information security landscape.
To facilitate this, I’d like to announce the creation of a new website: www.openioc.org. This website is sponsored by MANDIANT, but it is not meant to be a MANDIANT website. It will be a one-stop shop to share information about OpenIOC, and we expect it to grow over time, adding tools for collaboration and interaction. Whether you just want a condensed view of what we are doing with OpenIOC and IOCs, or if you are trying to get traction in your organization and want a place to send curious parties, OpenIOC.org will hopefully give you a quick way of bringing people up to speed and centralizing resources on the topic.
What you see now is just the beginning. As we get more solutions to the problems outlined above and more of the answers you need, we will be posting them at OpenIOC.org, and will encourage others to do the same. As an open standard, other people can create tools for OpenIOC (and in fact some already have), and we hope that they will join us in sharing them with the public.
With the publication of an open standard, indicator definition sets that have powered an industry leading capability, and tools for creating and consumption of indicators so that an actual workflow can be achieved, we’re off to a good start on solving some of the biggest challenges facing the threat detection & incident response industry. We look forward to your feedback so we can make OpenIOC relevant to your organization’s threat information communication needs. We’re in this together, and the solution is bigger than any one entity can provide.