Indicators of Compromise

Indicators of Compromise (IOC), as they are commonly known, are the symptoms that confirm the presence of the malware malady. Essentially, from a network forensics perspective, these are artifacts (or remnants of an intrusion) that, when discovered on a system or network, indicate a compromise with a high degree of confidence. There are malware-specific IOCs, and specialized tools such as YARA (http://plusvic.github.io/yara/) help to identify the presence of malware by searching for these IOCs.

Typically, IOC include known rogue IP addresses, virus signatures, MD5 hashes of malware, known bad URLs or domain names, and so on.

To promote standardization, a number of open frameworks are available. However, no framework can claim to be the de facto standard. The two most important frameworks are as follows:

  • OpenIOC: This stands for Open Indicators of Compromise. This framework is promoted by Mandiant and is available at http://www.openioc.org/. It is a simple XML framework built with the objective of documenting and characterizing intrusion artifacts located on a host or a network.
  • CybOX™: This stands for Cyber Observable eXpression. CybOX is a US Department of Homeland Security (DHS)-led effort. CybOX also uses an XML schema to describe cyber observables. CybOX is available at https://cyboxproject.github.io/.

Indicators of compromise can include the following components:

  • E-mails from a specific IP address
  • Network traffic to a specific IP address
  • Registry key creation
  • File deletion
  • Known HTTP GET request received
  • File found to match with a known MD5 hash
  • Data sent to an address on a socket
  • A found mutex
  • Application-specific logs show communications on specific ports
  • A known file's MD5 hash value has changed
  • Known bad URLs or domains are detected
  • The configuration of a service has changed
  • A remote thread has been created
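To make the OpenIOC framework and the component list above concrete, here is an added example (not code from the book or from the OpenIOC project) that parses a small OpenIOC-style definition and evaluates it against observations gathered from a host. The XML values (MD5 hash, domain, mutex name), the `search` paths and the `observations` layout are constructed for illustration; the Indicator/IndicatorItem/Context/Content layout and the namespace are assumed from the OpenIOC 1.0 schema.

```python
import xml.etree.ElementTree as ET
# Constructed OpenIOC-style definition with hypothetical values (assumption: the
# Indicator / IndicatorItem / Context / Content layout of the OpenIOC 1.0 schema).
IOC_XML = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context search="FileItem/Md5sum"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="is">
          <Context search="Network/DNS"/>
          <Content type="string">bad.example.invalid</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains">
          <Context search="ProcessItem/HandleList/Handle/Name"/>
          <Content type="string">ExampleMutex</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}
def item_matches(item, observations):
    """Test one IndicatorItem against observations: {search_path: [seen values]}.
    Comparison is case-insensitive here, a simplification of the real schema."""
    search = item.find("ioc:Context", NS).get("search")
    wanted = item.find("ioc:Content", NS).text.strip().lower()
    cond = item.get("condition")
    for seen in observations.get(search, []):
        seen = seen.lower()
        if (cond == "is" and seen == wanted) or (cond == "contains" and wanted in seen):
            return True
    return False
def indicator_matches(node, observations):
    """Combine child results with the node's AND/OR operator, recursing into nested Indicators."""
    results = []
    for child in node:
        if child.tag.endswith("}IndicatorItem"):
            results.append(item_matches(child, observations))
        elif child.tag.endswith("}Indicator"):
            results.append(indicator_matches(child, observations))
    # An Indicator with no children never matches (all([]) would otherwise be True).
    return bool(results) and (all(results) if node.get("operator") == "AND" else any(results))
def evaluate(ioc_xml, observations):
    """Return True when the observations satisfy the IOC's top-level Indicator."""
    root = ET.fromstring(ioc_xml)
    return indicator_matches(root.find("ioc:definition/ioc:Indicator", NS), observations)
```

A matching file hash alone satisfies the OR branch, while the nested AND branch requires both the DNS lookup and the mutex handle to be observed together.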

IOCs, once identified, provide very effective inputs for IDS and IPS and can also be used to configure firewall rules. Therefore, any planned incident response activity should definitely proceed beyond the remediation stage so that the IOCs can be identified and fed back into the prevention and detection infrastructure, so that the organization does not suffer a repeat attack.
