What is an IOC?
Indicators of Compromise, shortened to IOCs, vary quite a bit, but generally consist of the URLs, domain names, IP addresses and file hashes (MD5, SHA256, or fuzzy hashes such as SSDEEP) associated with a particular malware sample.
When we analyse malware, we ‘extract’ the IOCs. In doing so, we want to establish which domains or IPs the malware talks to, what the hash of the original file is, and whether it drops any other files. This information can then be used both to prevent future attacks and to find machines that have already been compromised by the threat.
How useful are IOCs?
IOCs are still extremely useful in 2020. In fact, many antivirus products still rely heavily on a database of IOCs, especially file hashes, to detect malware. This has not fundamentally changed since the first antivirus products appeared on the market and, quite literally, checked files against a list of known signatures. These days, however, many products also look at the file’s behaviour and make a decision based on what the product ‘thinks’ the sample was trying to do.
Malware researchers collect IOCs in large databases, which helps in connecting samples together and recognising them as part of a campaign. This, in turn, can aid the discovery of new malware samples as well as spotting patterns for trends or attribution.
Companies can maintain their own databases of IOCs and add context to them with open source tools like MISP (https://www.misp-project.org/) giving a central point for SOC analysts to search, contextualise and share discovered IOCs. While this is certainly a helpful resource, the structured nature of these tools has led to the development, in some companies, of a culture of “IOC Pokémon” where the focus becomes collecting them all without the necessary context to make them useful. This is what we will discuss next.
When are IOCs not useful?
As noted above, there are times when IOCs are not useful or are not being used in the right way. This includes IOCs without context, false-positive IOCs, and even older IOCs that are no longer an indicator of compromise but are still circulating on the Internet.
IOC Pokémon is what happens when a company becomes obsessed with “catching them all” – the catchphrase from the eponymous series. The focus moves from collating and contextualising this information to simply collecting as many IOCs as possible, as fast as possible, without seeking any context. This leads to a large database of IOCs with nothing to ground them in the threat context, which, over time, increases the number of false positives and causes operational issues.
The modern internet is a shared space: a single IP address, whilst unique, is not necessarily used by just one person or entity. IPs and even domains are often shared by multiple organisations. A prime example of this is a Content Delivery Network (CDN). These networks operate by mirroring content to multiple ‘edge’ servers around the world so the end user can access content more quickly. The IPs in these networks are, therefore, shared by all of the CDN’s customers. If a malware sample calls out to a CDN IP address, that IP can be considered an indicator, but is it malicious? The answer, somewhat frustratingly from a threat intelligence point of view, is that it is both malicious and benign at the same time – it is Schroedinger’s IOC. That is, until we add context. Whilst it will never be possible to say that all traffic to this IP address is malicious, we can say that under certain conditions (such as a connection made by a particular script or file, or a request for a particular URL path) it definitely is. Blocking the bare IP would cut off every legitimate customer of the CDN; detecting the IP together with its context catches the malware.
Hashbusting is a method used by malware developers to avoid hash-based detection. A hash is a fixed-length identifier derived from the content of a file: any file can be hashed and, in theory, no two different files will ever produce the same hash. There are exceptions, of course. Older algorithms such as MD5 and SHA1 have been found to be flawed, and collisions can be generated with enough resources.
Any change to a file’s content, however small, changes its hash completely, so some malware developers alter the smallest, most inconsequential parts of their malware (padding, a timestamp, a few junk bytes) to ensure that every copy has a different hash – thus rendering hash-based detection useless for prevention. Recently, this technique has been leveraged by the Emotet developers. As a result, there are upwards of 10,000 new Emotet hashes being published by researchers every day (see: https://paste.cryptolaemus.com/).
Because each of these hashes is rarely, if ever, seen again, they have little value for blocking. They can still be used retrospectively to find payloads on our systems: a hit at that point, however, is normally a genuine indicator of compromise and only tells us that the system is already infected.
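The following is an added illustration of hashbusting, not code from the original article or from any malware family it mentions. It builds a constructed stand-in for a payload (a fake timestamp header, a fixed code region, and a trailing overlay), produces several variants that differ only in the inconsequential fields, and compares a whole-file SHA-256 blocklist with a hash taken over the code region alone. The byte values, the 8-byte header and the 32-byte overlay are assumptions made for the example; the code-region hash stands in for the kind of content-stable indicator (section hash, imphash, fuzzy hash or YARA rule) that survives this technique.

```python
import hashlib
import struct

# Constructed stand-in for a compiled payload. Only this region carries behaviour;
# a real sample would have a PE header, sections, imports and so on.
CODE = bytes.fromhex(
    "558bec83ec40"   # push ebp; mov ebp, esp; sub esp, 0x40
    "6800000000"     # push <string address>
    "e800000000"     # call <resolve C2>
    "8be55dc3"       # mov esp, ebp; pop ebp; ret
) + b"http://c2.example.invalid/gate.php\x00"

HEADER_LEN = 8     # a fake "build timestamp" field, as found in a PE header
OVERLAY_LEN = 32   # trailing bytes after the last section, never executed


def build_variant(build_id: int) -> bytes:
    """Return one hashbusted copy: identical code, different header timestamp
    and overlay bytes. This mimics a build server that rewrites inconsequential
    fields for every download so that no two victims receive the same file."""
    timestamp = struct.pack("<Q", 1_600_000_000 + build_id)
    overlay = hashlib.sha256(b"junk-%d" % build_id).digest()  # 32 arbitrary bytes
    assert len(overlay) == OVERLAY_LEN
    return timestamp + CODE + overlay


def code_region(sample: bytes) -> bytes:
    """Slice out the part of the file that actually runs."""
    return sample[HEADER_LEN:HEADER_LEN + len(CODE)]


def full_hash(sample: bytes) -> str:
    """The whole-file SHA-256 that most IOC feeds publish."""
    return hashlib.sha256(sample).hexdigest()


def code_hash(sample: bytes) -> str:
    """SHA-256 of the code region only: the stable part the developer cannot
    change without changing behaviour."""
    return hashlib.sha256(code_region(sample)).hexdigest()


def blocklist_hits(blocklist: set, samples) -> int:
    """How many samples a whole-file hash blocklist would catch."""
    return sum(full_hash(s) in blocklist for s in samples)


def demo(n: int = 5) -> dict:
    """Build n variants, blocklist the hash of the first one we 'observed',
    and report how the two kinds of hash behave across the set."""
    variants = [build_variant(i) for i in range(n)]
    blocklist = {full_hash(variants[0])}
    return {
        "distinct_full_hashes": len({full_hash(v) for v in variants}),
        "distinct_code_hashes": len({code_hash(v) for v in variants}),
        "caught_by_blocklist": blocklist_hits(blocklist, variants),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Five variants give five distinct whole-file hashes and a single code hash, and the blocklist built from the first variant catches exactly one of them: the whole-file hash is a reliable after-the-fact confirmation of the copy you already have, not a way to stop the next one.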
Living off the Land Binaries, also known as LOLBins, are programs that are already installed on the victim system. Microsoft Windows comes with a huge array of small programs that are often not seen by a normal user but that the operating system needs to be able to perform certain tasks.
Malware developers can also leverage these LOLBins, however, to perform tasks that help them achieve a successful compromise. Take rundll32.exe, for example: a tiny program that is installed on every Windows system. The OS needs this program to work, so it cannot be removed. rundll32.exe is essentially used to load DLL binaries: a DLL has no entry point that the OS launches on its own, so this little helper program loads it and calls one of its exported functions. What we see quite often is a piece of malware downloading a malicious DLL file and then executing it with rundll32.exe. In this case, rundll32.exe is the process in which the malicious DLL runs and its command line is part of the infection chain, so it shows up as an IOC. But rundll32.exe itself is not malicious.
We have seen instances in which LOLBins are added to lists of IOCs that companies wrongly assume can be loaded directly into ‘blocklists’. A LOLBin like rundll32.exe on one of these lists then triggers on every machine in the network, since legitimate software uses it constantly, and causes major problems, in some cases even taking the entire network offline.
So, are IOCs useful? Certainly. But as we have shown in this article, it takes a lot more than simply collecting them. For IOCs to be used profitably at a threat intelligence level, systems need to be in place to manage the IOC database, enrich the indicators with context, and make them available and easily searchable by your SOC.
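The following is an added example, not code from the original article, that puts the Schroedinger’s IOC and LOLBin points above side by side. It runs a handful of constructed endpoint events (process creations with their command lines and outbound connections) against two indicators, each carrying the context under which a hypothetical analyst observed it: a CDN address in the 203.0.113.0/24 documentation range that is only suspicious when a script host or rundll32 talks to it, and rundll32.exe that is only suspicious when it loads a DLL from a user-writable path. The host names, command lines, IP addresses and the two context condition types are assumptions made for the example; a naive blocklist-style matcher is compared with a matcher that honours the context.

```python
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
Ioc = Dict[str, object]

# Constructed endpoint telemetry, not real logs. 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges; 203.0.113.10 stands in for a shared CDN edge address.
EVENTS: List[Event] = [
    {"host": "ws-01", "process": "chrome.exe",   "cmdline": "chrome.exe --type=renderer",                                           "dst_ip": "203.0.113.10"},
    {"host": "ws-02", "process": "wscript.exe",  "cmdline": "wscript.exe invoice.js",                                               "dst_ip": "203.0.113.10"},
    {"host": "ws-03", "process": "rundll32.exe", "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",         "dst_ip": None},
    {"host": "ws-04", "process": "rundll32.exe", "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,DllRegisterServer", "dst_ip": "203.0.113.10"},
    {"host": "ws-05", "process": "svchost.exe",  "cmdline": "svchost.exe -k netsvcs",                                               "dst_ip": "198.51.100.5"},
]

# Indicators as extracted from a hypothetical sample, each with the context in
# which the analyst saw it. Without the "context" key these are just strings.
IOCS: List[Ioc] = [
    # Schroedinger's IOC: a shared CDN address, malicious only when an unusual process contacts it.
    {"type": "dst_ip", "value": "203.0.113.10",
     "context": {"process_in": ["wscript.exe", "cscript.exe", "rundll32.exe"]}},
    # LOLBin: rundll32.exe itself is benign; the indicator is rundll32 loading a DLL from a user-writable path.
    {"type": "process", "value": "rundll32.exe",
     "context": {"cmdline_contains": "\\appdata\\"}},
]


def naive_match(event: Event, ioc: Ioc) -> bool:
    """Blocklist-style matching: the field equals the value, context ignored."""
    return str(event.get(ioc["type"]) or "").lower() == str(ioc["value"]).lower()


def contextual_match(event: Event, ioc: Ioc) -> bool:
    """Match only when the indicator appears under the conditions it was observed in."""
    if not naive_match(event, ioc):
        return False
    for condition, expected in ioc["context"].items():
        if condition == "process_in":
            if str(event["process"]).lower() not in [p.lower() for p in expected]:
                return False
        elif condition == "cmdline_contains":
            if str(expected).lower() not in str(event["cmdline"]).lower():
                return False
        else:
            raise ValueError(f"unknown context condition: {condition}")
    return True


def match_events(events: List[Event], iocs: List[Ioc],
                 matcher: Callable[[Event, Ioc], bool]) -> List[Tuple[str, str]]:
    """Return (host, indicator value) pairs that the given matcher flags."""
    return [(str(ev["host"]), str(ioc["value"]))
            for ev in events for ioc in iocs if matcher(ev, ioc)]


def affected_hosts(hits: List[Tuple[str, str]]) -> List[str]:
    """Distinct hosts that would receive an alert (or a block)."""
    return sorted({host for host, _ in hits})


if __name__ == "__main__":
    print("naive      :", affected_hosts(match_events(EVENTS, IOCS, naive_match)))
    print("contextual :", affected_hosts(match_events(EVENTS, IOCS, contextual_match)))
```

The naive matcher flags four of the five hosts, including the browser fetching content from the CDN and the system’s own use of rundll32.exe from System32, which is exactly the network-wide noise the paragraph above describes. The contextual matcher flags only ws-02 and ws-04, the two hosts where the indicator appears in the circumstances under which it was actually observed to be malicious.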
Do you need to collect them all? Not at all. It is crucial that you focus on what matters to your systems first, get that right, and only then look at becoming the best Pokémon trainer IOC collector you can be!