WEBVTT

0:00:03.880000 --> 0:00:10.800000
 Indicators of compromise, or IOCs
 as they are referred to in terms

0:00:10.800000 --> 0:00:13.320000
 of the abbreviated form.

0:00:13.320000 --> 0:00:18.020000
 So in this video we're going to be getting
 an introduction to indicators

0:00:18.020000 --> 0:00:24.480000
 of compromise or in a singular sense
 an indicator of compromise.

0:00:24.480000 --> 0:00:28.280000
 So we're going to get an understanding
 of what indicators of compromise

0:00:28.280000 --> 0:00:37.180000
 are, what they are used for, how they
 are used, and how they are identified.

0:00:37.180000 --> 0:00:42.680000
 And then in the next video we'll be
 taking a look at analyzing IOCs as

0:00:42.680000 --> 0:00:48.240000
 well as enriching them and the value
 to you if it isn't already obvious

0:00:48.240000 --> 0:00:56.380000
 as an incident responder will become
 apparent or obvious as we go through

0:00:56.380000 --> 0:00:58.340000
 this video as well as the other one.

0:00:58.340000 --> 0:01:02.680000
 But with that being said let's get
 started and the best place to start

0:01:02.680000 --> 0:01:07.900000
 is to again start at the beginning
 what is an indicator of compromise

0:01:07.900000 --> 0:01:15.420000
 or in a plural sense what are
 indicators of compromise.

0:01:15.420000 --> 0:01:20.440000
 An indicator of compromise which
 is usually abbreviated as an IOC.

0:01:20.440000 --> 0:01:28.360000
 So all uppercase, or even IoC with a
 lowercase O, is a piece of forensic

0:01:28.360000 --> 0:01:35.160000
 data that suggests or indicates as the
 name would suggest that an endpoint

0:01:35.160000 --> 0:01:38.440000
 or network may have been breached.

0:01:38.440000 --> 0:01:43.700000
 Generally speaking IOCs are indicative
 of potentially malicious activity

0:01:43.700000 --> 0:01:46.020000
 on a system or network.

0:01:46.020000 --> 0:01:52.580000
 So IOCs essentially serve as clues
 that security professionals use to

0:01:52.580000 --> 0:01:58.900000
 detect, investigate and respond to malicious
 activity or cyber threats.

0:01:58.900000 --> 0:02:03.140000
 For example data breaches, ransomware
 attacks or even insider threats

0:02:03.140000 --> 0:02:10.420000
 and IOCs really help you answer questions
 like has a particular system

0:02:10.420000 --> 0:02:14.060000
 been compromised hence the name
 indicator of compromise.

0:02:14.060000 --> 0:02:18.940000
 The other type of question would be
 what type of attack took place or what

0:02:18.940000 --> 0:02:24.600000
 type of attack is this and another question
 would be what other systems

0:02:24.600000 --> 0:02:25.960000
 might be affected.

0:02:25.960000 --> 0:02:32.920000
 So in essence these questions serve as
 criteria for correctly classifying

0:02:32.920000 --> 0:02:39.860000
 an event correctly classifying an event
 as an indicator of compromise.

0:02:39.860000 --> 0:02:43.980000
 So if they can answer questions like
 these then they are indicators of

0:02:43.980000 --> 0:02:49.560000
 compromise. So that's really simply put
 that's what an indicator of compromise

0:02:49.560000 --> 0:02:53.200000
 is. Now there's a lot more to indicators
 of compromise, as you've probably

0:02:53.200000 --> 0:02:59.040000
 guessed or you've probably intuited
 and we'll get to that.

0:02:59.040000 --> 0:03:07.700000
 So the reason why I'm trying to ensure
 that we start off simple is because

0:03:07.700000 --> 0:03:18.360000
 IOCs are quite wide in terms of their
 breadth and the various

0:03:18.360000 --> 0:03:22.220000
 types of activity that they relate to
 that you need to sort of start off

0:03:22.220000 --> 0:03:30.260000
 or the best place that I found
 to start with is to use it or

0:03:30.260000 --> 0:03:35.740000
 to define indicators of compromise
 based on what they are supposed to

0:03:35.740000 --> 0:03:39.580000
 tell us or what they're telling us and
 again you can sort of invert that

0:03:39.580000 --> 0:03:49.100000
 and use questions to determine whether
 a particular log or event is an

0:03:49.100000 --> 0:03:53.540000
 indicator of compromise or whether it indicates
 compromise then the questions

0:03:53.540000 --> 0:03:55.780000
 I've listed here are a
 good place to start.

0:03:55.780000 --> 0:03:57.820000
 So I just wanted to start here.

0:03:57.820000 --> 0:04:01.080000
 Now let's take it to the next level.

0:04:01.080000 --> 0:04:06.680000
 So when we talk about detecting indicators
 of compromise it's very important

0:04:06.680000 --> 0:04:10.400000
 for you to understand that
 this is reactive right?

0:04:10.400000 --> 0:04:11.580000
 What do I mean by that?

0:04:11.580000 --> 0:04:17.100000
 Well by the time an indicator is discovered
 it's often a sign that a compromise

0:04:17.100000 --> 0:04:20.860000
 has already occurred and you've probably
 intuited that as well because

0:04:20.860000 --> 0:04:25.380000
 again as the name suggests it
 is an indicator of compromise.

0:04:25.380000 --> 0:04:30.840000
 Now you may also be asking yourself well
 Alexis I don't really agree with

0:04:30.840000 --> 0:04:36.160000
 you there because an indicator of compromise
 does not necessarily indicate

0:04:36.160000 --> 0:04:42.640000
 that compromise is quite advanced in
 terms of the attack life cycle or

0:04:42.640000 --> 0:04:47.860000
 kill chain. It may be an indicator
 of initial access and you're right

0:04:47.860000 --> 0:04:52.860000
 that's absolutely correct and that's
 why I wanted to start off very slow

0:04:52.860000 --> 0:04:55.940000
 and then ramp up in terms of
 your understanding of IOCs.

0:04:55.940000 --> 0:05:01.940000
 So as my next point suggests here if
 detection happens while the threat

0:05:01.940000 --> 0:05:07.760000
 is still unfolding or has just begun
 unfolding timely recognition of an

0:05:07.760000 --> 0:05:13.660000
 IOC can significantly mitigate damage by
 obviously enabling faster containment

0:05:13.660000 --> 0:05:17.640000
 and disruption of the
 attacker's operations.

0:05:17.640000 --> 0:05:22.820000
 Now to sort of counter that point with
 the advancement of threat actors

0:05:22.820000 --> 0:05:29.120000
 the ability to and the keyword is reliably
 the ability to reliably detect

0:05:29.120000 --> 0:05:35.220000
 IOCs has obviously become
 increasingly challenging.

0:05:35.220000 --> 0:05:41.120000
 So when we talk about IOCs and the common
 indicators like let's say MD5

0:05:41.120000 --> 0:05:47.720000
 file hashes, command and control domains,
 static IP addresses or IP blocks,

0:05:47.720000 --> 0:05:52.440000
 registry modifications and known file
 names these are going to be you

0:05:52.440000 --> 0:05:56.780000
 know frequently rotated or obfuscated
 therefore diminishing their lifespan

0:05:56.780000 --> 0:06:00.920000
 or their value as an indicator of compromise
 and complicating detection

0:06:00.920000 --> 0:06:06.260000
 efforts. So you may still have a fuzzy
 understanding of what an IOC is

0:06:06.260000 --> 0:06:10.740000
 you know based on what I've covered
 in the two slides but again there's

0:06:10.740000 --> 0:06:12.100000
 a good reason for this.

0:06:12.100000 --> 0:06:19.320000
 So I'll use the most basic of example
 and we'll talk about you know IOC

0:06:19.320000 --> 0:06:23.720000
 sharing or threat intelligence
 sharing in the form of IOCs.

0:06:23.720000 --> 0:06:30.300000
 When a new malware strain is discovered
 and analyzed a lot of the companies

0:06:30.300000 --> 0:06:36.920000
 firms or organizations that you know
 perform you know malware analysis

0:06:36.920000 --> 0:06:43.380000
 or threat intelligence in general will
 provide an IOC or will share it

0:06:43.380000 --> 0:06:48.040000
 via threat intelligence sharing platforms
 with you know the the public

0:06:48.040000 --> 0:06:53.860000
 if they want to do so, or it
 could be part of their closed

0:06:53.860000 --> 0:06:57.140000
 source threat intelligence that
 they sell to companies.

0:06:57.140000 --> 0:07:02.180000
 The bottom line is that when they share
 this intelligence or the results

0:07:02.180000 --> 0:07:06.280000
 of their analysis with regards to let's
 say a strain of malware what they

0:07:06.280000 --> 0:07:12.420000
 usually share as part of that is something
 like a malware hash

0:07:12.420000 --> 0:07:19.040000
 or signature, and that is, to put it
 simply an indicator of compromise

0:07:19.040000 --> 0:07:25.740000
 in that you can take that hash and use
 it in your detection or to create

0:07:25.740000 --> 0:07:29.960000
 a detection rule as it were with something
 like YARA, for example, which

0:07:29.960000 --> 0:07:34.820000
 I know we haven't gotten into but you
 can essentially take that indicator

0:07:34.820000 --> 0:07:39.660000
 of compromise specific to that strain
 of malware and you can incorporate

0:07:39.660000 --> 0:07:44.320000
 it into your detection, a form of detection
 engineering you know writing

0:07:44.320000 --> 0:07:50.300000
 a rule etc. So that now your organization
 can actually detect that particular

0:07:50.300000 --> 0:07:57.540000
 indicator of compromise or that activity
 you know, that IOC represents

0:07:57.540000 --> 0:08:01.480000
 in this case in the case of the example
 I gave you a strain of malware

0:08:01.480000 --> 0:08:07.860000
 so hopefully it's become clearer now.
 You may be asking, well, you've

0:08:07.860000 --> 0:08:12.440000
 given us one example of an IOC could
 you be a bit more specific or could

0:08:12.440000 --> 0:08:17.580000
 you give us more and yes I will but before
 we do that we need to understand

0:08:17.580000 --> 0:08:22.080000
 the categorizations or the types of
 indicators of compromise now before

0:08:22.080000 --> 0:08:27.260000
 we do that I want to sort of summarize
 my explanation of what indicators

0:08:27.260000 --> 0:08:32.360000
 of compromise are in this slide so one
 of the examples or analogies that

0:08:32.360000 --> 0:08:36.740000
 I like using whenever I'm teaching
 this you know specifically IOCs or

0:08:36.740000 --> 0:08:41.740000
 introducing IOCs is to use the analogy
 of breadcrumbs right and Hansel

0:08:41.740000 --> 0:08:45.540000
 and Gretel and all of that stuff but
 I've sort of changed it a little

0:08:45.540000 --> 0:08:49.880000
 bit so just let's take the example
 here so just like breadcrumbs in a

0:08:49.880000 --> 0:08:55.020000
 forest can lead you back to where someone
 has been or where you came from

0:08:55.020000 --> 0:09:01.020000
 IOCs are the digital traces that attackers
 leave behind during or after

0:09:01.020000 --> 0:09:06.940000
 a compromise or a breach so this is
 very important and the IOCs can be

0:09:06.940000 --> 0:09:13.160000
 used in different ways from the point
 of preventative or let's say from

0:09:13.160000 --> 0:09:18.680000
 the perspective of detection you can
 take, you know, publicly accessible

0:09:18.680000 --> 0:09:24.900000
 or shared IOCs and incorporate them
 into your detection capabilities to

0:09:24.900000 --> 0:09:29.140000
 detect known indicators of compromise
 let's say tied to a particular threat

0:09:29.140000 --> 0:09:33.720000
 actor or APT group right that's one aspect
 then there's also another aspect

0:09:33.720000 --> 0:09:39.140000
 which we'll get to shortly building
 on the analogy these breadcrumbs and

0:09:39.140000 --> 0:09:43.380000
 this is where I tell you what you know
 give you some examples of IOCs

0:09:43.380000 --> 0:09:49.880000
 so these breadcrumbs think of IP addresses
 file hashes URLs registry changes

0:09:49.880000 --> 0:09:57.640000
 don't always tell the full story but
 when followed they can lead defenders

0:09:57.640000 --> 0:10:03.320000
 to the source impact and scope of a breach
 and this is very very important

0:10:03.320000 --> 0:10:09.640000
 for you to understand so just as I mentioned
 in the first clause of the

0:10:09.640000 --> 0:10:14.360000
 second paragraph here I said you know
 these breadcrumbs and I went on

0:10:14.360000 --> 0:10:19.620000
 to provide you the examples of what
 breadcrumbs could be or are in this

0:10:19.620000 --> 0:10:25.500000
 case IP addresses file hashes URLs registry
 changes etc. When I said

0:10:25.500000 --> 0:10:28.520000
 that you may have been thinking well
 that really doesn't tell us anything

0:10:28.520000 --> 0:10:32.880000
 what would an IP address tell us is that
 really an indicator of compromise

0:10:32.880000 --> 0:10:38.480000
 well if you look at it from that perspective
 then no but and this is sort

0:10:38.480000 --> 0:10:44.900000
 of the key point when followed or to use
 the term that's going to be that's

0:10:44.900000 --> 0:10:51.500000
 going to form the title of the next
 video when you analyze IOCs and will

0:10:51.500000 --> 0:10:54.620000
 not get into enrichment, but
 that's part of the process but when

0:10:54.620000 --> 0:10:59.480000
 you analyze IOCs and you ask yourself
 the question or you essentially

0:10:59.480000 --> 0:11:04.800000
 follow the IOC down the road and see
 where it leads you it can tell you

0:11:04.800000 --> 0:11:10.440000
 a lot more about where the attack came
 from so the source what the impact

0:11:10.440000 --> 0:11:15.560000
 is and the you know the scope of the
 breach so an IP address in and of

0:11:15.560000 --> 0:11:20.520000
 itself, just looking at it within a SIEM,
 doesn't tell you much right but

0:11:20.520000 --> 0:11:23.860000
 that is an indicator of compromise if it's
 associated with you know malicious

0:11:23.860000 --> 0:11:30.200000
 activity right and what you are going
 to need to do is you're going to

0:11:30.200000 --> 0:11:36.620000
 need to ask yourself a couple of questions
 with regards to you know using

0:11:36.620000 --> 0:11:41.180000
 or effectively leveraging IOCs you're
 going to have to ask yourself a

0:11:41.180000 --> 0:11:45.740000
 question like well is this IP address
 known to be malicious or involved

0:11:45.740000 --> 0:11:50.860000
 in other breaches and then the next
 question you may be asking yourself

0:11:50.860000 --> 0:12:00.720000
 is how can we do that exactly and again
 for those of you but for those

0:12:00.720000 --> 0:12:06.140000
 of you who are getting into you know
 the blue team and you know in general

0:12:06.140000 --> 0:12:10.240000
 but incident response specifically, this
 is very very important it's sort

0:12:10.240000 --> 0:12:15.320000
 of a you need to have your methodology
 right or your mindset right before

0:12:15.320000 --> 0:12:21.940000
 any of these will sort of reveal their
 value to you from the

0:12:21.940000 --> 0:12:26.900000
 perspective of detection right but
 with that being said let's proceed

0:12:26.900000 --> 0:12:34.520000
 and let me sort of massage my explanation
 of IOCs by providing you with

0:12:34.520000 --> 0:12:39.700000
 their, you know, the context, or rather the
 relevancy of IOCs within cybersecurity

0:12:39.700000 --> 0:12:45.460000
 in general right so as I've mentioned IOCs
 are sort of the digital footprints

0:12:45.460000 --> 0:12:50.540000
 of threat actors or you know attackers
 or criminals and their role in

0:12:50.540000 --> 0:12:55.600000
 cybersecurity can be grouped into the
 following so A or number one in

0:12:55.600000 --> 0:13:03.480000
 detection IOCs enable automated tools
 like SIEMs, EDRs, firewalls, etc. to

0:13:03.480000 --> 0:13:08.620000
 flag or block known threats the keyword
 there or the two keywords there

0:13:08.620000 --> 0:13:13.260000
 are known threats okay an example here
 would be if an endpoint connects

0:13:13.260000 --> 0:13:19.300000
 to a known malicious IP and that IP
 which is an indicator of compromise

0:13:19.300000 --> 0:13:25.780000
 and that determination
 has been arrived at because again

0:13:25.780000 --> 0:13:30.900000
 it was classified as an IOC or an indicator
 of compromise because that

0:13:30.900000 --> 0:13:36.020000
 IP, well, is publicly known to have been
 involved in other breaches, then

0:13:36.020000 --> 0:13:40.620000
 the SIEM automatically generates an
 alert so that's the relevancy there

0:13:40.620000 --> 0:13:45.560000
 with regards to detection then in the
 context of investigation and triage

0:13:45.560000 --> 0:13:51.180000
 which is the section of the course we're
 in analysts use IOCs to triage

0:13:51.180000 --> 0:13:55.860000
 alerts determining if they are true
 positives and you'll see exactly how

0:13:55.860000 --> 0:14:01.420000
 this is done shortly and an example
 here would be a file hash found in

0:14:01.420000 --> 0:14:07.060000
 an alert is verified on a platform
 like VirusTotal and found to be a

0:14:07.060000 --> 0:14:13.200000
 known RAT, remote access Trojan. Just,
 a RAT is a, you know, piece of malware

0:14:13.200000 --> 0:14:17.680000
 that's used to remotely control computers,
 or that attackers use to remotely

0:14:17.680000 --> 0:14:22.880000
 control computers that they've compromised
 right so you can start to understand

0:14:22.880000 --> 0:14:27.600000
 you know why IOCs are very important
 and then you have threat hunting

0:14:27.600000 --> 0:14:33.880000
 and intelligence so advanced teams utilize
 IOCs to search for hidden threats

0:14:33.880000 --> 0:14:39.780000
 and pivot to discover related activity
 so let's say a new strain of malware

0:14:39.780000 --> 0:14:46.480000
 is, you know, analyzed and there's
 an IOC well you can use that IOC to

0:14:46.480000 --> 0:14:52.740000
 perform threat hunting to see whether
 within the organization that

0:14:52.740000 --> 0:14:59.060000
 IOC was, whether any logs or events actually
 matched you know that particular

0:14:59.060000 --> 0:15:04.480000
 IOC because it's new and you know the
 fact that you hadn't built in that

0:15:04.480000 --> 0:15:09.100000
 IOC into your detection rules you may
 have missed it and that's what threat

0:15:09.100000 --> 0:15:13.700000
 hunting is all about in any case IOC
 enrichment can tie malicious activity

0:15:13.700000 --> 0:15:19.480000
 to threat actors or campaigns and then finally
 incident response and remediation

0:15:19.480000 --> 0:15:24.460000
 so during an incident IOCs are crucial
 to scoping the extent of the compromise

0:15:24.460000 --> 0:15:29.720000
 and they also assist in blocking the threat
 via firewall rules AV signatures

0:15:29.720000 --> 0:15:35.420000
 etc so indicators of compromise are
 very very important in cybersecurity

0:15:35.420000 --> 0:15:41.800000
 and this right here you know the involvement
 in each of these phases not

0:15:41.800000 --> 0:15:46.820000
 necessarily related to and not made
 specific to incident response, sort

0:15:46.820000 --> 0:15:50.360000
 of shows you why I wanted to start off
 slow and then slowly build up as

0:15:50.360000 --> 0:15:54.400000
 your understanding gets better, and I hope
 your understanding is improving as

0:15:54.400000 --> 0:15:59.400000
 we're progressing in this video so
 that brings us now to the types of

0:15:59.400000 --> 0:16:05.220000
 IOCs right and a lot of people when
 explaining IOCs what they are and

0:16:05.220000 --> 0:16:10.440000
 providing examples like jumping directly
 into the common example so IP

0:16:10.440000 --> 0:16:15.580000
 addresses etc but again that's not the
 correct way of understanding IOCs

0:16:15.580000 --> 0:16:19.440000
 and that's not the way you're going
 to be interacting with them because

0:16:19.440000 --> 0:16:28.080000
 IOCs, given, you know, the actual,
 given what IOC represents, indicator

0:16:28.080000 --> 0:16:34.140000
 of compromise could represent you know
 an indicator of compromise on multiple

0:16:34.140000 --> 0:16:39.900000
 levels at a network level file system
 level so on and so forth and as

0:16:39.900000 --> 0:16:43.020000
 a result you need to start with that
 in mind so let's start off with the

0:16:43.020000 --> 0:16:48.980000
 first type of IOCs by the way this is
 not sorted by importance it's just

0:16:48.980000 --> 0:16:52.780000
 you know the natural starting point
 so we have network-based indicators

0:16:52.780000 --> 0:16:59.820000
 of compromise so these indicators are
 as their name suggests are observed

0:16:59.820000 --> 0:17:05.520000
 in network traffic and are often the first
 signs of suspicious or malicious

0:17:05.520000 --> 0:17:09.800000
 activity and that makes sense right
 the first sign of anything malicious

0:17:09.800000 --> 0:17:13.740000
 is going to be at the network level
 and some examples would be you know

0:17:13.740000 --> 0:17:18.220000
 IP addresses linked to threat actors
 or command and control servers that's

0:17:18.220000 --> 0:17:23.440000
 quite common domain names or URLs used
 in phishing malware delivery or

0:17:23.440000 --> 0:17:27.040000
 call back infrastructure that's related
 to you know command and control

0:17:27.040000 --> 0:17:38.780000
 infrastructure unusual port usage that's
 quite common so for again in

0:17:38.780000 --> 0:17:44.100000
 this day and age when you see that, that's
 a dead ringer, but of course you

0:17:44.100000 --> 0:17:49.820000
 need to analyze and that's sort of the
 the key thing that I want to point

0:17:49.820000 --> 0:17:54.760000
 out in any case another example would
 be C2 beaconing patterns, so you

0:17:54.760000 --> 0:17:59.020000
 see you know regular low volume outbound
 traffic indicating C2 communication

0:17:59.020000 --> 0:18:05.320000
 this is again another day when you see
 stuff like that especially regular

0:18:05.320000 --> 0:18:10.540000
 consistent sort of consistent traffic
 of the same type coming from the

0:18:10.540000 --> 0:18:14.900000
 same system or going to a particular server
 egress traffic, you probably

0:18:14.900000 --> 0:18:20.320000
 want to analyze that a little bit closer
 the use cases here are you know

0:18:20.320000 --> 0:18:26.360000
 easily detected by firewalls, intrusion
 detection systems (IDS/IPS), and

0:18:26.360000 --> 0:18:31.200000
 proxy logs, and you know IOCs in this
 case can be very useful for blocking

0:18:31.200000 --> 0:18:35.740000
 outbound threats and identifying lateral
 movement and the limitations

0:18:35.740000 --> 0:18:43.160000
 of network-based IOCs in terms of, you
 know detection for example are a

0:18:43.160000 --> 0:18:48.520000
 evasive techniques like domain fluxing
 fast flux hosting or IP rotation

0:18:48.520000 --> 0:18:57.240000
 reduce reliability. So in the context
 of IOCs like IP addresses and

0:18:57.240000 --> 0:19:01.520000
 sort of correlating that to the increasing
 advancement of threat actors

0:19:01.520000 --> 0:19:06.560000
 or APT groups as well as the consequent
 improvement to their infrastructure

0:19:06.560000 --> 0:19:11.360000
 that they set up they'll probably not
 be using the same IP addresses or

0:19:11.360000 --> 0:19:16.120000
 IP blocks for attacks, right? What
 you're starting to see now is there's

0:19:16.120000 --> 0:19:21.660000
 you know either reuse of different
 addresses but that also started to

0:19:21.660000 --> 0:19:25.660000
 change because after a while it's fairly
 easy to you know to attribute

0:19:25.660000 --> 0:19:30.580000
 a certain IPs no matter the number to
 a particular threat actor but now

0:19:30.580000 --> 0:19:36.460000
 you know, APT groups are actually
 starting to do this where they you

0:19:36.460000 --> 0:19:40.500000
 know never use the same IP address
 or the same cloud hosting provider

0:19:40.500000 --> 0:19:46.480000
 for their VPSs or their C2 infrastructure,
 again or they don't use them

0:19:46.480000 --> 0:19:52.320000
 more than once, and so IOCs, you know, an
 IP-based or network-based IOC that

0:19:52.320000 --> 0:19:58.960000
 you know was functional a while back
 is now irrelevant because that same

0:19:58.960000 --> 0:20:05.500000
 threat actor does not use you know
 those the IP addresses or IP blocks

0:20:05.500000 --> 0:20:09.640000
 that have been flagged as malicious
 another limitation is that encrypted

0:20:09.640000 --> 0:20:13.820000
 traffic may obscure payloads or specific
 indicators and this again ties

0:20:13.820000 --> 0:20:18.900000
 down to the increasing complexity or
 the advancement of threat actors

0:20:18.900000 --> 0:20:23.020000
 and APT groups and they don't even necessarily
 need to be that advanced

0:20:23.020000 --> 0:20:29.140000
 a lot of C2 frameworks for example now
 allow you to well they've always

0:20:29.140000 --> 0:20:34.080000
 allowed you but it's fairly easy now
 to, you know, set up an SSL cert and

0:20:34.080000 --> 0:20:38.400000
 encrypt the traffic so whereas you
 may find you know some interesting

0:20:38.400000 --> 0:20:44.200000
 traffic you know some interesting outbound
 traffic analyzing it from the

0:20:44.200000 --> 0:20:50.100000
 perspective is going to be almost impossible
 because the traffic is encrypted

0:20:50.100000 --> 0:20:53.460000
 so when it's encrypted you don't really
 you can't really confirm and say

0:20:53.460000 --> 0:20:57.200000
 hey this is definitely malicious because
 I can see commands being sent

0:20:57.200000 --> 0:21:03.200000
 in you know and we can see the callback
 is sending information that is

0:21:03.200000 --> 0:21:07.360000
 indicative of a C2 callback in any case
 those are the limitations I don't

0:21:07.360000 --> 0:21:11.100000
 want to dive too deep into the nitty
 gritty here but then you have your

0:21:11.100000 --> 0:21:15.380000
 file based IOCs these are very common
 you probably think of IOCs in this

0:21:15.380000 --> 0:21:20.280000
 context so these relate to specific files
 or file characteristics associated

0:21:20.280000 --> 0:21:25.200000
 with malicious software or activity
 in general right and examples would

0:21:25.200000 --> 0:21:31.740000
 be file hashes so think of MD5 file hashes
 SHA-1, SHA-256 or known malware

0:21:31.740000 --> 0:21:36.980000
 or droppers right and another example
 would be suspicious file names or

0:21:36.980000 --> 0:21:41.980000
 file paths, as we took a look at when
 we were going through the effectively

0:21:41.980000 --> 0:21:50.780000
 using L-collab, you
 know, we were essentially performing

0:21:50.780000 --> 0:21:56.480000
 these types of searches and based on what
 we found or you know the searches

0:21:56.480000 --> 0:22:01.080000
 that we were creating for malicious activity
 we could then create an indicator

0:22:01.080000 --> 0:22:04.800000
 of compromise or you know what we found
 would be considered an indicator

0:22:04.800000 --> 0:22:10.700000
 of compromise it just needed to be operationalized
 or utilized as an indicator

0:22:10.700000 --> 0:22:15.440000
 of compromising the form of a detection
 rule but you know think of suspicious

0:22:15.440000 --> 0:22:22.380000
 file names or file paths like AppData\badfile.exe
 or, quite commonly,

0:22:22.380000 --> 0:22:35.900000
 the Temp folder in Windows, you know,
 the root of... Another example would

0:22:35.900000 --> 0:22:40.480000
 be digital certificates used to sign malware
 so especially reused or stolen

0:22:40.480000 --> 0:22:46.420000
 ones, file size or metadata anomalies,
 so think of, you know, large hidden

0:22:46.420000 --> 0:22:52.020000
 files those are very good quite common
 indicators of compromise or as

0:22:52.020000 --> 0:22:56.560000
 you'd say let me be specific file based
 indicators of compromise so the

0:22:56.560000 --> 0:23:02.740000
 use cases of file-based IOCs are, you know,
 very useful for identifying

0:23:02.740000 --> 0:23:07.360000
 and blocking known malware not unknown
 unless you're analyzing malware

0:23:07.360000 --> 0:23:11.820000
 yourself and your organization actually
 does that but if it's not known

0:23:11.820000 --> 0:23:18.800000
 then there's no hash there's no IOC
 then you know it's only useful for

0:23:18.800000 --> 0:23:25.680000
 verifying and blocking known malware
 then you have you know the fact that

0:23:25.680000 --> 0:23:29.980000
 it can be scanned for at scale across
 endpoints or mail systems that is

0:23:29.980000 --> 0:23:34.780000
 correct and self-explanatory now the
 limitations of file based IOCs are

0:23:34.780000 --> 0:23:40.220000
 that A they're highly volatile which
 I already explained early on the

0:23:40.220000 --> 0:23:45.200000
 fact that you know attackers or threat
 actors change the malware they're

0:23:45.200000 --> 0:23:50.540000
 using or make very small adjustments
 to the code in the malware will mean

0:23:50.540000 --> 0:23:54.840000
 it's the same malware right but if
 they make a small change to it that

0:23:54.840000 --> 0:24:01.380000
 changes the hash of that malware and
 now your IOC or your detection rule

0:24:01.380000 --> 0:24:08.160000
 that's based on an IOC of the very same
 piece of malware you know is not

0:24:08.160000 --> 0:24:12.580000
 going to work because the attackers
 changed the malware ever so slightly

0:24:12.580000 --> 0:24:18.500000
 even just removing you know one word
 or one line of code will change the

0:24:18.500000 --> 0:24:24.900000
 hash of that you know piece of malware
 or executable and that's one of

0:24:24.900000 --> 0:24:29.860000
 the limitations that's quite common right
 another limitation is that adversaries

0:24:29.860000 --> 0:24:34.560000
 often use polymorphic or packed malware
 to bypass hash based detection

0:24:34.560000 --> 0:24:39.980000
 which is sort of what I was alluding
 to so that's those are file based

0:24:39.980000 --> 0:24:45.440000
 IOCs and then you have behavioral IOCs
 right so these as the name suggests

0:24:45.440000 --> 0:24:50.720000
 are patterns of activity or anomalies that
 suggest malicious intent regardless

0:24:50.720000 --> 0:24:56.240000
 of the specific tools or files used
 so what does that mean exactly well

0:24:56.240000 --> 0:25:01.800000
 let's take a look at some examples so
 think of patterns of activity and

0:25:01.800000 --> 0:25:09.900000
 you'll sort of intuit or infer what
 you know you'll sort of be able to

0:25:09.900000 --> 0:25:15.540000
 deduce examples of behavioral IOCs
 one of which here would be abnormal

0:25:15.540000 --> 0:25:22.220000
 login activity so logins think of logins
 from new geolocations at odd

0:25:22.220000 --> 0:25:27.380000
 hours right that is an indicator of
 compromise, a behavioral indicator of

0:25:27.380000 --> 0:25:31.380000
 compromise you then have unexpected
 process behavior so word launching

0:25:31.380000 --> 0:25:36.080000
 PowerShell, whoa, what's that about? Word
 should never be launching PowerShell

0:25:36.080000 --> 0:25:41.680000
 unless unless of course someone wants
 to execute something and if you

0:25:41.680000 --> 0:25:45.700000
 know, you ask yourself the
 question: is this really common

0:25:45.700000 --> 0:25:51.300000
 in the environment that I'm monitoring
 do accountants need their Word

0:25:51.300000 --> 0:25:56.460000
 or Excel documents to be running macros
 that then execute PowerShell or

0:25:56.460000 --> 0:26:00.340000
 launch PowerShell and then execute some
 very interesting scripts probably

0:26:00.340000 --> 0:26:06.500000
 not so behavioral IOC there another
 example lateral movement behavior

0:26:06.500000 --> 0:26:11.740000
 so an example very good example here
 is the use of PsExec or, you know,

0:26:11.740000 --> 0:26:18.040000
 RDP into multiple systems another dead
 ringer and then persistence techniques

0:26:18.040000 --> 0:26:21.980000
 a good example here would be modifications
 to the registry or scheduled

0:26:21.980000 --> 0:26:26.400000
 tasks you know is that really something
 you see every day on your own

0:26:26.400000 --> 0:26:36.320000
 Windows computer? How often do
 you

0:26:36.320000 --> 0:26:41.340000
 personally consciously modify the Windows
 registry I'm not talking about

0:26:41.340000 --> 0:26:45.280000
 the registry modifications or changes
 as a result of installing new software

0:26:45.280000 --> 0:26:51.000000
 or uninstalling new software because
 that can easily be classified

0:26:51.000000 --> 0:26:57.060000
 as again benign but you know a user launching
 regedit and you know mucking

0:26:57.060000 --> 0:27:02.200000
 around or trying to access the hive via
 the you know command line arguments

0:27:02.200000 --> 0:27:09.240000
 is uh that's an example of a behavioral
 indicator of compromise and it's

0:27:09.240000 --> 0:27:14.980000
 based on anomalies right the fact that
 that type of activity is

0:27:14.980000 --> 0:27:19.920000
 out of the ordinary it's an anomaly okay
 so the use cases as you probably

0:27:19.920000 --> 0:27:31.780000
 could have inferred or
 intuited are this is harder to so

0:27:31.780000 --> 0:27:36.860000
 you're sort of going beyond just looking
 at what attackers or threat

0:27:36.860000 --> 0:27:42.200000
 actors are using but how they operate
 the other use case is they're

0:27:42.200000 --> 0:27:47.700000
 very ideal for detecting novel or new
 or sophisticated attacks and

0:27:47.700000 --> 0:27:55.020000
 insider threats so behavioral indicators
 of compromise or behavior-based

0:27:55.020000 --> 0:27:59.440000
 detection, behavior-based detection or
 anomaly-based detection as it's called

0:27:59.440000 --> 0:28:05.340000
 is sort of what a lot of the EDRs do
 by virtue of you know how they

0:28:05.340000 --> 0:28:11.080000
 work but behavioral indicators of
 compromise are very important for

0:28:11.080000 --> 0:28:14.660000
 you to understand because it's the natural
 evolution of IOCs in any case

0:28:14.660000 --> 0:28:19.700000
 there are some limitations the fact
 you're probably already

0:28:19.700000 --> 0:28:25.580000
 asking yourself the question well how
 exactly does an EDR or in the case

0:28:25.580000 --> 0:28:30.820000
 of behavioral IOCs how exactly would
 you generate patterns of activity

0:28:30.820000 --> 0:28:37.680000
 if you know the system hasn't been
 or an organization is just you know

0:28:37.680000 --> 0:28:41.000000
 or a computer has just been active
 for like six months or a person has

0:28:41.000000 --> 0:28:46.080000
 been using it for three months is that
 enough time

0:28:46.080000 --> 0:28:51.280000
 for you to be able to say that hey this
 is what standard

0:28:51.280000 --> 0:28:56.720000
 use looks like and then based on that
 baseline derive what anomalies are

0:28:56.720000 --> 0:29:03.540000
 in this case an anomaly being
 anything that deviates from the

0:29:03.540000 --> 0:29:10.940000
 baseline so to better explain it behavioral
 IOCs require baselining and

0:29:10.940000 --> 0:29:16.920000
 context for example through the use
 of UEBA which I explained in the

0:29:16.920000 --> 0:29:21.360000
 previous two courses I think user and
 entity behavior analytics or as

0:29:21.360000 --> 0:29:28.720000
 I mentioned EDR analytics and it
 goes without saying because of how

0:29:28.720000 --> 0:29:33.320000
 it works you know it's going to be more
 prone to false positives if not

0:29:33.320000 --> 0:29:39.260000
 tuned to the environment so you know
 in the previous video I gave you

0:29:39.260000 --> 0:29:44.760000
 examples of how if your detection
 rules are too broad then you know

0:29:44.760000 --> 0:29:51.000000
 just writing a detection rule to
 detect instances of PowerShell

0:29:51.000000 --> 0:29:56.580000
 being executed with quite a common
 command or cmdlet like

0:29:56.580000 --> 0:30:03.240000
 DownloadString or something
 like this um you know we we saw

0:30:03.240000 --> 0:30:08.020000
 in the previous video that an administrator
 could be using the same script

0:30:08.020000 --> 0:30:12.080000
 or the same command because it is
 a legitimate command to download

0:30:12.080000 --> 0:30:16.900000
 files you know if an administrator
 is using that and you wrote

0:30:16.900000 --> 0:30:21.080000
 a detection rule for it, it is going
 to lead to false positives and

0:30:21.080000 --> 0:30:28.320000
 in this case the same logic applies
 because you know if we

0:30:28.320000 --> 0:30:32.180000
 take let's say a Windows system and
 you know let's say for six months

0:30:32.180000 --> 0:30:37.580000
 PowerShell has never been executed on
 it and so basically a baseline

0:30:37.580000 --> 0:30:41.440000
 you know there has been baselining
 you know for the last six months

0:30:41.440000 --> 0:30:45.860000
 there's been analytics etc all that
 good stuff and then an administrator

0:30:45.860000 --> 0:30:49.680000
 all of a sudden goes on to that system
 and wants to perform some system

0:30:49.680000 --> 0:30:53.740000
 administration they could even RDP into
 it doesn't really matter and then

0:30:53.740000 --> 0:30:58.180000
 they execute PowerShell that's immediately
 gonna say or trigger and say

0:30:58.180000 --> 0:31:03.420000
 hey something's fishy going
 on here of course if it's without

0:31:03.420000 --> 0:31:07.800000
 the context or without knowing that
 the administrator legitimately did

0:31:07.800000 --> 0:31:12.580000
 it again that would be an indicator
 of compromise and that's those

0:31:12.580000 --> 0:31:18.400000
 are the limitations so that brings us
 now to the common examples of IOCs

0:31:18.400000 --> 0:31:22.240000
 which a lot of people begin with when
 they're getting into IOCs or trying

0:31:22.240000 --> 0:31:25.660000
 to understand them which as I've mentioned
 is sort of the incorrect starting

0:31:25.660000 --> 0:31:30.840000
 point because you really should be categorizing
 them so if I ask you

0:31:30.840000 --> 0:31:35.680000
 I'll prove my point I'll prove my point
 if I ask you now could you

0:31:35.680000 --> 0:31:45.760000
 tell me what category of IOCs
 registry keys fall under you would

0:31:45.760000 --> 0:31:50.140000
 already you would already be able to
 tell me and if we go back to file-based

0:31:50.140000 --> 0:31:58.040000
 IOCs you can see this here
 where did I point this out um let's

0:31:58.040000 --> 0:32:08.660000
 see did I mention this here that's
 file-based so one second I

0:32:08.660000 --> 0:32:12.680000
 actually mentioned it in behavioral IOCs
 but it still applies to you know

0:32:12.680000 --> 0:32:17.340000
 file system IOCs you know the
 bottom line is that you can understand

0:32:17.340000 --> 0:32:25.200000
 you know where IOCs fit with regards
 to the type of IOC they are so

0:32:25.200000 --> 0:32:31.100000
 IP addresses are you know network-based
 IOCs so I've provided the various

0:32:31.100000 --> 0:32:35.620000
 types of IOCs or examples as it were
 and the description of them so you

0:32:35.620000 --> 0:32:40.740000
 typically will be dealing with IOCs
 like IP addresses so this you know

0:32:40.740000 --> 0:32:44.280000
 is a malicious or you know malicious
 or suspicious IPs used for command

0:32:44.280000 --> 0:32:49.200000
 and control data exfiltration or scanning
 file hashes that's if I were

0:32:49.200000 --> 0:32:53.520000
 to ask you what category does that
 fall under it's fairly, by virtue

0:32:53.520000 --> 0:33:00.220000
 of its name those are file-based
 IOCs so you know MD5 SHA-1 or SHA-256

0:33:00.220000 --> 0:33:05.540000
 hashes of known malicious files for
 example malware samples or droppers

0:33:05.540000 --> 0:33:10.240000
 domains and URLs these are you know
 host names or specific web addresses

0:33:10.240000 --> 0:33:15.040000
 used in phishing payload delivery or call
 back infrastructure email artifacts

0:33:15.040000 --> 0:33:20.000000
 this is you know malicious sender addresses
 email subjects or attachments

0:33:20.000000 --> 0:33:25.200000
 that have been used in phishing attacks
 previously registry keys so Windows

0:33:25.200000 --> 0:33:29.220000
 registry changes used for persistence
 or system manipulation by malware

0:33:29.220000 --> 0:33:34.320000
 file names or paths so these are you
 know known malware or suspicious

0:33:34.320000 --> 0:33:39.680000
 files stored in typical or obscure locations
 example temp.exe or unusual

0:33:39.680000 --> 0:33:46.680000
 folders if you remember again the
 Effectively Using ELK lab we went

0:33:46.680000 --> 0:33:51.900000
 through a very good demonstration
 and actually found what you would

0:33:51.900000 --> 0:33:57.260000
 consider or classify as file-based IOCs
 when we're talking about you know

0:33:57.260000 --> 0:34:02.400000
 identifying the locations of specific
 Windows services that are masquerading

0:34:02.400000 --> 0:34:13.900000
 or Windows binaries that are masquerading
 as legitimate file-based IOC

0:34:13.900000 --> 0:34:18.560000
 then you have process names so abnormal
 or masquerading process names

0:34:18.560000 --> 0:34:24.640000
 like svchost but instead of an O we
 have a zero or explorer.exe again

0:34:24.640000 --> 0:34:29.900000
 with a zero that's again a very good
 example of an indicator of

0:34:29.900000 --> 0:34:33.720000
 compromise and then you have mutexes
 right so these are unique identifiers

0:34:33.720000 --> 0:34:39.180000
 used by malware to avoid multiple instances
 running so very well or

0:34:39.180000 --> 0:34:42.660000
 professionally developed malware is
 where you typically see mutexes and

0:34:42.660000 --> 0:34:46.400000
 then beaconing patterns that if I were
 to ask you you know that is

0:34:46.400000 --> 0:34:50.500000
 a network based indicator of compromise
 or regular and repetitive network

0:34:50.500000 --> 0:34:55.920000
 traffic that signals C2 communication
 network artifacts so unusual port

0:34:55.920000 --> 0:35:00.280000
 usage, encrypted traffic patterns or
 protocol anomalies so very very easy

0:35:00.280000 --> 0:35:04.560000
 to understand once you can basically
 categorize them or you understand

0:35:04.560000 --> 0:35:09.120000
 what they refer to with regards to
 their use cases right as I outlined

0:35:09.120000 --> 0:35:15.880000
 over here so hopefully that makes sense
 and now I'm gonna end this particular

0:35:15.880000 --> 0:35:21.240000
 video with the process of identifying
 IOCs something you know

0:35:21.240000 --> 0:35:24.220000
 we have done in this course although
 I didn't tell you we were doing it

0:35:24.220000 --> 0:35:29.740000
 consciously but what is IOC identification
 or detection it's usually known

0:35:29.740000 --> 0:35:34.900000
 as identification or detection but IOC
 identification is the process of

0:35:34.900000 --> 0:35:38.780000
 discovering and recognizing keyword
 recognizing indicators of compromise

0:35:38.780000 --> 0:35:42.420000
 within your environment or the environment
 that you're monitoring and

0:35:42.420000 --> 0:35:47.160000
 protecting right and it's often as
 part of a triage threat hunting or

0:35:47.160000 --> 0:35:52.020000
 incident response right and the goal
 is to extract and validate artifacts

0:35:52.020000 --> 0:35:56.740000
 that may signify malicious activity
 and the process of identifying

0:35:56.740000 --> 0:36:03.840000
 IOCs entails the following so we have
 detection so this is you know security

0:36:03.840000 --> 0:36:09.980000
 tools log or alert on suspicious behavior
 but the key phases are you

0:36:09.980000 --> 0:36:14.500000
 know from extraction onwards so extraction
 this is where analysts identify

0:36:14.500000 --> 0:36:21.000000
 observable data points so think of IPs
 URLs file hashes registry keys etc

0:36:21.000000 --> 0:36:28.120000
 and then correlation so you know systems
 and time to build patterns then

0:36:28.120000 --> 0:36:31.440000
 you have enrichment where you validate
 against known databases and add

0:36:31.440000 --> 0:36:36.000000
 context we'll be talking about IOC
 analysis and enrichment because

0:36:36.000000 --> 0:36:40.980000
 they're sort of key to incident response
 in the next video and then

0:36:40.980000 --> 0:36:45.100000
 finally validation this is something
 that tier one analysts would be doing

0:36:45.100000 --> 0:36:51.500000
 so decide if it's truly malicious benign
 or unknown so that's that

0:36:51.500000 --> 0:36:57.940000
 process sort of explaining a couple
 more aspects of identifying IOCs

0:36:57.940000 --> 0:37:03.200000
 I briefly mentioned detection sources
 I think it's important that I clarify

0:37:03.200000 --> 0:37:07.300000
 that so IOC identification typically begins
 with data collected from security

0:37:07.300000 --> 0:37:12.600000
 telemetry or logs in general and these
 sources capture suspicious behaviors

0:37:12.600000 --> 0:37:17.980000
 artifacts and events right so once a potential
 IOC has surfaced it's subjected

0:37:17.980000 --> 0:37:22.020000
 to correlation and contextual analysis
 to confirm its malicious nature

0:37:22.020000 --> 0:37:27.800000
 so this is when you're now you know trying
 to identify indicators of compromise

0:37:27.800000 --> 0:37:33.640000
 you know we're not talking about
 using you know publicly available

0:37:33.640000 --> 0:37:37.740000
 indicators of compromise we're talking
 about exactly what we did in the

0:37:37.740000 --> 0:37:42.800000
 Effectively Using ELK lab and when we
 talk about correlation this is where

0:37:42.800000 --> 0:37:48.000000
 you link the IOC to (a) similar events
 or alerts across different hosts

0:37:48.000000 --> 0:37:53.100000
 or (b) known attack campaigns or malware
 families an example would be an

0:37:53.100000 --> 0:37:57.100000
 IP observed in outbound traffic is linked
 to a known phishing domain also

0:37:57.100000 --> 0:38:02.260000
 detected in a recent email so you know
 that's an example specific to

0:38:02.260000 --> 0:38:11.380000
 IOC correlation and identification
 okay so that brings us to the end

0:38:11.380000 --> 0:38:14.820000
 of what I wanted to do in terms of introducing
 you to indicators of compromise

0:38:14.820000 --> 0:38:19.120000
 I know you may be asking yourself another
 question about what about indicators

0:38:19.120000 --> 0:38:22.700000
 of attack, you hear that they're
 quite relevant to incident response

0:38:22.700000 --> 0:38:26.820000
 and you're right we'll get to that when
 it becomes relevant because there's

0:38:26.820000 --> 0:38:29.980000
 no point in going through all of this
 stuff theoretically and not having

0:38:29.980000 --> 0:38:34.740000
 the ability to contextualize it or to
 see what you know they look like

0:38:34.740000 --> 0:38:41.020000
 whether we're talking about IOCs or
 IOAs in real life so in the next

0:38:41.020000 --> 0:38:47.980000
 video we're going to be finalizing
 the triage and escalation

0:38:47.980000 --> 0:38:53.480000
 section of this course by taking a look
 at the process of analyzing

0:38:53.480000 --> 0:38:59.880000
 and enriching IOCs and in the next
 video you'll see specifically why

0:38:59.880000 --> 0:39:03.600000
 this is important to you with that being
 said that's going to be it for

