Indicator aging... this is one of the questions we get asked ALL of the time. And I've been asked for MANY years... "How do you qualify indicators and clean out the old ones?" When companies harvest hundreds of thousands of 'IOCs' every month, how do they qualify the good ones over the not so good? When is an IOC outdated? How do you know?
Great questions all. Heck, even my own staff asks this question...
Here's the deal. Targeted attackers don't pull out the good stuff until they need it.
- This week we answered questions about new variants associated with a TTP from early 2012.
- Every now and again we see WIN XP malware pop up, or better yet, WIN XP VPN! If you've not had the realization yet, nearly every remote access solution associated with Windows XP is compromised. And every now and again, we see them pop up -- especially for users who simply don't want to pay for the upgrade (BIG mistake).
Here's the problem.
There are some great pieces of work out that help users understand and correlate all of this information. The taxonomies being developed to classify, prioritize and share indicators are heavy on detail and give you the ability to sift through all of the information for the things you need. As an example, I've included the architecture of a Mitre developed taxonomy called Structured Threat Information Exchange (STIX for short). STIX is a great way of characterizing all of the information that might help analysts determine the best prioritization for their own use, but at the same time, the idea of its use can be quite overwhelming. It certainly is not for the new user. Why? Look at the blocks. For every block on the diagram, data must be collected, normalized, stored, retrieved, analyzed and correlated. Wow. So today, the likes of Mitre and a handful of large companies with R&D shops, who can afford to build it and integrate it, are using this framework. In a few years when the data is more complete, we'll be really glad we have this. For now however, if you need to parse out old indicators because you believe they're no longer relevant, well, I hope you don't filter out the wrong ones.
My XP SP1 example is highly simplified of course, but in a world of global IOCs being pushed to individual companies, the answer is simply this... you, as the owner of risk management in your organization must decide how to prioritize the indicators and how you deploy protections. Nobody else can do it for you.
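As an added illustration of the aging problem (my own example, not a Wapack Labs or Red Sky tool, with constructed indicator values and dates), the Python below compares a plain discovery-age cutoff with a confidence decay that restarts at each confirmed sighting. The early-2012 TTP that is re-observed this week survives the second policy but is purged by the first, while the long-silent XP-era hash drops out of both:

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Indicator:
    value: str        # constructed sample values, not real IOCs
    kind: str         # "ttp", "md5", "domain", ...
    first_seen: date  # when the indicator entered the store
    last_seen: date   # most recent confirmed observation
    confidence: int   # analyst confidence, 0-100
    sightings: int = 1

TODAY = date(2014, 1, 3)  # constructed reference date for the samples below
def keep_by_discovery_age(ioc: Indicator, today: date, max_age_days: int = 365) -> bool:
    """Naive policy: purge anything that entered the store more than a year ago."""
    return (today - ioc.first_seen).days <= max_age_days

def relevance_score(ioc: Indicator, today: date, half_life_days: int = 180) -> float:
    """Confidence halves every half_life_days of silence, counted from the LAST sighting."""
    idle_days = max(0, (today - ioc.last_seen).days)
    return ioc.confidence * 0.5 ** (idle_days / half_life_days)

def keep_by_activity(ioc: Indicator, today: date, threshold: float = 20.0) -> bool:
    return relevance_score(ioc, today) >= threshold

def record_sighting(ioc: Indicator, seen_on: date) -> None:
    """An analyst confirms a new observation; this restarts the decay clock."""
    ioc.last_seen = max(ioc.last_seen, seen_on)
    ioc.sightings += 1

def triage(iocs, today: date) -> dict:
    """Map each value to (kept by discovery age, kept by activity) for comparison."""
    return {i.value: (keep_by_discovery_age(i, today), keep_by_activity(i, today)) for i in iocs}

def sample_indicators() -> list:
    return [  # constructed: a 2012 TTP, a silent XP-era hash, a fresh C2 domain
        Indicator("ttp-2012-lnk-downloader", "ttp", date(2012, 2, 10), date(2012, 6, 1), 90),
        Indicator("xp-era-hash-EXAMPLE", "md5", date(2011, 5, 4), date(2011, 5, 4), 40),
        Indicator("fresh-c2.example.invalid", "domain", date(2013, 12, 30), date(2014, 1, 2), 85),
    ]

def demo(today: date = TODAY) -> dict:
    """Triage before and after a new variant of the 2012 TTP is seen this week."""
    iocs = sample_indicators()
    before = triage(iocs, today)
    record_sighting(iocs[0], today)  # the 2012 TTP resurfaces, as in the example above
    return {"before": before, "after": triage(iocs, today)}

if __name__ == "__main__":
    print(demo())
```

The half-life and threshold are knobs the owner of risk management picks; the point is that the clock should run from the last sighting, not from the day the indicator was first harvested.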
We ended the year with a flurry of activity. Who said the Holiday Season is time to slow down?! We were FLAT OUT!
- 12/31/13 - FS-ISAC: Our first piece of work product was delivered to the FS-ISAC on New Year's Eve Day, marking the start of what we hope to be a great long-term relationship between Wapack Labs and the FS-ISAC. The submission was a priority intelligence report that was posted to both FS-ISAC and to Red Sky Alliance members, offering warnings of impending New Year's Day attacks.
- 12/31/13 - Fusion Report 31: In November and December of 2013, Red Sky received information regarding an APT campaign that leveraged previously unobserved malware. Several infection vectors were observed, including the leveraging of Microsoft Word vulnerability CVE-2013-3906, a malicious JPG file, and a LNK downloader. The majority of activity appeared to be targeted at Japanese companies; however, several additional variants were uncovered and may have affected non-Japanese entities. This report detailed information on the leveraged malware, exploit vectors, and observed targeting. Red Sky has named this new malware family for future tracking and attribution. As with all Fusion Reports, Red Sky members were provided with Snort and YARA rules, and a list of LM Kill Chain formatted indicators.
- 12/28/13 - Priority Intelligence Report:
- at the request of an Icelandic Information Security partner, Syndis. The study offers a third party perspective of issues associated with Iceland's use as an offshore hosting location for foreign enterprise. The report is being delivered by Syndis to Icelandic officials as we speak, and will be posted in the Red Sky portal sometime next week.
- ...and we added one new large enterprise financial company to the membership. Welcome!