Threat Research Blog

Combat the APT by Sharing Indicators of Compromise

At MANDIANT, we value human intelligence - ground truth, intelligent decision-making and adapting to your enemy's tactics. Since expert humans can't be everywhere, we've built a means to exchange enough ground truth and decision-making that security experts can spend more energy applying their expertise and less time parsing and pruning stale datasets, and can leverage that expertise across organizations and between compromises.

Historically, compromise data has been exchanged as CSV files or PDFs laden with tables of "known bad" malware information - names, sizes, MD5 hash values and paragraphs of imprecise description - supplemented by ad-hoc exchanges between targets.

MANDIANT, inspired by field pressures operation after operation, imagined a way to exchange not only indicators of specific compromises but also structures that formalize the human intelligence behind decision-making: rules, exceptions, and ongoing adaptability. Our Indicators of Compromise (IOCs) were shaped operationally, detecting real-world threats. We help our clients detect the APT right now, and they're exchanging information about it using IOCs.

Conventional compromise datasets consist of table after table of immediately stale data capturing few, if any, relationships. An Indicator of Compromise (IOC), however, is a Boolean decision tree that discriminates an indicator from a false positive, theory from ground truth. What's more, when you discover an exception or extension to a well-known IOC you can describe it concisely and proactively, authenticate its source and re-evaluate your existing data to detect new instances of old compromises. This way, as a threat group adapts to your detections, you retain an IOC's identity and maintain the value of intelligence shared with other targets over time.

Importantly, an IOC is industry-standard XML, so you already have tools and a community of experts who can comprehend, transform, and leverage new data immediately. Unlike many XML standards, however, it's simple - developed operationally with an eye toward staying adaptable, transformable, and scalable. An IOC describes the relationships which indicate compromise, and that makes the format resilient to new data formats, data sources and decision engines.
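To make the "Boolean decision tree in XML" idea concrete, here is a small evaluator written for this post (example code, not MANDIANT's tooling or the released format itself). The element names (ioc, definition, Indicator, IndicatorItem, Context, Content), the namespace URI and the condition vocabulary (is, isnot, contains, containsnot) are assumptions modelled on the OpenIOC 1.0 schema as I understand it; the IOC body, host artifacts, hashes and paths are constructed for illustration. The IOC encodes one known-bad hash OR (a suspicious path AND NOT a documented known-good hash), which is exactly the kind of exception the text describes: the exception travels inside the same IOC rather than as a footnote in a spreadsheet.

```python
"""Evaluate an OpenIOC-style Boolean indicator tree against host artifacts.

Added example; element names, namespace and conditions are assumptions
modelled on OpenIOC 1.0. Each artifact is evaluated on its own, so an AND
over several FileItem attributes refers to the same file (a simplification
of the real scoping rules).
"""
import xml.etree.ElementTree as ET

# Constructed IOC: known-bad MD5 OR (suspicious path AND NOT known-good MD5).
SAMPLE_IOC = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="example-00000000-0000-0000-0000-000000000001">
  <short_description>Constructed example: dropper masquerading as svchost</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FullPath"/>
          <Content type="string">\Temp\svchost.exe</Content>
        </IndicatorItem>
        <IndicatorItem condition="isnot">
          <Context document="FileItem" search="FileItem/Md5sum"/>
          <Content type="md5">fedcba9876543210fedcba9876543210</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host artifacts, keyed by the same search paths the IOC uses.
HOST_ARTIFACTS = [
    # Known-bad hash in an innocuous location: hits the first branch.
    {"FileItem/FullPath": r"C:\Windows\System32\drivers\etc\hosts.bak",
     "FileItem/Md5sum": "0123456789ABCDEF0123456789ABCDEF"},
    # Suspicious path, unknown hash: hits the AND branch.
    {"FileItem/FullPath": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "FileItem/Md5sum": "11111111111111111111111111111111"},
    # Suspicious path, but the hash is the documented exception: no hit.
    {"FileItem/FullPath": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "FileItem/Md5sum": "fedcba9876543210fedcba9876543210"},
    # Legitimate svchost location: no hit.
    {"FileItem/FullPath": r"C:\Windows\System32\svchost.exe",
     "FileItem/Md5sum": "22222222222222222222222222222222"},
    # Process record with no FileItem attributes: no item applies.
    {"ProcessItem/name": "svchost.exe", "ProcessItem/pid": "1234"},
]

CONDITIONS = {
    "is": lambda observed, expected: observed == expected,
    "isnot": lambda observed, expected: observed != expected,
    "contains": lambda observed, expected: expected in observed,
    "containsnot": lambda observed, expected: expected not in observed,
}


def local(tag):
    """Strip the XML namespace so we can dispatch on the local element name."""
    return tag.rsplit("}", 1)[-1]


def child(element, name):
    """Return the first child with the given local name."""
    return next(c for c in element if local(c.tag) == name)


def item_matches(item, artifact):
    """Apply one IndicatorItem (leaf test) to a single artifact."""
    content = child(item, "Content")
    search = child(item, "Context").get("search")
    expected = (content.text or "").strip()
    observed = artifact.get(search)
    if observed is None:
        # Missing attribute is never evidence, not even for negated tests.
        return False
    if content.get("type") == "md5":
        observed, expected = observed.lower(), expected.lower()
    return CONDITIONS[item.get("condition")](observed, expected)


def indicator_matches(indicator, artifact):
    """Recursively combine child results with the node's AND/OR operator."""
    results = []
    for node in indicator:
        if local(node.tag) == "Indicator":
            results.append(indicator_matches(node, artifact))
        elif local(node.tag) == "IndicatorItem":
            results.append(item_matches(node, artifact))
    operator = indicator.get("operator", "AND").upper()
    if operator == "AND":
        return all(results)
    if operator == "OR":
        return any(results)
    raise ValueError(f"unsupported operator {operator!r}")


def evaluate(ioc_xml, artifacts):
    """Return the artifacts that satisfy the IOC's top-level Indicator."""
    root = ET.fromstring(ioc_xml)
    top = child(child(root, "definition"), "Indicator")
    return [a for a in artifacts if indicator_matches(top, a)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_IOC, HOST_ARTIFACTS):
        print("HIT:", hit)
```

Running it reports two hits (the known-bad hash and the unknown binary in a Temp directory) and stays quiet on the documented exception and on the real svchost, without any of the matching logic living outside the IOC document itself.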

At DoD CyberCrime 2010, MANDIANT will formally release this format and the tools to leverage it in your investigations today. We'll have full coverage of the release on M-unition - stay tuned.