The Limitations of IOCs

8 April 2021

The Associated Press recently reported that email addresses of top DHS officials had been compromised as part of the massive SolarWinds hack. According to a DHS spokesperson, “a small number of employees’ accounts were targeted in the breach” and the agency “no longer sees indicators of compromise on our networks.” But what does that actually mean?

In days long gone, indicators of compromise (IOCs) were the lifeblood of infosec, whether from feeds, blogs, threat intelligence reporting, or private groups like ISACs. “They were the currency analysts and security teams traded in and the foundation of most programs,” said Tim Stahl, Director of Threat Intelligence at Prevailion.

And while they are still an important component of a security program, the value of IOCs has diminished significantly due to the increasing complexity of modern attacks. “As attack complexity grows, the number of IOCs required to reliably detect malicious activity has grown exponentially, with the value of individual IOCs diminishing. There are a variety of elements driving this trend,” Stahl said. The reality is that IOCs have their limitations.

What’s Changed with IOCs

Nearly a decade ago, Dark Reading shared a list of the Top 15 Indicators of Compromise to watch for. These included anomalies in privileged user account activity and unusual outbound network traffic as the top two IOCs, but with the increasing sophistication and complexity of modern attacks, defenders must now consider a significantly larger set of IOCs to catch malicious activity.

In large part, this exponential growth is due to the tools and services for sale on underground forums, which continue to advance the capabilities of even less experienced attackers. “Crimeware as a service has grown into big business over the last decade, segmenting and specializing elements that were once the purview of the most skilled and well-funded APT groups,” Stahl said. Now we are seeing advanced tools like ransomware sold online, along with a variety of specialized services, including malware distribution via spam/phishing, DDoS, malware packing, cryptocurrency laundering, AV detection validation (VirusTotal-type services), and more.

In the ongoing battle between attackers and defenders, malware and attack methods are advancing in complexity, and the way phishing has adapted to security products and controls illustrates this. “As detection products have gotten better at analysis and detection of malicious URLs embedded within phishing emails, attacks have increased the number of steps between the URL delivered in a phishing email and the end infection to avoid detection,” Stahl explained. Once improved detection made it impractical to link directly to a piece of malware, attackers added more levels of redirection to outpace the ability of email security appliances to follow the chain and reliably detect and classify it.

The problem is that each level of redirect, across multiple domains or IPs, generates more IOCs. “A single phishing campaign may leverage multiple redirect chains leading to the delivery of the actual malware, again increasing the total number of related IOCs,” Stahl said. “While the burden of collecting, distributing and implementing these IOCs in a security program grows, the lifespan of their usefulness has diminished. Phishing related IOCs generally have a lifespan that is more appropriately measured in hours than days, so by the time they are identified, collected and applied they have limited value for defense.”

Evolution of Malware

Many malware infection chains have evolved into multi-step processes in which a variety of specialized malware elements work together to deliver the final infection. For example, a phishing email carrying an infected Office document will contain a script that executes as a ‘dropper’. Its only function is to write another small piece of malware onto the system and execute it. This second-stage malware generally acts as a ‘loader’, which may download another malware element from a staging server on the Internet. That element may then contact a different server for additional modules or instructions, leading to the final infection, which may contact the eventual command and control (C2) server.

“This is a fairly common scenario that Prevailion’s Threat Intelligence team investigates on an almost daily basis,” Stahl said. “For anyone counting along, the output of this type of infection chain will generate at least four hashes (infected document, dropper, loader, final malware) and in most cases also includes other malware elements dropped on a system to maintain persistence. There are also domain/IP related IOCs for the staging server, the intermediate C2, and the final C2.”

Today’s infection chain can involve many layers of IOCs. The problem is that most of these IOCs are ephemeral: outside of the final C2, the rest of the elements have limited value over time. Attackers repack elements to alter their hashes and negate currently known IOCs, and staging servers tend to be used for only a limited time. Security teams are left with a large surface area to monitor, and while they may have access to multiple IOCs for an infection chain, they may not have all the security tools/appliances, or the logging enabled, for complete visibility into an attack.

The Call for Visibility

In addition to the challenge of ephemeral IOCs, security teams are also dealing with gaps in visibility. As the Biden Administration navigates the wreckage in the aftermath of the SolarWinds hack, we are repeatedly hearing calls for visibility into government networks. Recognizing that many detection strategies are more miss than hit, leaders of federal agencies are calling for improved cybersecurity while acknowledging that modernizing cyber defenses “will involve having greater visibility into federal networks and IT systems.”

At issue for both the public and private sectors is that most IOC feeds are delivered in bulk with little to no indication of which elements correlate with which stage of an attack, so security teams cannot discern whether an IOC relates to a specific infection chain. “Overall there are simply too many gaps, too little context about individual IOCs, and too much lag between attack, detection, classification of IOCs and final delivery so that they can be ingested and applied to the security team’s detection strategy,” Stahl said.
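The stage-and-lag problem described above, as an added illustration that is not Prevailion’s code or data: a bulk feed is tagged with the infection-chain stage each indicator belongs to, each stage gets an assumed useful lifetime (phishing redirects measured in hours, hashes and staging servers in days, the final C2 longest), and the feed is triaged at the moment it actually reaches the defender. All indicator values, chain ids and timestamps are constructed placeholders.

```python
"""Stage-aware IOC triage: added example, not Prevailion's code or data.
All values and timestamps are constructed; per-stage lifetimes are assumptions
mirroring the article (phishing redirects: hours, hashes/staging: days, final C2: longest)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed useful lifetime of an indicator, keyed by infection-chain stage.
STAGE_TTL = {
    "phish_redirect": timedelta(hours=6),
    "dropper_hash": timedelta(days=2),
    "loader_hash": timedelta(days=2),
    "staging_server": timedelta(days=3),
    "intermediate_c2": timedelta(days=14),
    "final_c2": timedelta(days=90),
}

@dataclass(frozen=True)
class Ioc:
    value: str        # domain, IP or file hash
    stage: str        # one of STAGE_TTL's keys
    chain_id: str     # infection chain the feed attributes this value to
    first_seen: datetime

def is_live(ioc: Ioc, now: datetime) -> bool:
    """True while the indicator is still inside its stage's useful lifetime."""
    return now - ioc.first_seen <= STAGE_TTL[ioc.stage]

def triage(feed, now):
    """Group a bulk feed by chain; split each chain into live and expired values."""
    out = {}
    for ioc in feed:
        bucket = out.setdefault(ioc.chain_id, {"live": [], "expired": []})
        bucket["live" if is_live(ioc, now) else "expired"].append(ioc.value)
    return out

FIRST_SEEN = datetime(2021, 4, 1, 9, 0, tzinfo=timezone.utc)  # constructed
SAMPLE_FEED = [  # one constructed chain; every value is a placeholder
    Ioc("redirect-1.example", "phish_redirect", "chain-A", FIRST_SEEN),
    Ioc("redirect-2.example", "phish_redirect", "chain-A", FIRST_SEEN),
    Ioc("sha256:<dropper-placeholder>", "dropper_hash", "chain-A", FIRST_SEEN),
    Ioc("sha256:<loader-placeholder>", "loader_hash", "chain-A", FIRST_SEEN),
    Ioc("staging.example", "staging_server", "chain-A", FIRST_SEEN),
    Ioc("intermediate-c2.example", "intermediate_c2", "chain-A", FIRST_SEEN),
    Ioc("c2-final.example", "final_c2", "chain-A", FIRST_SEEN),
]

def sample_triage(lag: timedelta = timedelta(hours=18)):
    """Triage the sample feed as if it reached the defender `lag` after first sighting."""
    return triage(SAMPLE_FEED, FIRST_SEEN + lag)
```

With the default 18-hour delivery lag both phishing redirects are already expired while the hashes, staging server and C2 entries are still worth deploying; pass a longer lag to see the staging server and hashes fall away as well.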

To fill the gaps, security teams need complete visibility into an attack and the ability to use Evidence of Compromise (EOC) in context, decreasing the lag between attack and detection so that they can respond in real time.


Copyright 2021 Prevailion, Inc. All rights reserved.    
