Compromise Indicator Magic
Authors: Fyodor Yarochkin, Vladimir Kropotov and Vitaliy Chetvertakov
During this hands-on lab Vladimir, Fyodor and Vitaliy will cover the concept of indicators of compromise (IOCs) and their use in proactive incident response and forensic investigation. The team has developed a framework and platform that integrates various IOC formats into a dynamic defense workflow. The framework accepts indicators encoded in third-party formats (such as CybOX and OpenIOC) and provides facilities for mapping the characteristics of an individual IOC to known, existing indicators of compromise. Input can be provided in the form of an IP address, a hash, a URL, a process or executable name, an executable behavior characteristic and so on. The resulting indicators can be emitted as Snort rule(s), YARA rule(s), or a hunt description for the GRR Rapid Response framework. The researchers will demonstrate the applied process of identifying, mining and refining IOCs, as well as running "IOC sweeps" over the available data sources. Several tools will be demonstrated in these examples (including the passive DNS and passive HTTP frameworks developed by the authors), along with possibilities for integration with third-party tools such as Splunk and Moloch.
The researchers will also discuss the implementation of IOC sharing policies and how such sharing is facilitated, and will walk attendees through a series of simulated case studies, including breach simulations, detection of customized rootkits, and use of the framework to detect, refine, redeploy and sweep for potential indicators of compromise.
All tools presented will be released as open source.
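The abstract describes two operations: mapping an IOC given as an IP address, hash, URL or process name onto a detection rule (Snort or YARA), and sweeping available data sources for those IOCs. The following is an added illustration of both steps, not code from the authors' framework: it classifies a handful of raw indicators by syntax, emits Snort 2 and YARA rules for the kinds each engine can observe, and runs a sweep over a few constructed passive-HTTP and endpoint records. The rule SIDs, rule names, the type-guessing heuristic and every sample value are assumptions made for the example.

```python
"""Added example, not the authors' framework: normalise a few IOCs, emit
Snort and YARA rules from them, and run an "IOC sweep" over constructed
sample records.  Rule SIDs, rule names and every sample value are invented."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IOC:
    kind: str    # one of: ip, md5, sha256, url, process
    value: str


def classify(raw: str) -> IOC:
    """Guess the IOC type from its syntax (an assumed heuristic, not a standard)."""
    v = raw.strip()
    try:
        ipaddress.ip_address(v)
        return IOC("ip", v)
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]{32}", v):
        return IOC("md5", v.lower())
    if re.fullmatch(r"[0-9a-fA-F]{64}", v):
        return IOC("sha256", v.lower())
    if re.match(r"https?://", v, re.IGNORECASE):
        return IOC("url", v)
    return IOC("process", v)      # anything else is treated as a process/executable name


def _snort_content(s: str) -> str:
    """Escape the characters that are special inside a Snort content:"..." option."""
    return re.sub(r'([;"\\|])', r"\\\1", s)


def snort_rule(ioc: IOC, sid: int) -> Optional[str]:
    """Network-observable IOCs become Snort 2 rules; host-only IOCs return None."""
    if ioc.kind == "ip":
        return (f'alert ip any any -> {ioc.value} any '
                f'(msg:"IOC sweep: traffic to {ioc.value}"; sid:{sid}; rev:1;)')
    if ioc.kind == "url":
        m = re.match(r"https?://([^/]+)(/.*)?", ioc.value, re.IGNORECASE)
        host, path = m.group(1), m.group(2) or "/"
        # Match the path in the normalised URI and the host in the request headers.
        return (f'alert tcp any any -> any $HTTP_PORTS '
                f'(msg:"IOC sweep: request for {_snort_content(ioc.value)}"; '
                f'flow:to_server,established; '
                f'content:"{_snort_content(path)}"; http_uri; '
                f'content:"{_snort_content(host)}"; http_header; '
                f'sid:{sid}; rev:1;)')
    return None


def yara_rule(ioc: IOC, name: str) -> Optional[str]:
    """Host-observable IOCs become YARA rules; network-only IOCs return None."""
    if ioc.kind in ("md5", "sha256"):
        # The YARA "hash" module computes the digest of the scanned file.
        return (f'import "hash"\nrule {name} {{\n    condition:\n'
                f'        hash.{ioc.kind}(0, filesize) == "{ioc.value}"\n}}')
    if ioc.kind == "process":
        s = ioc.value.replace("\\", "\\\\").replace('"', '\\"')
        return (f'rule {name} {{\n    strings:\n'
                f'        $name = "{s}" ascii wide nocase\n'
                f'    condition:\n        $name\n}}')
    return None


# Record fields each IOC kind is checked against during a sweep.
_FIELDS = {"ip": ("src_ip", "dst_ip"), "md5": ("md5",), "sha256": ("sha256",),
           "url": ("url",), "process": ("process",)}


def sweep(iocs: List[IOC], records: List[dict]) -> List[tuple]:
    """Return (record id, IOC) for every record field that matches an IOC."""
    hits = []
    for rec in records:
        for ioc in iocs:
            for field in _FIELDS[ioc.kind]:
                val = rec.get(field)
                if val is None:
                    continue
                if ioc.kind in ("md5", "sha256"):
                    matched = val.lower() == ioc.value
                elif ioc.kind == "process":
                    # Accept a bare name or a full path whose last component is that name.
                    v, n = val.lower(), ioc.value.lower()
                    matched = v == n or v.endswith("\\" + n) or v.endswith("/" + n)
                else:
                    matched = val == ioc.value
                if matched:
                    hits.append((rec["id"], ioc))
    return hits


# Constructed IOCs and sample records (passive-HTTP and endpoint style); none are real.
RAW_IOCS = ["203.0.113.7", "http://example.invalid/update.php",
            "d41d8cd98f00b204e9800998ecf8427e", "updsvc.exe"]
IOCS = [classify(x) for x in RAW_IOCS]
SAMPLE_RECORDS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7",
     "url": "http://example.invalid/update.php"},
    {"id": 2, "src_ip": "10.0.0.9", "dst_ip": "198.51.100.2",
     "url": "http://example.invalid/index.html"},
    {"id": 3, "process": r"C:\Windows\Temp\updsvc.exe",
     "md5": "D41D8CD98F00B204E9800998ECF8427E"},
]

if __name__ == "__main__":
    for n, ioc in enumerate(IOCS):
        print(snort_rule(ioc, 1000000 + n) or yara_rule(ioc, f"ioc_{n}"))
    for rec_id, ioc in sweep(IOCS, SAMPLE_RECORDS):
        print(f"record {rec_id}: hit on {ioc.kind} {ioc.value}")
```

Running the script prints one rule per indicator and then the sweep hits: records 1 and 3 match, record 2 does not because only its host, not the full URL, coincides with the indicator. The split between `snort_rule` and `yara_rule` reflects what each engine can actually observe: an IP or URL is visible on the wire, a file hash or process name only on the host, so a rule generator has to refuse the mismatched combinations rather than emit something that never fires.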
Fyodor Yarochkin is a security analyst at Academia Sinica, Chroot Study Group.
Vladimir Kropotov is an information security analyst and independent researcher.
Vitaliy Chetvertakov is a security analyst and independent researcher.