Understanding Indicators
0 likes148 views
The document provides an in-depth exploration of the concept of indicators in information security, emphasizing the confusion surrounding their definitions and uses. It argues for the importance of understanding the context and significance of indicators to enhance their effectiveness in detecting malicious behavior. Furthermore, it highlights the necessity of precise language and clear communication to improve outcomes in security analysis.
Understanding Indicators
- 1. Understanding Indicators Towards An Information Security Ontology Joe Slowik
- 2. An Overview Of Indicators A Digression On Language Reimagining Indicators & Observations Conclusions Today’s Agenda
- 4. © Huntress Labs. All rights reserved Indicators 4 An Overview Of Indicators
- 5. © Huntress Labs. All rights reserved What Is An Indicator? 5 An Overview Of Indicators Indicator “Data Point” Sign Of Event Enables Sharing
- 6. © Huntress Labs. All rights reserved “Indicators” 6 An Overview Of Indicators
- 7. © Huntress Labs. All rights reserved “Indicators” 7 An Overview Of Indicators
- 8. © Huntress Labs. All rights reserved “Indicators” 8 An Overview Of Indicators “Indicator” Is An Overloaded Concept!
- 9. © Huntress Labs. All rights reserved “Indicators” 9 An Overview Of Indicators “Indicator” Is An Overloaded Concept! Many Terms Used Interchangeably
- 10. © Huntress Labs. All rights reserved “Indicators” 10 An Overview Of Indicators “Indicator” Is An Overloaded Concept! Many Terms Used Interchangeably Result Is Confusion In Purpose, Meaning
- 11. © Huntress Labs. All rights reserved “Indicators” 11 An Overview Of Indicators
- 12. © Huntress Labs. All rights reserved Indicators In A Perfect World 12 An Overview Of Indicators
- 13. © Huntress Labs. All rights reserved Indicators In A Perfect World 13 An Overview Of Indicators Understand The Purpose, Function, & Significance Of A Given Indicator, Why It Matters & When It Was Observed Context
- 14. © Huntress Labs. All rights reserved Indicators In A Perfect World 14 An Overview Of Indicators Understand The Purpose, Function, & Significance Of A Given Indicator, Why It Matters & When It Was Observed Context Indicator Is Tightly Correlated To Adversary Activity, Resulting In High-Confidence Link To Malicious Behavior When Observed Accuracy
- 15. © Huntress Labs. All rights reserved Indicators In A Perfect World 15 An Overview Of Indicators Understand The Purpose, Function, & Significance Of A Given Indicator, Why It Matters & When It Was Observed Context Indicator Is Tightly Correlated To Adversary Activity, Resulting In High-Confidence Link To Malicious Behavior When Observed Accuracy Indicator Enables Some Action Or Understanding To Take Place - From A Simple Block/Alarm To Adversary Understanding Applicability
- 16. © Huntress Labs. All rights reserved Indicators In A Perfect World 16 An Overview Of Indicators
- 17. © Huntress Labs. All rights reserved The “Birth” Of An Indicator 17 An Overview Of Indicators
- 18. © Huntress Labs. All rights reserved The “Birth” Of An Indicator 18 An Overview Of Indicators Continuous Refinement & Enrichment Is Necessary To Go Beyond “Mere Data” To “Something Happened” (Observable) To Something Of Interest Identified (Indicator)
- 19. © Huntress Labs. All rights reserved 19 An Overview Of Indicators “Indicator” & “IOC” Are Used Interchangeably Time & Events
- 20. © Huntress Labs. All rights reserved 20 An Overview Of Indicators “Indicator” & “IOC” Are Used Interchangeably IOC Is A Sign Of Something That HAPPENED Time & Events
- 21. © Huntress Labs. All rights reserved 21 An Overview Of Indicators “Indicator” & “IOC” Are Used Interchangeably IOC Is A Sign Of Something That HAPPENED How Do We Refer To Things Yet-To-Be? Time & Events
- 22. © Huntress Labs. All rights reserved Time & Events 22 An Overview Of Indicators Indicators Sourced OUTSIDE Of Or PRIOR TO An Event Cannot Be Indicators Of (Known) Compromise - So What Are These???
- 23. © Huntress Labs. All rights reserved Time & Events 23 An Overview Of Indicators Indicators Sourced OUTSIDE Of Or PRIOR TO An Event Cannot Be Indicators Of (Known) Compromise - So What Are These??? No (Good) Answers - Yet?
- 24. © Huntress Labs. All rights reserved Indicators In Reality 24 An Overview Of Indicators Lack Of Context ● Indicators Are Frequently Shared Absent Context! ● Minimal Enrichment & Metadata Provided To Disposition & Determine! ● Indicators Are Effectively “Raw Data”
- 25. © Huntress Labs. All rights reserved Indicators In Reality 25 An Overview Of Indicators Lack Of Context ● Indicators Are Frequently Shared Absent Context! ● Minimal Enrichment & Metadata Provided To Disposition & Determine! ● Indicators Are Effectively “Raw Data” Limited Scope ● “Indicators” Are Provided “As Is” ● Difficult To Extrapolate From Single Technical Artifact To Something More ● Purpose, Function, & Creation Observations Are Not Considered
- 26. © Huntress Labs. All rights reserved Indicators In Reality 26 An Overview Of Indicators
- 27. © Huntress Labs. All rights reserved Indicators In Reality 27 An Overview Of Indicators
- 28. © Huntress Labs. All rights reserved Indicators In Reality 28 An Overview Of Indicators Indicators Have Effectively Become Equivalent With Raw Data - Sense Of Context & Enrichment Is Lost Or Ignored
- 29. © Huntress Labs. All rights reserved Indicators & Adversary Operations 29 An Overview Of Indicators
- 30. © Huntress Labs. All rights reserved Indicators & Adversary Operations 30 An Overview Of Indicators Technical Indicators Are SPECIFIC IDENTIFIERS
- 31. © Huntress Labs. All rights reserved Indicators & Adversary Operations 31 An Overview Of Indicators Technical Indicators Are SPECIFIC IDENTIFIERS PARTICULAR Example Of A GENERAL Behavior
- 32. © Huntress Labs. All rights reserved Indicators & Adversary Operations 32 An Overview Of Indicators Technical Indicators Are SPECIFIC IDENTIFIERS PARTICULAR Example Of A GENERAL Behavior Focus On Indicators Ignores What Gave Them Birth
- 34. © Huntress Labs. All rights reserved Isn’t This All Nitpicking? 34 A Digression On Language
- 35. © Huntress Labs. All rights reserved But… 35 A Digression On Language
- 36. © Huntress Labs. All rights reserved The Importance Of Accurate Language 36 A Digression On Language
- 37. © Huntress Labs. All rights reserved The Importance Of Accurate Language 37 A Digression On Language Language Defines How We Communicate & Understand Concepts
- 38. © Huntress Labs. All rights reserved The Importance Of Accurate Language 38 A Digression On Language Language Defines How We Communicate & Understand Concepts Accurate Language & Its Use Facilitates Follow-On Action & Comprehension
- 39. © Huntress Labs. All rights reserved The Importance Of Accurate Language 39 A Digression On Language Language Defines How We Communicate & Understand Concepts Accurate Language & Its Use Facilitates Follow-On Action & Comprehension We Need To Critically Examine How We Describe Matters For Accuracy!
- 40. © Huntress Labs. All rights reserved Outcomes Of Indifferent Language 40 A Digression On Language
- 41. © Huntress Labs. All rights reserved Outcomes Of Indifferent Language 41 A Digression On Language Overlapping Meanings & Purposes As Terms Collide
- 42. © Huntress Labs. All rights reserved Outcomes Of Indifferent Language 42 A Digression On Language Overlapping Meanings & Purposes As Terms Collide Inhibits Understanding, Engenders Confusion, & Leads To Poor Outcomes
- 43. © Huntress Labs. All rights reserved Outcomes Of Indifferent Language 43 A Digression On Language Overlapping Meanings & Purposes As Terms Collide Inhibits Understanding, Engenders Confusion, & Leads To Poor Outcomes Improper, Inaccurate Language Use Results In Suboptimal Results!
- 44. © Huntress Labs. All rights reserved Defining “Indicator” 44 A Digression On Language The Word “Indicator” & Its Relatives May Appear Inconsequential Save For Their Use - But Being “Loose” With Details & Explanations Can Be Dangerous!
- 45. © Huntress Labs. All rights reserved Dangers Of Loose Language 45 A Digression On Language Interpreting Common Items As Specific To A Threat Falsely Identifying Unique Characteristics Mis-Applying Intelligence Items To Defense Defending On Lagging Characteristics Over Confidence Based On Specific Observations
- 46. © Huntress Labs. All rights reserved “Death Of The Indicator” 46 A Digression On Language
- 47. © Huntress Labs. All rights reserved “Death Of The Indicator” 47 A Digression On Language
- 48. © Huntress Labs. All rights reserved “Death Of The Indicator” 48 A Digression On Language
- 49. © Huntress Labs. All rights reserved “Death Of The Indicator” 49 A Digression On Language
- 50. © Huntress Labs. All rights reserved “Death Of The Indicator” 50 A Digression On Language “Indicator” Has Become A “Bad Word” In Infosec & CTI - But Maybe That’s Because We’ve Played Fast-And-Loose With The IDEA Of An Indicator
- 52. © Huntress Labs. All rights reserved What Is An Indicator? 52 Reimagining Indicators & Observations
- 53. © Huntress Labs. All rights reserved What Is An Indicator? 53 Reimagining Indicators & Observations Indicator
- 54. © Huntress Labs. All rights reserved What Is An Indicator? 54 Reimagining Indicators & Observations Indicator Technical Observable Artifact Of Compromise Behavioral Artifact
- 55. © Huntress Labs. All rights reserved What Is An Indicator? 55 Reimagining Indicators & Observations Indicator Technical Observable Artifact Of Compromise Behavioral Artifact Communication Object Forensic Item Intelligence Observable
- 56. © Huntress Labs. All rights reserved One Indicator, Many Meanings 56 Reimagining Indicators & Observations
- 57. © Huntress Labs. All rights reserved One Indicator, Many Meanings 57 Reimagining Indicators & Observations Indicators Have MANY Applications
- 58. © Huntress Labs. All rights reserved One Indicator, Many Meanings 58 Reimagining Indicators & Observations Indicators Have MANY Applications Multiple Applications Lead To Multiple Views
- 59. © Huntress Labs. All rights reserved One Indicator, Many Meanings 59 Reimagining Indicators & Observations Indicators Have MANY Applications Multiple Applications Lead To Multiple Views Application-Centric Understanding Is Necessary!
- 60. © Huntress Labs. All rights reserved Indicators Pre- & Post-Action 60 Reimagining Indicators & Observations
- 61. © Huntress Labs. All rights reserved Indicators Pre- & Post-Action 61 Reimagining Indicators & Observations Indicators As Technical Observations Of An Action Or Event
- 62. © Huntress Labs. All rights reserved Indicators Pre- & Post-Action 62 Reimagining Indicators & Observations Origins Of The Technical Observation & Its Behavior Indicators As Technical Observations Of An Action Or Event Applications Of The Indicator & Its Use
- 63. © Huntress Labs. All rights reserved Indicators Pre- & Post-Action 63 Reimagining Indicators & Observations POST Observation Indicators Diversify Into Their Applications & Use. PRE Observation Characteristics Enable Researchers To Identify Trends & Tendencies!
- 64. © Huntress Labs. All rights reserved Creating Indicators, Revisited 64 Reimagining Indicators & Observations Data Observation Indicator
- 65. © Huntress Labs. All rights reserved Creating Indicators, Revisited 65 Reimagining Indicators & Observations
- 66. © Huntress Labs. All rights reserved Creating Indicators, Revisited 66 Reimagining Indicators & Observations Collection & Telemetry Provides Data
- 67. © Huntress Labs. All rights reserved Creating Indicators, Revisited 67 Reimagining Indicators & Observations Collection & Telemetry Provides Data Data Is Refined Into Observations That Can Relate To Activity Of Interest
- 68. © Huntress Labs. All rights reserved Creating Indicators, Revisited 68 Reimagining Indicators & Observations Collection & Telemetry Provides Data Data Is Refined Into Observations That Can Relate To Activity Of Interest Analysis Of Observations & Incidents Ties These To Activity - Producing Indicators
- 69. © Huntress Labs. All rights reserved INDICATORS!!! 69 Reimagining Indicators & Observations Indicators Are A Sign That “Something” Has Taken Place - POST Observations Inform WHY Those Actions Occurred - PRE Observations Tell Us HOW. The Key To Cracking Indicators Is Breaking Them Apart To Reveal More About HOW.
- 70. © Huntress Labs. All rights reserved Indicators & Components 70 Reimagining Indicators & Observations Malicious File Object File Hash ITW Name Compile Info Strings Functions & Actions Meta- Data
- 71. © Huntress Labs. All rights reserved Indicators & Components 71 Reimagining Indicators & Observations Network Indicator Registrar TLD Or Naming Hosting Provider Name Servers SSL/TLS Info Hosting Geo
- 72. © Huntress Labs. All rights reserved Indicators As Composite Objects 72 Reimagining Indicators & Observations
- 73. © Huntress Labs. All rights reserved Indicators As Composite Objects 73 Reimagining Indicators & Observations Understanding Components Reveals Indicator Complexity!
- 74. © Huntress Labs. All rights reserved Indicators As Composite Objects 74 Reimagining Indicators & Observations Understanding Components Reveals Indicator Complexity! Composite Nature Of Indicators Reveals Underlying Behaviors!
- 75. © Huntress Labs. All rights reserved Indicators As Composite Objects 75 Reimagining Indicators & Observations Understanding Components Reveals Indicator Complexity! Composite Nature Of Indicators Reveals Underlying Behaviors! Enables Intelligence & Forward-Looking Action!
- 76. © Huntress Labs. All rights reserved Indicators As Composite Objects 76 Reimagining Indicators & Observations
- 77. Conclusions
- 78. © Huntress Labs. All rights reserved Where Are We Now? 78 Conclusions The Idea Of An “Indicator” Is A Surprisingly Complex Topic! Understanding WHAT They Are And HOW They Are Created Is Vital!
- 79. © Huntress Labs. All rights reserved Clarity In Language & Vision 79 Conclusions
- 80. © Huntress Labs. All rights reserved Clarity In Language & Vision 80 Conclusions Analysts Must Understand WHAT They’re Communicating & WHY
- 81. © Huntress Labs. All rights reserved Clarity In Language & Vision 81 Conclusions Analysts Must Understand WHAT They’re Communicating & WHY Clarity In Communication SHOULD Lead To Clearer Results & Action
- 82. © Huntress Labs. All rights reserved Clarity In Language & Vision 82 Conclusions Analysts Must Understand WHAT They’re Communicating & WHY Clarity In Communication SHOULD Lead To Clearer Results & Action Focus On What We KNOW & How To Communicate It To Others!
- 83. © Huntress Labs. All rights reserved Toward A Recognized Ontology 83 Conclusions Discipline Around “Indicator,” “Observable,” “Data,” “IOC,” & Similar May Seem Pedantic. But With Controlled Statements & Understanding We Can Achieve Clearer, More Accurate Communication - And Follow-On Action!
- 85. © Huntress Labs. All rights reserved Selected Resources 85 ● Analyzing Network Infrastructure As Composite Objects, Joe Slowik (https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-o bjects/) ● Open IOC: Back To The Basics, Will Gibb & Devon Kerr (https://www.mandiant.com/resources/blog/openioc-basics) ● Misunderstanding Indicators Of Compromise, Dave Dittrich & Katherine Carpenter (https://threatpost.com/misunderstanding-indicators-of-compromise/117560/) ● Formulating A Robust Pivoting Methodology, Joe Slowik (https://www.domaintools.com/wp-content/uploads/formulating-a-robust-pivoting-methodology.p df) ● Thrunting Grounds, Amitai Cohen (https://amitaico.substack.com/p/thrunting-grounds)
- 86. © Huntress Labs. All rights reserved Slides! 86