ThreatSTOP security analysts work around the clock to ensure our threat intelligence includes the most relevant and critical indicators of compromise (IOCs). Their analysis and research ensure ThreatSTOP blocks these IOCs and, by extension, protects customers from the vast spectrum of cyber threats and related infrastructure. We've asked our analysts to share their favorite free analysis tools for every step of the threat analysis journey, as well as tips and analysis use cases on infamous malware variants. You can view all this awesome info in our Open Source Analysis Tools Infographic, or below in our more extensive blog series.
The first step in our IOC analysis journey is understanding IOCs in the first place - what they are, how to analyze them, and why everyone should be using them to block known threats. These pieces of data, oftentimes posted online for free on community platforms, are invaluable in making sure threats do not infiltrate your network at all. And even if they do - blocking traffic to C2 server IOCs will make sure that data exfiltration malware or ransomware on your machine can't send your sensitive data back home to the attackers.
Next, our analysts recommend their favorite threat exchanges for IOC sharing. These community platforms allow researchers to post and find IOCs as they run into them in the wild, or find out about them on cybersecurity forums. That way, the community is constantly up to date with the latest suspicious and malicious IOCs. While these exchanges are a security analyst's goldmine, not enough analysts use them to collect valuable IOCs for analysis and actionable protection.
After you have found some neat, valuable IOCs on these platforms, you should go ahead and analyze the threat infrastructure. Is the domain you have found malicious from the get-go, or is it a legitimate website that has been compromised? Is your newly found IP hosting any important domains that you do not want to block? Before confirming the IOC should be blocked, decide how long it should be blocked based on its nature, severity and risk levels.
So you've uncovered some shiny new IOCs that should definitely be blocked from communicating with your network? Congratulations! But one cool next step could bring much more value to your analysis - enrichment using analysis tools. While threat exchange posts and news articles offer a very good starting point for threat infrastructure protection, sometimes there are parts of the infrastructure that remain undiscovered. Using enrichment techniques, analysts can discover hidden parts of cyber attackers' threat infrastructure to further widen protection coverage from these threats. This can be as simple as starting out with one malicious IP and finding others in the same address space that also show malicious activity, or a more advanced domain relations analysis to find common registration and syntax patterns, adding additional new malicious domains to your blocklist.
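As an added illustration of the two steps above (triaging an IOC for collateral damage and block duration, then enriching it by address space and by shared domain registration or syntax patterns), here is a small Python sketch. It is example code written for this post, not ThreatSTOP's own tooling; the feed entries, the passive-DNS mapping, the allowlist and the block-duration policy are all constructed for the example.

```python
"""Added example (not ThreatSTOP code): triage a seed IOC for collateral damage,
assign a block duration, then enrich by address space and by shared domain
registration and syntax patterns. All feed data below is constructed."""
import ipaddress
import re
from collections import namedtuple

IOC = namedtuple("IOC", "value kind severity registrant")
# Constructed threat-exchange feed entries
FEED = [
    IOC("203.0.113.17", "ip", "high", None),
    IOC("203.0.113.44", "ip", "medium", None),
    IOC("198.51.100.9", "ip", "low", None),
    IOC("evil-login-update.example", "domain", "high", "reg@example.net"),
    IOC("secure-pay-verify.example", "domain", "medium", "reg@example.net"),
    IOC("news.example", "domain", "low", "other@example.org"),
]
# Constructed passive-DNS view (IP -> domains resolving to it) and the domains
# the organisation must keep reachable
HOSTED = {"203.0.113.44": ["shop.example", "secure-pay-verify.example"]}
ALLOWLIST = {"shop.example"}
BLOCK_DAYS = {"high": 90, "medium": 30, "low": 7}  # assumed policy, in days
KEYWORD_PATTERN = re.compile(r"^[a-z]+(-[a-z]+){2,}\.")  # e.g. evil-login-update.

def triage(ioc):
    """Block duration for an IOC, or None when the IP also hosts an allowlisted
    domain (shared infrastructure: send to review instead of blocking)."""
    if ioc.kind == "ip" and ALLOWLIST & set(HOSTED.get(ioc.value, [])):
        return None
    return BLOCK_DAYS[ioc.severity]

def neighbours(seed_ip, prefix=24):
    """Other feed IPs inside the seed's /prefix (address-space enrichment)."""
    net = ipaddress.ip_network(f"{seed_ip}/{prefix}", strict=False)
    return sorted(i.value for i in FEED if i.kind == "ip"
                  and i.value != seed_ip and ipaddress.ip_address(i.value) in net)

def related_domains(seed):
    """Feed domains sharing the seed's registrant or its hyphenated-keyword syntax."""
    reg = next(i.registrant for i in FEED if i.value == seed)
    return sorted(i.value for i in FEED if i.kind == "domain" and i.value != seed
                  and (i.registrant == reg or KEYWORD_PATTERN.match(i.value)))

def expand_blocklist(seed):
    """Map every enriched indicator to its block duration (None = needs review)."""
    by_value = {i.value: i for i in FEED}
    enriched = neighbours(seed) if by_value[seed].kind == "ip" else related_domains(seed)
    return {v: triage(by_value[v]) for v in [seed, *enriched]}
```

Starting from the high-severity IP, the sketch pulls in its /24 neighbour but marks it for review because the neighbour also hosts an allowlisted domain; starting from the high-severity domain, it adds the second domain registered with the same contact.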
Want to see which tools our analysts recommend for every step of this process? Check out ThreatSTOP's Free Open Source Analysis Tools, Tips and Use Cases blog series:
Part 1: Why Use IOCs?
Part 2: Threat Exchanges & IOC Sharing
Part 3: Analyzing Threat Infrastructure
Part 5: Emotet Banking Trojan Use Case
Part 7: APT10 Use Case
Prefer quick, one-page access to all of this awesome information? Check out our infographic.
Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?