With ransomware and cyber-attack chaos these days, we find ourselves focusing on the rapid appearance of new and upcoming threats. Every day brings new threats, new attack headlines, and new worries. But it is important to keep in mind that alongside so many new attacks come just as many researchers and organizations whose goal is to collect and update as much information as possible about these threats. Security service providers, researchers, and security communities collect and publish a plethora of updated, actionable threat intelligence at any given moment. The big question is how to make all that extremely useful (yet extremely scattered) intelligence actionable, and how to integrate it automatically into your security solutions and devices.
Most cybercriminal infrastructure is built on “less-legitimate” areas of the internet: IPs that are already hosting other malware and that often host few legitimate websites (if any). These IPs are known to be bad, and threat intelligence platforms and providers are constantly publishing and updating their “bad IP” lists. In addition, most victims, statistically, are not going to be among the first infected by a new strain of malware or a new attack vector. The chance of your being one of the first hundred, thousand, or even ten thousand victims of a new attack is often quite small, while many attacks reach hundreds and even millions of victims. So what happens between the moment the first victim is attacked and the moment the malware tries to infect your device?
Once the attack information becomes known – it becomes threat intelligence.
Using IOCs to Block Threats
An indicator of compromise (IOC) is a piece of forensic data that indicates potentially malicious activity on a host system or network. IOCs such as IP addresses, domains, MD5 hashes, or filenames give important insight into the type of attack and its impact on the system. Moreover, indicators that can be fed into security devices and systems such as firewalls provide actionable protection from known threats: IPs can be used in classic firewalls, and domains can be blocked via a DNS firewall. Once an indicator of compromise becomes known and has been analyzed by a threat intelligence provider, the provider will usually determine its type, reputation, and confidence level, and then add it to a relevant reputation-based blocklist. The internet is scattered with hundreds of threat intelligence sources, each with its own focus, format, and false-positive rate. Using a solution that aggregates these blocklists and continuously pushes updates into your network or endpoint security lets you block attacks right as they are happening.
Blocking Threats - Both Ways
When we imagine malware being blocked, we usually picture a malicious file trying to install itself onto our computer, only to be barred from entry by our firewall. What is less commonly imagined is blocking malware that has already infiltrated a system. While inbound threat blocking using updated, quality IOCs is a great first line of protection that drastically reduces the chance of being infected, no security solution can block every single piece of malware and every attack. Even if malware has successfully evaded detection and made its way into your network, there is still a way to keep it from unleashing its damage. Most malware operations rely on C2 (Command and Control) servers to do just what the name suggests: send commands to the malware so that it knows what to do once it has successfully installed itself, and control its actions and the information it sends back to the servers. The C2 servers are the brain behind the operation, and they act as the data collectors. Therefore, malware that cannot reach its C2 servers will not run as intended and will not be able to exfiltrate. Blocking outbound malicious traffic, such as connections to the IP of a known malicious C2 server, will stop most malware from carrying out the attackers’ plans even if it has already infected your device. In addition, outbound blocking can help you uncover attacks or suspicious communications originating inside your network, since an internal host contacting a known C2 address is itself a strong signal of compromise. That is why it is extremely important to block malicious IOCs both ways: inbound and outbound.
So if you’re even slightly convinced by this point that using threat intelligence sources to block malicious IOCs is a good idea, you can find our recommendations on how to do so below.
To successfully implement proactive threat blocking using IOCs, make sure that your intelligence-based security solution does the following:
- Aggregates and analyzes various high-quality threat intelligence sources, to create comprehensive protection from all types of attacks.
- Automates threat blocking by continuously enriching and pushing IOC blocklists to your security devices.
- Blocks both inbound and outbound suspicious activity.
- Uses parameters such as confidence levels and tailored whitelists to fine-tune each blocklist and minimize false positives.
- Offers policy customization so you can see and choose which types of activity you want to block.
- Updates blocklists quickly on the endpoint devices.
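As an added illustration of the checklist above (example code written for this page, not from the original article or any vendor product): a small Python pipeline that normalises two constructed feeds with different formats and confidence scales, merges them, applies a confidence floor and a tailored allowlist, and then applies the resulting list to constructed inbound and outbound connection events. The feed formats, indicator values, scores, and event data are all constructed for the example.

```python
import csv, io
from dataclasses import dataclass

# Constructed sample feeds (not real intelligence); each provider has its own format and scale.
FEED_A_CSV = """indicator,type,confidence
203.0.113.10,ip,95
198.51.100.7,ip,40
evil-updates.example,domain,90
cdn.example,domain,85
"""
FEED_B_JSON = [
    {"value": "203.0.113.10", "kind": "ipv4", "score": 0.8},
    {"value": "bad-login.example", "kind": "hostname", "score": 0.7},
]

@dataclass
class Indicator:
    value: str
    kind: str        # normalised to "ip" (classic firewall) or "domain" (DNS firewall)
    confidence: int  # normalised to a 0-100 scale
    source: str

def parse_feed_a(text):
    """Provider A: CSV rows already scored 0-100."""
    return [Indicator(r["indicator"], r["type"], int(r["confidence"]), "A")
            for r in csv.DictReader(io.StringIO(text))]

def parse_feed_b(records):
    """Provider B: JSON records scored 0.0-1.0, using its own type names."""
    kinds = {"ipv4": "ip", "hostname": "domain"}
    return [Indicator(r["value"], kinds[r["kind"]], round(r["score"] * 100), "B") for r in records]

def build_blocklist(indicators, min_confidence, allowlist):
    """Merge per indicator (max confidence, sources counted); drop entries under the floor or allowlisted."""
    merged = {}
    for ioc in indicators:
        entry = merged.setdefault(ioc.value, {"kind": ioc.kind, "confidence": 0, "sources": set()})
        entry["confidence"] = max(entry["confidence"], ioc.confidence)
        entry["sources"].add(ioc.source)
    return {v: e for v, e in merged.items() if e["confidence"] >= min_confidence and v not in allowlist}

def evaluate(blocklist, direction, peer):  # block both ways; an outbound hit also flags a likely infected host
    if peer not in blocklist:
        return "allow"
    return "block" if direction == "inbound" else "block+alert-possible-compromise"

def demo():  # run the pipeline over constructed connection events of (direction, remote peer)
    iocs = parse_feed_a(FEED_A_CSV) + parse_feed_b(FEED_B_JSON)
    blocklist = build_blocklist(iocs, min_confidence=60, allowlist={"cdn.example"})
    events = [("inbound", "198.51.100.7"), ("inbound", "cdn.example"), ("inbound", "evil-updates.example"),
              ("outbound", "203.0.113.10"), ("outbound", "bad-login.example")]
    return {f"{d}:{p}": evaluate(blocklist, d, p) for d, p in events}
```

The low-confidence scanner IP and the allowlisted CDN domain pass, while the corroborated C2 address is blocked outbound and raises an alert that the internal host is probably already infected.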