Three Ways Indicators of Compromise Help SOC Teams
Threat Intelligence plays a major role in the modern Security Operations Center (SOC). Threat data helps analysts detect security incidents earlier, take better-informed actions, and implement security controls that defend against known threats.
Threat Intelligence includes context about threat actors, their intentions and their methods. It also includes Indicators of Compromise (IOCs): IP addresses, domain names, URLs, file hashes and similar artifacts that have been observed in malicious activity. If one of these indicators shows up in your event logs, it is a strong signal that your network may have been compromised and the event deserves investigation. It is not proof on its own: indicators age out as attackers move infrastructure, shared hosting can put benign sites behind a blacklisted address, and a blocked inbound connection from a known scanner is recon, not a compromise. Good IOC handling therefore tracks where an indicator came from, how confident the source is, and when it should expire.
There are three broad categories where IOCs are useful to SOC personnel. The first is detecting threats by matching IOCs against the fields in your logs (source and destination addresses, requested hosts and URLs, file hashes). Important logs include:
- Inbound firewall connections to detect recon activity
- Outbound firewall connections to detect malware calling home to command and control servers
- Web proxy logs to detect malicious sites spreading malware
- Network flow data to detect data exfiltration or unusual activity
The second use of IOCs is to triage and prioritize alerts from "noisy" tools like IDS/IPS, SIEM and UEBA. These security tools have the potential to create a large number of alerts that can overwhelm a SOC without the right processes in place. Our SOC team makes extensive use of threat intelligence to prioritize alerts and investigate potential security incidents before raising the alarm with our security monitoring clients. IOCs help security analysts focus on the most important alerts first: an allowed outbound connection to a known command and control server outranks a blocked inbound probe from a known scanner, even though both are IOC matches.
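The two uses above, detection by matching IOCs against log fields and ranking the resulting hits for the analyst queue, fit naturally in one script. The following is an added example, not code from the original post or from E-SPIN. It assumes a constructed key=value log format with firewall, proxy and flow records, a small in-memory indicator set with per-indicator confidence and expiry dates, and 10.0.0.0/8 as the internal network; all sample events and indicators are constructed for the example. A real deployment would load a feed (MISP, STIX/TAXII, a vendor CSV) and query the SIEM, but the matching and ranking logic is the same.

```python
"""Match IOCs against log lines, then rank the hits for the analyst queue.

Added example; not the original post's or E-SPIN's code. The log format,
indicators, sample events and the internal CIDR are all assumptions.
"""
import ipaddress
from datetime import date

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption
AS_OF = date(2024, 6, 1)  # "today" for expiry checks; fixed so runs are repeatable

# Constructed indicator set. Each entry keeps the threat context the feed gave
# it plus an expiry date: stale indicators (re-assigned IPs, cleaned-up
# domains) are a major source of false positives.
IOCS = {
    "ip": {
        "203.0.113.45": {"tag": "c2", "confidence": 90, "expires": date(2030, 1, 1)},
        "198.51.100.7": {"tag": "scanner", "confidence": 60, "expires": date(2030, 1, 1)},
        "192.0.2.99": {"tag": "c2", "confidence": 80, "expires": date(2020, 1, 1)},  # aged out
    },
    "domain": {
        "update-check.example.net": {"tag": "malware-host", "confidence": 85, "expires": date(2030, 1, 1)},
    },
    "sha256": {
        "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff":
            {"tag": "malware", "confidence": 95, "expires": date(2030, 1, 1)},
    },
}

# Which event field is compared against which indicator type.
FIELD_TO_IOC_TYPE = (("src", "ip"), ("dst", "ip"), ("host", "domain"), ("sha256", "sha256"))

# Constructed sample events: firewall, web proxy and network flow records.
SAMPLE_LOGS = [
    "type=fw action=allow src=10.1.2.3 dst=203.0.113.45 dport=443",        # outbound to C2
    "type=fw action=deny src=198.51.100.7 dst=10.0.0.5 dport=22",           # blocked inbound recon
    "type=fw action=allow src=10.1.2.9 dst=192.0.2.99 dport=8080",          # expired indicator
    "type=proxy src=10.1.2.3 host=update-check.example.net url=/dl/a.exe "
    "sha256=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
    "type=flow src=10.1.2.3 dst=203.0.113.45 bytes_out=734003200",          # bulk transfer to C2
    "type=fw action=allow src=10.1.2.4 dst=203.0.113.10 dport=443",         # benign
]


def parse_event(line):
    """key=value tokens -> dict. Malformed tokens are skipped rather than fatal."""
    event = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            event[key] = value
    return event


def direction(event):
    """Classify traffic relative to INTERNAL_NET; 'unknown' if an address is missing."""
    def is_internal(addr):
        try:
            return ipaddress.ip_address(addr) in INTERNAL_NET
        except ValueError:
            return None
    src, dst = is_internal(event.get("src", "")), is_internal(event.get("dst", ""))
    if src is None or dst is None:
        return "unknown"
    if src and not dst:
        return "outbound"
    if dst and not src:
        return "inbound"
    return "internal" if src else "external"


def match_iocs(event, today):
    """Return (field, value, context) for every non-expired indicator the event touches."""
    hits = []
    for field, kind in FIELD_TO_IOC_TYPE:
        value = event.get(field)
        if value is None:
            continue
        ctx = IOCS[kind].get(value.lower())
        if ctx and ctx["expires"] > today:
            hits.append((field, value, ctx))
    return hits


def priority(event, hits):
    """0-100 score used to order the analyst queue; 0 means no IOC hit."""
    if not hits:
        return 0
    best = max(ctx["confidence"] for _, _, ctx in hits)
    tags = {ctx["tag"] for _, _, ctx in hits}
    allowed = event.get("action", "allow") == "allow"
    # An allowed outbound connection to C2 is the beacon itself: top of the queue.
    if direction(event) == "outbound" and "c2" in tags and allowed:
        return min(100, best + 10)
    # Recon from a known scanner that the firewall already blocked is low value;
    # keep it visible but far down the list.
    if direction(event) == "inbound" and "scanner" in tags and not allowed:
        return best // 2
    return best


def triage(lines, today):
    """Rank log lines by IOC-derived priority, dropping lines with no hit."""
    ranked = []
    for line in lines:
        event = parse_event(line)
        hits = match_iocs(event, today)
        score = priority(event, hits)
        if score:
            ranked.append((score, line, [(f, v, c["tag"]) for f, v, c in hits]))
    ranked.sort(key=lambda r: -r[0])  # stable sort: ties keep log order
    return ranked


if __name__ == "__main__":
    for score, line, hits in triage(SAMPLE_LOGS, AS_OF):
        print(f"{score:3d}  {hits}  {line}")
```

Run as-is and the queue comes out with the two outbound C2 contacts first, the proxy download from the malware host next, and the blocked scanner probe last; the connection to the expired indicator and the benign connection produce no alert at all. The expiry check and the direction-aware scoring are the two pieces that keep an IOC feed from becoming just another noisy tool.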
And finally, IOCs provide a building block for continuous security improvement. Once you find an IOC in your environment, there are a number of sources (both commercial and open-source) that provide additional information on the threat behind it. Understanding the attacker and their modus operandi allows the SOC to take proactive hardening steps, like blocking certain ports and services or updating IDS signatures. For example, suppose a blacklisted IP detected in your logs is associated with a crypto-mining campaign that exploits a deserialization vulnerability in Oracle WebLogic Server. If you run the vulnerable software, now would be a good time to proactively remediate CVE-2017-10271. Blocking the single IP is only a stopgap, since attackers rotate infrastructure; the durable fixes are the patch and a signature for the exploit traffic itself.
Feel free to contact E-SPIN for solutions that reduce the risk to your business and organization. We can secure and protect your business with our range of software security technologies, including indicators of compromise technologies and solutions.