IOC analysis is the process of investigating artifacts gathered from endpoint protection software, IDS, SIEM or the like, often by comparing them against proprietary or community threat intelligence databases, to determine whether they reveal a compromise of systems or networks.
Today, we’re going to see how SecOps teams can automate IOC analysis with Pulsedive. In doing so, we’ll see how we can orchestrate two tools. This is a Flow that can easily be tweaked to be triggered through a chatbot, as we showed with Microsoft Teams, with the results of the analysis collected on Teams as well.
What is IOC analysis?
Indicators of Compromise (IOC) are specific pieces of forensic evidence that can be used to detect and identify compromises, assess their scope, prevent and respond to cyber-attacks on a system or network, and understand the tactics, techniques, and procedures (TTPs) used by an attacker.
There are several types of IOCs: file-based (hash values, file paths, file names and sizes), network-based (IPs, domains, URLs), registry-based (keys, values, data added or modified), and memory-based (strings, patterns, byte sequences).
In short bullet points, IOC analysis enables security professionals to:
- Identify and respond to threats
- Understand the scope of an incident (is the IOC part of a larger attack)
- Determine the methods used by an attacker (where are they on the kill chain, what are their next moves)
- Evaluate the potential impact of an attack
- Develop a remediation plan
- Take appropriate action to contain and mitigate the risk of future attacks
IOC analysis is part of a broader field of analyzing adversary activity that typically spans several kinds of work. First comes the more passive IOC analysis, such as confirming the maliciousness of an artifact flagged in your SIEM through a query to an internal or external threat intelligence platform. Roughly put, it pops up, you confirm it, and you remediate it.
It can also be more active: in threat hunting missions, SecOps teams aggregate newly released IOCs and search their systems and networks for matching artifacts. A new IOC used by an APT is released on your favorite threat intelligence feed; you collect it and start the internal investigation.
Finally, there is the more advanced work on TTPs, where SecOps folks have to think like the attacker to decipher potential weak signals in your systems and networks. This last one is the most challenging, and the one you want your people to focus on, since it is not an easy task to automate: it requires cognition.
All in all, mastering these processes helps SecOps teams respond to threats faster, more effectively, and more efficiently. In the following section, we’ll see how we can dramatically accelerate the process of passive IOC analysis. Soon, we’ll show you how to automate active IOC analysis, i.e., threat hunting, through Mindflow.
Automating IOC analysis through Pulsedive’s API
There are lots of tools on the web for performing IOC analysis. One of the most commonly used is Pulsedive. Querying Pulsedive for the IOCs you find is relatively easy, but since this step can be repeated tens or hundreds of times a day at some companies, it rapidly devours time. Teams are thus looking to automate parts of IOC analysis.
Automating IOC analysis with Pulsedive is a perfect use case. Pulsedive provides three API endpoints (info, explore, analyze) that let users automate the process of IOC analysis by moving data in and out of the platform.
Through Mindflow, users can automate the following steps of IOC analysis by formulating automated requests to the desired APIs:
- Data collection: to keep this Flow nice and short, we trigger it through a submitted form. If you’re using a SIEM or an EDR, this can easily be tweaked by directing notifications to the Flow: fetch the Flow’s webhook and copy/paste it into your notification setup. New alerts will then trigger the Flow, leaving you only the task of specifying which data to extract for analysis.
- Pushing the data to Pulsedive: the extracted data is then pushed to Pulsedive for analysis. If there are multiple IOCs to analyze, you can set up a forEach loop to analyze every submitted IOC (bearing in mind the request limits of your Pulsedive plan).
- If Pulsedive recognizes the submitted artifact as an IOC, the results are pushed directly into the analyst’s mailbox (or back to Teams, Slack, or Google Chat through a bot, as we showed earlier).
- If there are no hits, you can choose to trigger a scan of the artifact and collect the results directly in the analyst’s inbox.
- Everything then arrives in your mailbox or chat software, formatted for easy comprehension, leaving you the choice to initiate remediation.
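The Flow steps above, written out as plain Python rather than as a Mindflow Flow (an added example, not Mindflow’s or Pulsedive’s own code). The endpoint paths and the `indicator`, `value` and `probe` parameters are assumed from Pulsedive’s public API documentation; the responses in `FAKE_INFO` and `fake_post` are constructed so the example runs offline.

```python
"""Passive IOC triage: look an artifact up in Pulsedive, notify on a hit, queue a scan on a miss."""
import json
import urllib.parse
import urllib.request

PULSEDIVE_INFO = "https://pulsedive.com/api/info.php"        # assumed from Pulsedive API docs
PULSEDIVE_ANALYZE = "https://pulsedive.com/api/analyze.php"  # assumed from Pulsedive API docs


def http_get(url, params):
    """Real transport for the info endpoint: GET with query parameters, parsed JSON back."""
    with urllib.request.urlopen(f"{url}?{urllib.parse.urlencode(params)}") as resp:
        return json.load(resp)


def http_post(url, data):
    """Real transport for the analyze endpoint: form-encoded POST, parsed JSON back."""
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)


def triage_indicator(indicator, api_key, get=http_get, post=http_post):
    """One Flow run for a single artifact. On a hit, return what goes to the analyst's inbox;
    on a miss, submit the artifact for a scan and return the queue id to poll later."""
    info = get(PULSEDIVE_INFO, {"indicator": indicator, "key": api_key})
    if "error" not in info:  # hit: Pulsedive already knows this indicator
        return {"indicator": indicator, "action": "notify", "risk": info.get("risk"),
                "threats": [t["name"] for t in info.get("threats", [])]}
    # miss: trigger an on-demand scan (probe=1 asks Pulsedive to actively fetch the artifact)
    queued = post(PULSEDIVE_ANALYZE, {"value": indicator, "probe": "1", "key": api_key})
    return {"indicator": indicator, "action": "scan_queued", "qid": queued.get("qid")}


def triage_batch(indicators, api_key, get=http_get, post=http_post):
    """The forEach step: triage every submitted artifact in order (mind your plan's rate limit)."""
    return [triage_indicator(i, api_key, get, post) for i in indicators]


# Constructed stand-ins for the Pulsedive API so the logic can be exercised offline.
FAKE_INFO = {"198.51.100.7": {"indicator": "198.51.100.7", "risk": "high",
                              "threats": [{"name": "Example Botnet"}]}}


def fake_get(url, params):
    return FAKE_INFO.get(params["indicator"], {"error": "Indicator not found."})


def fake_post(url, data):
    return {"qid": 12345, "success": "Added indicator to queue."}


if __name__ == "__main__":
    for row in triage_batch(["198.51.100.7", "example.org"], "API_KEY", fake_get, fake_post):
        print(row)
```

Swap `fake_get`/`fake_post` for the default transports and a real API key to run it against Pulsedive; the returned dicts are what the Flow would format into the mail or chat message.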