An Indicator of Compromise (IoC) is a network artifact or behavior observed during a cyberattack. IoCs can be IP addresses, domain names, web URLs, and cryptographic hashes that help identify specific files.
When security analysts share IoCs, others can benefit from these findings to protect their networks and build knowledge about threat actors. After all, if you see the same IoC as somebody else, you may have been hit by the same attacker.
IoCs can be shared through threat intelligence feeds integrated into a Malware Information Sharing Platform (MISP). While this is very useful for XDR/EDR solutions, these feeds often lack context about the overall threat. Without appropriate context, an analyst can be almost sure that an artifact is malicious yet find it difficult to explain why.
Fortunately, many IoCs can be found within technical analyses and reports on threat actors or current cyberattacks and campaigns. Polaris, our threat intelligence platform, can collect these IoCs while tracking the campaign, incident, vulnerability, or threat actor they are associated with.
Whenever the IoCs need to be questioned for specific threats, this approach saves countless hours that would otherwise be spent searching for technical reports, finding all the IoCs, removing duplicates, and putting the data in a standard format. In Polaris, you just click the "Copy" button to have all IoCs in your clipboard categorized by type.
AI brings the context that matters for IoCs
Malware Information Sharing Platforms (MISP) help you collect indicators of compromise in a way that is optimal for automated detections. Ideally, your organization should implement tools for Extended Detection and Response (XDR) or Endpoint Detection and Response (EDR). By powering shared IoCs across these technologies, you can improve their capabilities and detect the early signs of an attack.
For IoCs to be useful for threat intelligence, however, they need to be contextualized and sourced.
When facing an incident, an analyst will want to check the observed IoCs to find similar cases. Attribution – that is, identifying the threat actor – is often a challenge. Still, it can be invaluable in deciding which assets need the most attention and discovering an intruder's path in the IT environment.
In this example, having faster access to relevant IoCs will significantly benefit the incident response effort, potentially accelerating the recovery from the incident and avoiding losses incurred by a prolonged disruption caused by the cyberattack.
Since Polaris correlates IoCs to threat actors, news articles, and technical reports, analysts can quickly get to the source of this information to find as many details as they require. The analyst still decides the depth of the research, but Polaris is continuously scanning thousands of sources to update the generated insights.
The data available from an MISP will not include this contextual information, as it is not required for XDR/EDR to detect and block threats. This doesn't mean that these solutions are infallible, of course – attackers don't always reuse the same artifacts for every target, so an EDR solution might only detect a single piece of the puzzle. Looking at the whole picture allows an analyst to discover much more – and an AI-powered data collection and analysis tool will make this much faster.
With AI-powered insights and collected IoCs, investigating the alert from the EDR/XDR tool will be much faster. This will allow a security analyst to quickly understand what type of attack or threat the artifacts are connected to and identify additional pieces of evidence that are not yet known.
Find the IoCs collected by Polaris
A Polaris Insight will indicate how many IoCs were found at the top, right below the summary.
The IoCs themselves are under the "Additional information" section at the bottom, where you can find a "Copy All" button.
If you need the IoCs in your clipboard, you can simply click the little "IoCs" icon below the Insight summary. All the information will be copied to your clipboard and can be pasted anywhere. The same operation can be done for CVEs and MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures).
At the top, Insight indicates the threat actor associated with the cyberattack or campaign. When there are several threat actors, this might mean all of them use the same malware or technique, but the different names can also be aliases of the same group.
At the bottom, you can find a list of all the sources from which the information in the insight and the IoCs were pulled. This allows you to get a head start on your threat intelligence research.
If you need to search for specific IoCs, Polaris has an "Explore" tool and an "IoC:" search operator to find related insights.
By leveraging this data, preparing reports on threats and making data-driven decisions to mitigate risks is much easier. Investigating alerts from the many security solutions that might have been deployed is much faster. We know this has been an ongoing challenge for many security teams, so we built Polaris to speed up these tasks.
If you want to see this in action, you can try Polaris today.
Experts in creating relevant external cybersecurity content to make the internet a safer place.