Introduction
OpenIOC establishes a standard for recording, defining and sharing threat information, both internally and externally, in a machine-readable format [1].
OpenIOC allows a forensic investigator to describe Indicators of Compromise (IOCs) in a standardized format that other investigators, and their tools, can interpret consistently. IOCs are artifacts of an intrusion that can be identified on a host or on the network, such as file hashes, file and process names, registry keys, IP addresses and domain names.
OpenIOC specifies a base format and is extensible to accommodate different types of IOC, or "indicators". Mandiant currently supports over 500 indicator terms [5] that can be gathered across an enterprise, and new terms can be defined and added as needed.
Querying
OpenIOC supports simple and advanced queries on IOCs, for example:
- looking for a specific file hash;
- a specific entry in memory or in the Windows Registry;
- queries that apply across a family of malware, a set of authors or an exploit, rather than a single sample;
- whitelists, so that investigators or collectors can compare observed artifacts against known-good values and flag the outliers;
- any logical combination of the above (indicators are nested under AND/OR operators).
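The queries above all reduce to evaluating a tree of indicator terms, joined by AND/OR, against what was collected from a host. The following Python is an added example, not code from this page, from Mandiant or from the OpenIOC project: it parses an OpenIOC 1.0 document and evaluates it against a host snapshot, including the whitelist step. The XML namespace and the term names (FileItem/Md5sum, ProcessItem/name, RegistryItem/Path) are genuine OpenIOC 1.0; the IOC id, the hash, the process name, the registry path and both host snapshots are constructed for illustration and describe no real malware.

```python
"""Evaluate an OpenIOC 1.0 document against artifacts collected from a host.

Added example, not code from the page or from Mandiant/OpenIOC.  The XML
namespace and the term names (FileItem/Md5sum, ProcessItem/name,
RegistryItem/Path) are genuine OpenIOC 1.0; the IOC id, hash, process name
and registry path below are constructed and describe no real malware.
"""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed IOC.  Logic: match if a known-bad MD5 is present on disk, OR
# if BOTH a suspicious process name AND its Run-key persistence are present.
SAMPLE_IOC = r"""<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-4000-8000-000000000001" last-modified="2024-01-01T00:00:00">
  <short_description>Constructed example (not a real indicator)</short_description>
  <authored_by>example</authored_by>
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="ii1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i2">
        <IndicatorItem id="ii2" condition="is">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">evilsvc.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="ii3" condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">CurrentVersion\Run\evilsvc</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""


def _item_matches(item, host):
    """One IndicatorItem: compare its Content to the host's values for the term."""
    condition = item.get("condition", "is")
    if condition not in ("is", "contains"):
        raise ValueError(f"unsupported condition {condition!r}")
    term = item.find("ioc:Context", NS).get("search")
    wanted = (item.find("ioc:Content", NS).text or "").lower()
    for value in host.get(term, []):
        value = value.lower()  # Windows names and paths are case-insensitive
        if condition == "is" and value == wanted:
            return True
        if condition == "contains" and wanted in value:
            return True
    return False


def _evaluate(indicator, host, hits):
    """Recursively evaluate an <Indicator>: AND/OR over its children."""
    results = []
    for child in indicator:
        tag = child.tag.rsplit("}", 1)[-1]  # strip the namespace
        if tag == "IndicatorItem":
            matched = _item_matches(child, host)
            if matched:
                hits.append(child.get("id"))
        elif tag == "Indicator":
            matched = _evaluate(child, host, hits)
        else:
            continue
        results.append(matched)
    if not results:
        return False
    is_and = indicator.get("operator", "OR").upper() == "AND"
    return all(results) if is_and else any(results)


def _apply_whitelist(host, whitelist):
    """Drop artifacts the collector already knows to be benign, per term."""
    filtered = {}
    for term, values in host.items():
        known_good = {v.lower() for v in whitelist.get(term, ())}
        filtered[term] = [v for v in values if v.lower() not in known_good]
    return filtered


def scan(ioc_xml, host, whitelist=None):
    """Return (ioc matched?, ids of IndicatorItems that matched on their own)."""
    root = ET.fromstring(ioc_xml.encode("utf-8"))
    host = _apply_whitelist(host, whitelist or {})
    hits = []
    definition = root.find("ioc:definition", NS)
    results = [_evaluate(ind, host, hits)
               for ind in definition.findall("ioc:Indicator", NS)]
    return any(results), hits


# Constructed host snapshots: observed artifacts keyed by OpenIOC term.
INFECTED_HOST = {
    "FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"],
    "ProcessItem/name": ["explorer.exe", "EvilSvc.exe"],
    "RegistryItem/Path": [r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\evilsvc"],
}
CLEAN_HOST = {
    "FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"],
    "ProcessItem/name": ["explorer.exe", "svchost.exe"],
    "RegistryItem/Path": [r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"],
}

if __name__ == "__main__":
    print(scan(SAMPLE_IOC, INFECTED_HOST))  # (True, ['ii2', 'ii3'])
    print(scan(SAMPLE_IOC, CLEAN_HOST))     # (False, [])
```

The returned item ids are the ones a collector would report back, so that an analyst can see which branch of the indicator fired; the whitelist is applied before evaluation, which is the cheap way to remove the known-good entries that otherwise cause the `contains` terms to fire.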
OpenIOC in Security
The preferred way to use the standard in a security lifecycle is to describe the attack methodology in OpenIOC, placing the emphasis on the commonalities of the attacker's strategy rather than on the individual artifacts of one compromise [1].
A high level description of how OpenIOC fits into a security lifecycle is shown below:
As the figure above shows, IOCs are used to distribute what is known about a compromise (its fingerprints) to other hosts and sensors so that similar activity can be identified there; the indicators are refined over time to reduce false positives.
A good IOC has three main properties:
- It produces few false positives.
- It must not be expensive for the investigator, or for the machine, to evaluate when searching for the fingerprints.
- It must be expensive for the attacker to evade: the attacker should have to change strategy, tools and processes significantly, not merely recompile a binary or rename a file, to get past indicators written for the previous attack methodology.
Example
Below is a screenshot of the IOC for the Zeus botnet [3], as described in OpenIOC using Mandiant's OpenIOC Editor:
Sample IOC for Windows [4]
Resources
[1] OpenIOC white paper, "An Introduction to OpenIOC", http://openioc.org/resources/An_Introduction_to_OpenIOC.pdf
[2] OpenIOC, http://www.openioc.org/
[3] OpenIOC definition for Zeus, http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc
[4] Sample OpenIOC definition for Windows, http://openioc.org/iocs/c32ab7b5-49c8-40cc-8a12-ef5c3ba91311.ioc
[5] Supported indicator terms, http://openioc.org/terms/Current.iocterms