Indicators of Compromise (IOC) in IT risk management
When we talk about risk management, prevention is the best strategy for avoiding an impact on our assets. But prevention is a broad concept that covers several mechanisms which, depending on the circumstances, could increase the organization's costs unnecessarily and ineffectively.

Investing resources disproportionately in an attempt to cover all of a company's assets will only generate inefficient and possibly duplicated processes, with a pointless consumption of personnel, financial and time resources.

For example, it is not the first time that poorly advised organizations have invested in state-of-the-art equipment that was neither well configured nor kept up to date, or have delegated security tasks to low-skilled personnel, with the consequent increase in risk.

Therefore, a risk management process that is executed incorrectly can make the mistake of implementing totally unnecessary controls, or can unbalance the effectiveness of those that must be implemented, with the consequent increase in the cost of maintaining them.

How, then, can we prevent without incurring disproportionate expense while achieving the greatest possible effectiveness? Obviously there is no magic recipe. But if the scope and critical functions of the business are well defined; if qualified advice or personnel are available; if controls are designed on the basis of a risk analysis that follows a proven methodology; and if a process is implemented to monitor the risks and evaluate the controls, confirming that they are really effective, then the residual risk is reduced considerably and the potential impact on the organization can be confined to a fairly well delimited zone of control.

Indicators of Compromise (IOC)

A prevention mechanism that is highly effective, and whose cost is very acceptable for any organization, is the use of Indicators of Compromise (IOC).

It is a standardized method, based mainly on metalanguages, whose main purpose is the early identification and detection of security threats.

The effectiveness of indicators of compromise lies in the fact that the information they contain can be updated at any time, and can be shared and exchanged very simply with any interested person or group, such as those dedicated to managing security incidents.

An Indicator of Compromise describes anything from malicious activity (including the elements that take part in it) to a security incident, through behaviour patterns and characteristics that can be parameterized and categorized.

The information contained in IOCs allows the behaviour of an analyzed incident to be shared, from the moment it is located until its last update. As many variables and properties as we consider necessary for its description can be included through attributes.

We are therefore dealing with an element that allows us to detect and identify threats to the security of any organization's assets in advance.

It is at this point that the security professional, and especially those dedicated to risk management, acquires an essential role, since they will be responsible for preparing both the incident prevention plans and the strengthening of the security systems. To do this, they must understand the information flows of the critical business processes and the relevant stakeholders involved, thereby identifying the assets to protect.

It is no longer a question of processing information in one format or another based on predefined variables and updating it as the incident changes or evolves; now it is a question of how to interpret the threat and the possible scope it could have in the organization, while also considering the dependencies between systems, business processes and critical information, and the context in which a possible impact could occur. It is time to anticipate and propose possible solutions to business managers. Thanks to the detailed analysis of these indicators and the correct interpretation of risk by professionals, the presence of a potential threat has more than once been detected in internal and trusted environments. This has made it possible to apply the necessary preventive measures to reduce the risk to a more than acceptable level.

In summary, sharing information through these indicators, in coordination with all the interested areas of a corporation, is an effective prevention method: it generates early alerts that help to proactively guarantee the detection and management of incidents, reinforcing the security levels of critical assets against existing threats.

Main Indicators of Compromise (IOC)

There are a large number of Indicators of Compromise. Some describe unusual activity in a system or on a network; others may be based on evidence obtained from compromised computers. As examples, we can consider modifications to applications or to registry entries, services or new processes, etc.

Among the most frequently highlighted are the unusual use of ports by applications, the detection of irregular traffic, a high number of access requests to the same asset, an unjustified increase in database queries, or anomalous activity in privileged user accounts. There are more specific ones that require a much more technical profile to process, such as the different virus signatures, lists of hashes associated with malware, sets of IP addresses detected in targeted attacks and in botnet or ransomware cases, and the domain names or URLs of command and control servers.

Implementation of IOCs

Today, several standardized systems for exchanging Indicators of Compromise coexist. Almost all make use of the XML metalanguage, containing the parameters that define a possible compromise and the value assigned to its probability of occurrence.

Among the best known are:

  • OpenIOC (Open Indicators of Compromise)
  • OASIS Cyber Threat Intelligence (CTI)
  • CybOX (Cyber Observable eXpression)
  • MAEC (Malware Attribute Enumeration and Characterization)
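As an added example, not code from the article or from any of the projects named above, the following Python snippet parses a constructed OpenIOC-style XML document (the namespace and FileItem/DnsEntryItem/PortItem search paths follow the OpenIOC 1.0 layout) and evaluates its nested AND/OR logic against a set of host observations, covering the hash and domain-name indicator types mentioned earlier. The hash, host name and port values are placeholders chosen for illustration only.

```python
import xml.etree.ElementTree as ET
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample in the style of an OpenIOC 1.0 document, not a published indicator:
# a file hash OR'd with a network sub-indicator that ANDs a host name and a port (placeholders).
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="i1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="net">
        <IndicatorItem id="i2" condition="contains">
          <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
          <Content type="string">example.invalid</Content>
        </IndicatorItem>
        <IndicatorItem id="i3" condition="is">
          <Context document="PortItem" search="PortItem/remotePort" type="mir"/>
          <Content type="int">4444</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def item_matches(item, observed):
    """Evaluate one IndicatorItem against host observations keyed by the Context search path."""
    search = item.find("ioc:Context", NS).get("search")
    content = item.find("ioc:Content", NS).text.strip().lower()
    values = [v.lower() for v in observed.get(search, [])]  # case-insensitive comparison
    condition = item.get("condition")
    if condition == "is":
        return content in values
    if condition == "contains":
        return any(content in v for v in values)
    raise ValueError(f"unsupported condition: {condition}")  # fail loudly rather than silently miss

def indicator_matches(indicator, observed):
    """Recursively combine child results with the node's AND/OR operator."""
    results = [item_matches(c, observed) if c.tag.endswith("}IndicatorItem")
               else indicator_matches(c, observed) for c in indicator
               if c.tag.endswith(("}IndicatorItem", "}Indicator"))]
    combine = all if indicator.get("operator", "OR").upper() == "AND" else any
    return bool(results) and combine(results)  # an empty AND node must not match

def evaluate_ioc(xml_text, observed):
    """True when the observations satisfy the IOC's top-level Indicator."""
    root = ET.fromstring(xml_text)
    return indicator_matches(root.find("ioc:definition/ioc:Indicator", NS), observed)
```

Observations are passed as a dictionary from search path to the list of values collected on the host, so the same evaluator can be fed from a file-hash inventory, DNS cache or connection table.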

There are also IOC repositories such as IOC Bucket or OpenIOC DB: free platforms where indicators and relevant information about threats can be found, shared by a wide community of users with the sole purpose of putting them to the best use for the protection of our systems.

For deployment, there are platforms such as MISP or MANTIS that handle the collection, storage and distribution of security indicators.

Conclusion

Prevention as a protection element, through IOCs, minimizes the exposure time until a possible security incident is detected and responded to; both are critical factors in a risk management procedure.

The massive amount of information required to detect potential threats, and the subsequent definition of preventive, corrective or even recovery actions, require an automated procedure that makes identifying incidents simple and agile. IOCs satisfy this need by allowing an incident to be modeled, categorized according to different variables and associated with that specific incident.

The relative savings compared to the effects of an impact are significant, and maintenance and monitoring through the platforms described are very acceptable for any organization.

____________________

Iker Sala Simón

GRC Department

Áudea Information Security