IoC Repository – Is it worth it?

When it comes to Security Operations, and particularly on the defensive side, there is a lot of data to deal with. Security tool alerts, telemetry data, information on tool health…it can quickly become overwhelming. Especially for smaller security teams, investing a lot of time and money in tools like threat intel feeds, paid-for sandboxes, and repositories for indicators of compromise (IoCs) does not provide much value.

As a security team gets more mature, though, there comes a time to revisit the value that some of these tools can bring. In particular, an IoC repository can be very valuable once you have moved from focusing on blocking to more in-depth situational awareness of your environment. Analyzing, tracking, and drawing connections between malware samples or campaigns are all benefits that an IoC repository can bring.

At Code42, as we have matured our security organization, we decided that adding an IoC repository to our arsenal of tools could make sense. In the past, we very deliberately did not use such a tool because we instead wanted to focus on activities that we believed added more value more quickly. As we crossed things off of our to-do list and improved our maturity, however, we realized that we were at the point where such a tool could be useful. The following benefits were key to helping us decide to implement such a tool:

  • Automation Integrations: Code42 has been moving towards security automation for quite some time now, and one major benefit of security automation is metadata enrichment. In this particular case, an IoC repository, when implemented, can tell us whether a new alert relates to something we have already seen in our environment before. In the other direction, with automation we can easily put data from security events back into our IoC repository with tagging and metadata to make it useful for future events.
  • Improved Situational Awareness: When standing up a security program, first and foremost the goal should be to identify and stop bad activities from happening. As a team gets better at identification and remediation, there are opportunities to start broadening your view and gather additional information about threats in your environment. Being able to search against a repository to gather information you have already captured about similar threats improves situational awareness and can help with remediation.
  • Shift Left: Adversary TTPs (Tactics, Techniques, and Procedures) frequently change, and the threats that were most prevalent even six months ago may be long gone today, replaced by new threat vectors. By analyzing trends in the IoCs that your tools are seeing, you can prioritize your prevention strategies and begin to shift left in the kill chain, stopping threats sooner.
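The automation loop described in the first bullet (look an alert up, then write it back with tags and metadata) and the trend analysis in the third bullet can be shown together. The following is an added example, not Code42's automation or any CRITs/MISP code: the repository is a hypothetical in-memory stand-in with a `lookup`/`record` interface, and the alerts are constructed sample data.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

# Accept MD5 (32 hex chars) or SHA256 (64 hex chars); reject anything else
# before it reaches an enrichment service such as a VirusTotal lookup.
_HASH_TYPES = {32: "md5", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def normalize_hash(value: str):
    """Return (hash_type, lowercase_hash), or None if value is not MD5/SHA256."""
    h = value.strip()
    if not _HEX_RE.match(h) or len(h) not in _HASH_TYPES:
        return None
    return _HASH_TYPES[len(h)], h.lower()


@dataclass
class Indicator:
    kind: str
    value: str
    first_seen: date
    last_seen: date
    sightings: int = 1
    tags: set = field(default_factory=set)


class IocRepository:
    """Hypothetical in-memory stand-in for a repository such as CRITs or MISP."""

    def __init__(self):
        self._items = {}

    def lookup(self, kind, value):
        return self._items.get((kind, value))

    def record(self, kind, value, seen_on, tags=()):
        """Insert a new indicator or update an existing one. Returns (indicator, is_new)."""
        ind = self._items.get((kind, value))
        if ind is None:
            ind = Indicator(kind, value, seen_on, seen_on, 1, set(tags))
            self._items[(kind, value)] = ind
            return ind, True
        ind.sightings += 1
        ind.first_seen = min(ind.first_seen, seen_on)
        ind.last_seen = max(ind.last_seen, seen_on)
        ind.tags.update(tags)
        return ind, False

    def tag_trend(self, since):
        """Count indicators per tag seen on or after `since`, to prioritize prevention work."""
        counts = Counter()
        for ind in self._items.values():
            if ind.last_seen >= since:
                counts.update(ind.tags)
        return counts


def enrich_alert(repo, alert):
    """Look the alert's hash up for prior context, then write the alert back as an IoC.

    alert: {"hash": str, "date": date, "source": str, "tags": [str, ...]}
    """
    parsed = normalize_hash(alert["hash"])
    if parsed is None:
        return {"status": "invalid_hash", "hash": alert["hash"]}
    kind, h = parsed
    prior = repo.lookup(kind, h)
    context = None
    if prior is not None:
        context = {"first_seen": prior.first_seen,
                   "sightings": prior.sightings,
                   "tags": sorted(prior.tags)}
    # Tag the write-back with its source so later events know where it came from.
    tags = {f"source:{alert['source']}", *alert.get("tags", [])}
    ind, is_new = repo.record(kind, h, alert["date"], tags)
    return {"status": "new" if is_new else "known", "hash": h, "type": kind,
            "prior": context, "sightings": ind.sightings}


# Constructed sample alerts; the hashes are repeated hex patterns, not real indicators.
SAMPLE_ALERTS = [
    {"hash": "ab" * 16, "date": date(2018, 1, 5), "source": "edr", "tags": ["redteam:internal"]},
    {"hash": ("ab" * 16).upper(), "date": date(2018, 3, 2), "source": "email-gw", "tags": ["phishing"]},
    {"hash": "cd" * 32, "date": date(2018, 3, 9), "source": "edr", "tags": ["phishing"]},
    {"hash": "not-a-hash", "date": date(2018, 3, 10), "source": "edr", "tags": []},
]


def run_sample():
    """Process the sample alerts and return the enrichment results plus a recent-tag trend."""
    repo = IocRepository()
    results = [enrich_alert(repo, a) for a in SAMPLE_ALERTS]
    return {"results": results, "trend": repo.tag_trend(date(2018, 3, 1))}


if __name__ == "__main__":
    out = run_sample()
    for r in out["results"]:
        print(r)
    print(out["trend"].most_common())
```

The second alert carries the same MD5 in upper case, so normalization is what makes the lookup hit; the response then carries the earlier sighting's date and tags (including the Red Team tag) so the analyst sees immediately that the pattern was seen before. The tag trend over indicators seen since March is the raw material for the "shift left" prioritization in the third bullet.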

There are several open-source IoC repositories available, with two of the most popular being MISP (formerly known as Malware Information Sharing Platform) and CRITs (Collaborative Research Into Threats). As both names indicate, these tools are focused on allowing teams to collaborate and share common IoCs such as samples, domains, PCAPs, emails, and other data types, with MISP providing an easy way to share this data externally as well. Both tools also support add-on services that can enrich any data added to them, such as running a VirusTotal scan against any MD5/SHA256 hashes that are added to the platform, or sending a sample to Cuckoo Sandbox for analysis.

Having used CRITs in the past, we decided to leverage it for our IoC repository internally. The services are easily extendable, it has a simple API, and even core functionality is easy to understand and change since it is based on Django and MongoDB. MISP is more actively developed at this time and does have superb sharing capabilities, so you really can’t go wrong with either tool.

Since implementing CRITs, we’ve begun sending executables detected in our environment for analysis and categorization, as well as better tracking our own internal Red Team tools so we can more quickly identify whether an alert matches previously-detected patterns of activity. Our next tasks are to start ingesting data from other tools to provide more trend analysis, as well as to see if there is any value in tracking campaigns like persistent phishers. As with any tool, we are constantly evaluating its utility, along with the signal-to-noise ratio, as all security teams have a finite amount of time to do analysis.

Going forward, we will be sharing how we use this tool in our toolkit here, so check back frequently for updates!