Which Indicator of Compromise (IOC) standard is a method of information sharing developed by MITRE?

STIX and TAXII are standards developed in an effort to improve the prevention and mitigation of cyber-attacks. STIX states the “what” of threat intelligence, while TAXII defines “how” that information is relayed. Unlike previous methods of sharing, STIX and TAXII are machine-readable and therefore easily automated.

STIX/TAXII aims to improve security measures in a few ways:

  • Extend the capabilities of current threat intelligence sharing
  • Balance response with proactive detection
  • Encourage a holistic approach to threat intelligence

STIX/TAXII is an open, community-driven effort that provides free specifications to aid in the automated expression of cyber threat information. Both have an active community of developers and analysts.

STIX, short for Structured Threat Information eXpression, is a standardized language developed by MITRE and the OASIS Cyber Threat Intelligence (CTI) Technical Committee for describing cyber threat information. It has been adopted as an international standard by various intelligence sharing communities and organizations. It is designed to be shared via TAXII but can be shared by other means. STIX is structured so that users can describe a threat's:

  • Motivations
  • Abilities
  • Capabilities
  • Response

TAXII, short for Trusted Automated eXchange of Intelligence Information, defines how cyber threat information can be shared via services and message exchanges. It is designed specifically to support STIX information, which it does by defining an API that aligns with common sharing models. The three principal models for TAXII include:

  1. Hub and spoke – one repository of information
  2. Source/subscriber – one single source of information
  3. Peer-to-peer – multiple groups share information

TAXII defines four services. Users can select and implement as many as they require, and combine them for different sharing models.

  1. Discovery – a way to learn what services an entity supports and how to interact with them
  2. Collection Management – a way to learn about and request subscriptions to data collections
  3. Inbox – a way to receive content (push messaging)
  4. Poll – a way to request content (pull messaging)

STIX/TAXII supports a variety of use cases in cyber threat management. It has been widely adopted by governments and by Information Sharing and Analysis Centers (ISACs), which are organized by industry or by geographic region.

Organizations can push and pull information into categories. For example, if one industry experiences a targeted phishing attack, they can share that information within the phishing category of the ISAC. Other organizations can automatically ingest that intelligence and bolster their own defenses.
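As an added example (not code from the page, from MITRE, or from OASIS), the following Python shows the two halves of the phishing-sharing scenario above: a producer wraps IOCs in STIX Indicator objects and bundles them, and a consumer ingests the bundle and recovers the raw values for a blocklist. It assumes STIX 2.1 JSON (the page does not pin a version), and the hash, domain and campaign name are constructed; the TAXII transport itself is not shown (the four services listed above are the TAXII 1.x ones; TAXII 2.x serves collections over a REST API).

```python
import json, re, uuid
from datetime import datetime, timezone

# Constructed IOCs for a hypothetical phishing campaign (not real indicators);
# the .invalid TLD is reserved and never resolves.
SAMPLE_IOCS = [("md5", "00112233445566778899aabbccddeeff"),
               ("domain", "mail-login-verify.invalid")]

# IOC type -> STIX patterning-language template, plus the reverse lookup
# (STIX object type, property) -> IOC type used when consuming a bundle.
TEMPLATES = {"md5": "[file:hashes.'MD5' = '{v}']",
             "domain": "[domain-name:value = '{v}']",
             "ipv4": "[ipv4-addr:value = '{v}']"}
OBJECT_TYPES = {("file", "hashes.'MD5'"): "md5",
                ("domain-name", "value"): "domain",
                ("ipv4-addr", "value"): "ipv4"}
PATTERN_RE = re.compile(
    r"^\[(?P<obj>[a-z0-9-]+):(?P<prop>[^\s=]+)\s*=\s*'(?P<val>[^']*)'\]$")

def make_indicator(ioc_type, value, campaign="phishing campaign"):
    """Producer side: wrap one IOC in a STIX 2.1 Indicator object."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "valid_from": ts,
            "name": f"{campaign}: {ioc_type} {value}",
            "indicator_types": ["malicious-activity"],
            "pattern": TEMPLATES[ioc_type].format(v=value),
            "pattern_type": "stix"}

def make_bundle(iocs):
    """Package indicators into a STIX Bundle, the unit a TAXII server hands out."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_indicator(t, v) for t, v in iocs]}

def extract_iocs(bundle):
    """Consumer side: recover (type, value) pairs from indicator patterns for a
    blocklist. Patterns this parser does not understand are skipped, not guessed."""
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if m and (m["obj"], m["prop"]) in OBJECT_TYPES:
            found.append((OBJECT_TYPES[(m["obj"], m["prop"])], m["val"]))
    return found

def share_and_ingest(iocs):
    """Serialise a bundle as it would travel over TAXII, then ingest it again."""
    return extract_iocs(json.loads(json.dumps(make_bundle(iocs))))
```

Compound patterns (for example two observables joined with AND) are deliberately left alone by the simple parser, which is the safe default: an indicator the consumer cannot evaluate correctly should be reviewed, not half-applied.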

Organizations with a TAXII client can push and pull information into the TAXII servers of trusted sharing groups. Some organizations may have access to private groups within these ISACs that provide more detailed information.

Anomali provides a utility called STAXX that allows you to easily subscribe to any STIX/TAXII feed and push out indicators via STIX/TAXII for free. Get started in three simple steps:

  1. Download the STAXX client
  2. Configure your data sources
  3. Set up your download schedule

Signing up for an account on the STAXX portal allows users to link from an Indicator of Compromise (IOC) to information that identifies Threat Actors, Campaigns, and TTPs. STAXX also comes preconfigured with a feed, Limo. Users can also access additional Anomali threat intelligence feeds as well as preview features of Anomali’s Threat Intelligence Platform, ThreatStream.

An Indicator of Compromise (IOC) is a piece of digital forensic evidence that suggests an endpoint or network may have been breached. Just as with physical evidence, these digital clues help information security professionals identify malicious activity or security threats, such as data breaches, insider threats or malware attacks.

Investigators can gather indicators of compromise manually after noticing suspicious activity or automatically as part of the organization’s cybersecurity monitoring capabilities. This information can be used to help mitigate an in-progress attack or remediate an existing security incident, as well as create “smarter” tools that can detect and quarantine suspicious files in the future.

Unfortunately, IOC monitoring is reactive in nature, which means that if an organization finds an indicator, it is almost certain that they have already been compromised. That said, if the event is in progress, the quick detection of an IOC can help contain the attack earlier in the attack lifecycle, thus limiting its impact on the business.

As cyber criminals become more sophisticated, indicators of compromise have become more difficult to detect. The most common IOCs—such as an MD5 hash, C2 domain or hardcoded IP address, registry key and filename—are constantly changing, which makes detection more difficult.

How to Identify Indicators of Compromise

When an organization is an attack target or victim, the cybercriminal will leave traces of their activity in the system and log files. The threat hunting team gathers this digital forensic data from these files and systems to determine whether a security threat or data breach has occurred or is in progress.

Identifying IOCs is a job handled almost exclusively by trained infosec professionals. Often these individuals leverage advanced technology to scan and analyze tremendous amounts of network traffic, as well as isolate suspicious activity.

The most effective cybersecurity strategies blend human resources with advanced technological solutions, such as AI, ML and other forms of intelligent automation, to better detect anomalous activity and improve response and remediation times.

Why Your Organization Should Monitor for Indicators of Compromise

The ability to detect indicators of compromise is a crucial element of every comprehensive cybersecurity strategy. IOCs can help improve detection accuracy and speed, as well as remediation times. Generally speaking, the earlier an organization can detect an attack, the less impact it will have on the business and the easier it will be to resolve.

IOCs, especially those that are recurring, provide the organization with a window into the techniques and methodologies of their attackers. As such, organizations can incorporate these insights into their security tooling, incident response capabilities and cybersecurity policies to prevent future events.

Examples of Indicators of Compromise

What are the warning signs that the security team is looking for when investigating cyber threats and attacks? Some indicators of compromise include:

  • Unusual inbound and outbound network traffic
  • Geographic irregularities, such as traffic from countries or locations where the organization does not have a presence
  • Unknown applications within the system
  • Unusual activity from administrator or privileged accounts, including requests for additional permissions
  • An uptick in incorrect log-ins or access requests that may indicate brute force attacks
  • Anomalous activity, such as an increase in database read volume
  • Large numbers of requests for the same file
  • Suspicious registry or system file changes
  • Unusual Domain Name System (DNS) requests and registry configurations
  • Unauthorized settings changes, including mobile device profiles
  • Large amounts of compressed files or data bundles in incorrect or unexplained locations
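As an added example (not from the page or any vendor), here is a small Python detector for the "uptick in incorrect log-ins" indicator in the list above, run over constructed sshd-style auth log lines. The log format, the five-failures-per-minute threshold and the source addresses (reserved documentation ranges) are assumptions; it also flags the case a practitioner cares about most, a successful login from a source that had just been failing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style auth log (not real data; 203.0.113.0/24 and 198.51.100.0/24
# are reserved documentation ranges). One source fails six times in ten seconds and
# then succeeds; the other is a normal user who mistyped a password once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
2024-05-01T10:00:03Z sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
2024-05-01T10:00:05Z sshd[102]: Failed password for root from 203.0.113.5 port 51002 ssh2
2024-05-01T10:00:07Z sshd[102]: Failed password for root from 203.0.113.5 port 51003 ssh2
2024-05-01T10:00:09Z sshd[103]: Failed password for deploy from 203.0.113.5 port 51004 ssh2
2024-05-01T10:00:11Z sshd[103]: Failed password for deploy from 203.0.113.5 port 51005 ssh2
2024-05-01T10:00:20Z sshd[104]: Accepted password for deploy from 203.0.113.5 port 51006 ssh2
2024-05-01T10:05:00Z sshd[105]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2024-05-01T10:09:00Z sshd[106]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def parse(line):
    """Return (timestamp, result, user, source_ip), or None for unrelated lines."""
    m = LINE_RE.match(line)
    return None if not m else (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                               m["result"], m["user"], m["ip"])

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window detector. Emits (ip, 'burst', n) the first time a source
    reaches `threshold` failures within `window_s` seconds, and
    (ip, 'success-after-failures', user) if a flagged source later logs in,
    which is the alert that turns a noisy IOC into a likely account takeover."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged, alerts = set(), []
    for rec in filter(None, map(parse, lines)):
        ts, result, user, ip = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()               # expire failures that fell out of the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "burst", len(q)))
        elif ip in flagged:
            alerts.append((ip, "success-after-failures", user))
    return alerts
```

Running `detect_bruteforce(SAMPLE_LOG.splitlines())` yields a burst alert for 203.0.113.5 followed by a success-after-failures alert for the `deploy` account, while alice's single mistake produces nothing.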

The Difference Between Indicators of Compromise (IOCs) and Indicators of Attack (IOAs)

An Indicator of Attack (IOA) is related to an IOC in that it is a digital artifact that helps the infosec team evaluate a breach or security event. However, unlike IOCs, IOAs are active in nature and focus on identifying a cyber attack that is in process. They also explore the identity and motivation of the threat actor, whereas an IOC only helps the organization understand the events that took place.