Understanding Indicators

Understanding Indicators
Towards An Information Security
Ontology
Joe Slowik

An Overview Of Indicators
A Digression On Language
Reimagining Indicators & Observations
Conclusions
Today’s Agenda

© Huntress Labs. All rights reserved
Indicators
4

What Is An Indicator?
5
Indicator
“Data
Point”
Sign Of
Event
Enables
Sharing

“Indicators”
6

“Indicators”
7

“Indicators”
8
“Indicator” Is An
Overloaded Concept!

“Indicators”
9
Overloaded Concept!
Many Terms Used
Interchangeably

“Indicators”
10
Overloaded Concept!
Many Terms Used
Interchangeably
Result Is Confusion In
Purpose, Meaning

“Indicators”
11

Indicators In A Perfect World
12

13
Understand The Purpose, Function, & Signiﬁcance Of A Given
Indicator, Why It Matters & When It Was Observed
Context

14
Context
Indicator Is Tightly Correlated To Adversary Activity, Resulting In
High-Conﬁdence Link To Malicious Behavior When Observed
Accuracy

15
Context
Indicator Is Tightly Correlated To Adversary Activity, Resulting In
High-Conﬁdence Link To Malicious Behavior When Observed
Accuracy
Indicator Enables Some Action Or Understanding To Take Place -
From A Simple Block/Alarm To Adversary Understanding
Applicability

16

The “Birth” Of An Indicator
17

The “Birth” Of An Indicator
18
Continuous Reﬁnement & Enrichment Is Necessary
To Go Beyond “Mere Data” To “Something Happened”
(Observable) To Something Of Interest Identiﬁed
(Indicator)

19
“Indicator” & “IOC” Are
Used Interchangeably
Time & Events

20
IOC Is A Sign Of Something
That HAPPENED
Time & Events

21
IOC Is A Sign Of Something
That HAPPENED
How Do We Refer To
Things Yet-To-Be?
Time & Events

Time & Events
22
Indicators Sourced OUTSIDE Of Or PRIOR TO An
Event Cannot Be Indicators Of (Known) Compromise -
So What Are These???

Time & Events
23
Indicators Sourced OUTSIDE Of Or PRIOR TO An
Event Cannot Be Indicators Of (Known) Compromise -
So What Are These???
No (Good) Answers - Yet?

Indicators In Reality
24
Lack Of Context
● Indicators Are Frequently Shared Absent Context!
● Minimal Enrichment & Metadata Provided To Disposition & Determine!
● Indicators Are Effectively “Raw Data”

25
Lack Of Context
● Indicators Are Frequently Shared Absent Context!
● Minimal Enrichment & Metadata Provided To Disposition & Determine!
● Indicators Are Effectively “Raw Data”
Limited Scope
● “Indicators” Are Provided “As Is”
● Diﬃcult To Extrapolate From Single Technical Artifact To Something More
● Purpose, Function, & Creation Observations Are Not Considered

26

27

28
Indicators Have Effectively Become Equivalent With
Raw Data - Sense Of Context & Enrichment Is Lost Or
Ignored

Indicators & Adversary Operations
29

30
Technical Indicators Are
SPECIFIC IDENTIFIERS

31
PARTICULAR Example Of
A GENERAL Behavior

32
PARTICULAR Example Of
A GENERAL Behavior
Focus On Indicators Ignores
What Gave Them Birth

Isn’t This All Nitpicking?
34

But…
35

The Importance Of Accurate Language
36

37
Language Deﬁnes How We Communicate &
Understand Concepts

38
Understand Concepts
Accurate Language & Its Use Facilitates
Follow-On Action & Comprehension

39
Understand Concepts
Accurate Language & Its Use Facilitates
Follow-On Action & Comprehension
We Need To Critically Examine How We
Describe Matters For Accuracy!

Outcomes Of Indifferent Language
40

41
Overlapping
Meanings &
Purposes As
Terms Collide

42
Overlapping
Meanings &
Purposes As
Terms Collide
Inhibits
Understanding,
Engenders
Confusion, &
Leads To Poor
Outcomes

43
Overlapping
Meanings &
Purposes As
Terms Collide
Inhibits
Understanding,
Engenders
Confusion, &
Leads To Poor
Outcomes
Improper,
Inaccurate
Language Use
Results In
Suboptimal
Results!

Deﬁning “Indicator”
44
The Word “Indicator” & Its Relatives May Appear
Inconsequential Save For Their Use - But Being
“Loose” With Details & Explanations Can Be
Dangerous!

Dangers Of Loose Language
45
Interpreting
Common Items
As Specific To
A Threat
Falsely
Identifying
Unique
Characteristics
Mis-Applying
Intelligence
Items To
Defense
Defending On
Lagging
Characteristics
Over
Confidence Based
On Specific
Observations

“Death Of The Indicator”
46

47

48

49

50
“Indicator” Has Become A “Bad Word” In Infosec &
CTI - But Maybe That’s Because We’ve Played
Fast-And-Loose With The IDEA Of An Indicator

Reimagining
Indicators &
Observations

52

53
Indicator

54
Indicator
Technical
Observable
Artifact Of
Compromise
Behavioral
Artifact

55
Indicator
Technical
Observable
Artifact Of
Compromise
Behavioral
Artifact
Communication
Object
Forensic
Item
Intelligence
Observable

One Indicator, Many Meanings
56

57
Indicators Have MANY
Applications

58
Applications
Multiple Applications
Lead To Multiple Views

59
Applications
Multiple Applications
Lead To Multiple Views
Application-Centric
Understanding Is Necessary!

Indicators Pre- & Post-Action
60

61
Indicators As
Technical
Observations
Of An Action
Or Event

62
Origins Of The
Technical
Observation &
Its Behavior
Indicators As
Technical
Observations
Of An Action
Or Event
Applications
Of The
Indicator &
Its Use

63
POST Observation Indicators Diversify Into Their
Applications & Use.
PRE Observation Characteristics Enable Researchers
To Identify Trends & Tendencies!

Creating Indicators, Revisited
64
Data Observation Indicator

65

66
Collection & Telemetry Provides Data

67
Data Is Reﬁned Into Observations That Can
Relate To Activity Of Interest

68
Data Is Reﬁned Into Observations That Can
Relate To Activity Of Interest
Analysis Of Observations & Incidents Ties
These To Activity - Producing Indicators

INDICATORS!!!
69
Indicators Are A Sign That “Something” Has Taken
Place - POST Observations Inform WHY Those
Actions Occurred - PRE Observations Tell Us HOW.
The Key To Cracking Indicators Is Breaking Them
Apart To Reveal More About HOW.

Indicators & Components
70
Malicious
File Object
File
Hash
ITW
Name
Compile
Info
Strings
Functions &
Actions
Meta-
Data

Indicators & Components
71
Network
Indicator
Registrar
TLD Or
Naming
Hosting
Provider
Name
Servers
SSL/TLS
Info
Hosting
Geo

Indicators As Composite Objects
72

73
Understanding Components
Reveals Indicator Complexity!

74
Composite Nature Of Indicators
Reveals Underlying Behaviors!

75
Composite Nature Of Indicators
Reveals Underlying Behaviors!
Enables Intelligence &
Forward-Looking Action!

76

Where Are We Now?
78
Conclusions
The Idea Of An “Indicator” Is A Surprisingly
Complex Topic!
Understanding WHAT They Are And HOW They
Are Created Is Vital!

Clarity In Language & Vision
79
Conclusions

80
Conclusions
Analysts Must
Understand
WHAT They’re
Communicating
& WHY

81
Conclusions
Analysts Must
Understand
WHAT They’re
Communicating
& WHY
Clarity In
Communication
SHOULD Lead
To Clearer
Results &
Action

82
Conclusions
Analysts Must
Understand
WHAT They’re
Communicating
& WHY
Clarity In
Communication
SHOULD Lead
To Clearer
Results &
Action
Focus On
What We
KNOW & How
To
Communicate
It To Others!

Toward A Recognized Ontology
83
Conclusions
Discipline Around “Indicator,” “Observable,”
“Data,” “IOC,” & Similar May Seem Pedantic.
But With Controlled Statements & Understanding
We Can Achieve Clearer, More Accurate
Communication - And Follow-On Action!

Selected Resources
85
● Analyzing Network Infrastructure As Composite Objects, Joe Slowik
(https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-o
bjects/)
● Open IOC: Back To The Basics, Will Gibb & Devon Kerr
(https://www.mandiant.com/resources/blog/openioc-basics)
● Misunderstanding Indicators Of Compromise, Dave Dittrich & Katherine Carpenter
(https://threatpost.com/misunderstanding-indicators-of-compromise/117560/)
● Formulating A Robust Pivoting Methodology, Joe Slowik
(https://www.domaintools.com/wp-content/uploads/formulating-a-robust-pivoting-methodology.p
df)
● Thrunting Grounds, Amitai Cohen (https://amitaico.substack.com/p/thrunting-grounds)

Slides!
86

Understanding Indicators

Recommended

Recommended

More Related Content

Similar to Understanding Indicators

Similar to Understanding Indicators (20)

More from Joe Slowik

More from Joe Slowik (10)

Recently uploaded

Recently uploaded (20)

Understanding Indicators