Title :
Security and Integrity Analysis Using Indicators
Author :
Hassan, Shoaib ; Guha, Rupkatha
Author_Institution :
Dept. of Electr. Eng. & Comput. Sci., Univ. of Central Florida, Orlando, FL, USA
Abstract :
Computer systems today are under constant attack by adversaries looking for opportunistic ways to gain access and exfiltrate data, cause disruption or chaos, or leverage the computer for their own use. Whatever the motives, these attacks typically occur not against just one device but against a series of related computer systems (e.g., banking systems). Being able to understand the attackers' tactics, techniques, and procedures (TTPs) and reuse that knowledge against other systems becomes critical to detecting the attackers' movement, identifying where they may have conducted other security breaches, and helping defenders catch up and shut down the attacker's persistent presence. Using indicators as a way to define components of the various TTPs can act as a tool to help share intelligence. A simulation was conducted demonstrating the indicator lifecycle, in which a malware binary was created to perform HTTPS command and control (C2). Using this simulation, it was possible to demonstrate how indicators were produced and defined after system analysis, as well as how they could be consumed on other systems searching for the same TTP.
Keywords :
data integrity; invasive software; C2; TTP; computer systems; data exfiltration; https command and control; integrity analysis; knowledge reuse; malware binary; persistent threat; security analysis; tactics techniques or procedures; Forensics; Indicators; Integrity; Security;
Conference_Title :
Cyber Security (CyberSecurity), 2012 International Conference on
Conference_Location :
Washington, DC
Print_ISBN :
978-1-4799-0219-4
DOI :
10.1109/CyberSecurity.2012.23