
BLOG


November 14, 2018
Operationalizing Threat Intelligence: Apply Indicators of Compromise to Hunt, Detect, Quarantine, Block and Alert
By: Josh Ray

Since iDefense became part of Accenture we have had unparalleled access to subject matter experts, former CISOs, seasoned security operations specialists, incident response veterans, and risk management experts. We are proud to call these fine folks Accenture colleagues. As we continue to learn from their experience in the trenches, it’s time for us to share the wealth and allow you to learn and grow with us.

Producing and consuming threat intelligence is easier said than done. It’s easy to say: “Here’s data, go use it.” However, even the most mature security teams and programs don’t always know how to apply different types of Indicators of Compromise (IoCs). Let us show you how some of the leading threat intelligence teams, security operations teams, and incident responders use our indicators, either manually or by ingesting them directly into their security products via our Threat Indicators API, for detection, blocking, and alerting. We hope you find this information helpful. If you need support on operationalizing your threat intelligence, we are always here to help.

Operation: Threat Hunting
Indicator Type / Relevant Tool or Technology

File Hashes (md5, sha1, sha256)
  • Hunt with endpoint agent

Fuzzy hash
  • Hunt with special agent or script to detect


Operation: Detect and Quarantine
Indicator Type / Relevant Tool or Technology

File Hashes (Nefarious, Phish or Weaponized): md5, sha1, sha256
  • Mail gateway to quarantine
  • Next-gen FW, proxy or other network monitoring tools to detect on the wire during download
  • Search for hash in SIEM to detect

Domain Name
  • Search for domain name in SIEM to detect
  • Add domain name to DNS response policy zones (RPZ) or hosts files to sinkhole and/or walled garden

IP Address
  • Add to mail gateway to quarantine/spam-filter for known bad mail relays
  • Search for IP address in SIEM to detect
  • Add to firewalls or IDS to detect suspicious/malicious communication

URL
  • Search for URL in SIEM to detect
  • Add to proxy to intercept/filter
  • Add to network monitors to detect

Email Address (Nefarious or Phish)
  • Search for email address in mail servers to detect
  • Add special rule for email to re-direct or prepend alerts to email subject lines to warn users (e.g., [SUSPICIOUS], [SPOOF], [ALERT])

Phishing Email Subject
  • Add subject to mail gateway to detect
  • Search for subject in mail servers to detect

Phishing X-mailer
  • Add to mail gateway to detect
  • Search for X-header in mail servers to detect

CPE
  • Search for vulnerable CPE in environment using vulnerability scanning solution or asset management/inventory solution to detect
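The "search in SIEM to detect" rows above all come down to the same job: normalise each indicator type the way the telemetry presents it, match, and hand the hit to the response the table recommends. The Python below is an added example (not code from the original post or from the Threat Indicators API); the indicator values, the JSON event format and its field names are all constructed assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed indicator set keyed by type (illustrative values, not real IoCs).
IOCS = {
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "domain": {"update-check.example.test"},
    "ip": {"203.0.113.45"},
    "email": {"invoice@billing.example.test"},
    "subject": {"your invoice is overdue"},
}
# Response the table above maps each indicator type to under "Detect and Quarantine".
OPERATION = {
    "sha256": "search SIEM; quarantine at mail gateway",
    "domain": "search SIEM; sinkhole via DNS RPZ",
    "ip": "search SIEM; add to firewall/IDS",
    "email": "search mail servers; tag subject [SUSPICIOUS]",
    "subject": "search mail servers; add to mail gateway",
}
# Constructed JSON events standing in for a SIEM export (not a real product format).
LOGS = [
    '{"src":"edr","host":"ws-17","sha256":"E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}',
    '{"src":"proxy","client":"10.0.4.21","url":"https://Update-Check.example.test./cfg.bin"}',
    '{"src":"mail","from":"Invoice@Billing.example.test","subject":"YOUR invoice is overdue"}',
    '{"src":"fw","src_ip":"10.0.4.21","dst_ip":"203.0.113.45","dport":443,"action":"allow"}',
    '{"src":"proxy","client":"10.0.4.22","url":"https://www.example.com/"}',
]

def indicators_in(event):
    """Normalise one event (case, trailing dots) and return every (type, value) IoC hit."""
    hits = []
    sha = event.get("sha256", "").lower()          # feeds and EDRs differ in hex case
    if sha in IOCS["sha256"]:
        hits.append(("sha256", sha))
    host = (urlparse(event.get("url", "")).hostname or "").lower().rstrip(".")
    if host in IOCS["domain"]:                      # URL hit is matched on its host
        hits.append(("domain", host))
    for key in ("src_ip", "dst_ip"):
        if event.get(key) in IOCS["ip"]:
            hits.append(("ip", event[key]))
    sender = event.get("from", "").lower()
    if sender in IOCS["email"]:
        hits.append(("email", sender))
    if event.get("subject", "").lower() in IOCS["subject"]:
        hits.append(("subject", event["subject"]))
    return hits

def hunt(lines):
    """Return (line no, indicator type, value, recommended response) for every hit."""
    return [(n, k, v, OPERATION[k]) for n, line in enumerate(lines, 1)
            for k, v in indicators_in(json.loads(line))]
```

Without the lower-casing and trailing-dot handling, the EDR hash and the proxy host in the sample events would both be missed even though they are on the indicator list.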

Operation: Block and Alert
Indicator Type / Relevant Tool or Technology

Detection Signatures & CVEs
  • YARA: Add this signature to your sandbox or endpoint security solutions to block/alert
  • Snort: Add this signature to your IDS/IPS to block/alert

File Hashes (Nefarious, Phish or Weaponized), including CVE, md5, sha1, and sha256
  • Add to next generation firewall to block/alert
  • Add to meta/NetFlow analyzer to alert
  • Add to sandboxes to block/alert
  • Add to endpoint security solutions to deny download or execution
  • Add to OS policy to block

Domain Name
  • Add to proxy category to block/alert
  • Add to DNS RPZ to block/alert
  • Add to meta/NetFlow analyzer to alert
  • Add to firewall to block
  • Add to IDS/IPS to block/alert
  • Add to OS to block
  • Add to sandbox to block/alert
  • Add to mail gateway to block/alert

IP Address
  • Add to proxy interceptions to block/alert
  • Add to firewall to block
  • Add to web application firewall to block/alert
  • Add to IDS/IPS to block/alert
  • Add to meta/NetFlow analyzer to alert
  • Add to sandbox to block/alert
  • Add to endpoint security solution to block
  • Add to host-based firewall to block/alert

URL (Nefarious or Phish)
  • Add to proxy category to block/alert
  • Add to IDS/IPS to block/alert
  • Add to meta/NetFlow analyzer to alert
  • Add to next generation firewall to block/alert
  • Add to sandbox to block/alert
  • Add to endpoint security solution to block
  • Search for URL in SIEM to detect

Email Address (Nefarious or Phish)
  • Add to mail gateway blacklist to block

Phishing Email Subject
  • Add subject to mail gateway to block/alert


Accenture

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 442,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com.

Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture protects organizations’ valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Copyright © 2018 Accenture. All rights reserved. Accenture, its logo, and High Performance. Delivered. are trademarks of Accenture.

This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative.
