Indicators of Compromise (noun)
Rick Howard: The word is: Indicators of compromise.
Rick Howard: Spelled: Indicators as in signs of activity and of compromise, as in an intrusion.
Rick Howard: Definition: Digital evidence that a system or network has been breached.
Rick Howard: Example sentence: The indicators of compromise alerted the organization that an adversary was inside the network.
Rick Howard: Origin and context: In order to block bad guy activity or detect that a bad guy is in your network. Security practitioners have used the concept of indicators of compromise since the internet was young. Prior to 2010, they relied on technical lists of known bad guy things, like malicious IP addresses or URLs, MD5 hashes of known bad guy malicious code, and known bad guy domains, just to name a few.
Rick Howard: They were passive and had no connection to the sequence of steps that hackers have to take to be successful. They were just lists of odds and ends, big collections of digital artifacts to block and to watch out for, and were prone to false positives. These low resolution indicators are not bad per se but they are ephemeral and hackers can easily change them at the drop of a hat and do. By the time InfoSec teams deployed countermeasures, the bad guys had likely already changed their behavior.
Rick Howard: In 2013 Mitre released the first version of the Mitre ATT&CK framework that, among other things, expanded the original concept of the Lockheed Martin Kill Chain paper. They added TTPs, the tactics (the why), the techniques used (the how), and the specific implementation procedures the adversary group used to deploy the tactic. That intelligence is not as ephemeral, is tied to known adversary group behavior, and is conducive to designing impactful countermeasures. With these more useful TTPs, network defenders can forecast a confidence level of how likely their network has been compromised by a specific attack sequence. For example, according to Tidal, a company that operationalizes Mitre ATT&CK intelligence, the middle east hacker group called Molerats uses 17 TTPs in their adversary playbook.
Rick Howard: If network defender observe one of them, say forged Microsoft code-signing certificates in malware, then the chances that the hackers behind the Molerats attack sequence are quite low. Many hacker groups use that technique. It's only one indicator of compromise out of a possible 17. But if those same network defenders observe 15 of the 17 Molerat TTPs, then the chances are high that the hackers behind the Molerats attack sequence have compromised your network.
Rick Howard: Nerd reference: In the fabulous BBC retelling of the Sherlock Home story, Benedict Cumberbatch played Sherlock and Martin Freeman played a sidekick Dr. John Watson from 2010 to 2017. In this classic murder scene setting, Sherlock lays out all the indicators of compromise to a detective and to Watson about why the victim was murdered and didn't commit suicide. Mainly because he was left lefthanded and they found the bullet hole in the right temple.
TV Detective: We're obviously looking at a suicide.
Martin Freeman: It does seem the only explanation of all the facts.
Benedict Cumberbatch: Wrong, it's one possible explanation of some of the facts. You've got a solution that you like, but you are choosing to ignore anything you see that doesn't comply with it.
TV Detective: Like?
Benedict Cumberbatch: Wound was on the right side of his head.
TV Detective: And?
Benedict Cumberbatch: Vancoon was left handed. Requires quite a bit of contortion.
TV Detective: Left handed.
Benedict Cumberbatch: I'm amazing. Didn't notice? All you have to do is look around this flat. Coffee table on the left hand side, coffee mug handle, pointing to the left, power socket's officially used the ones on the left, pen and paper on the left hand side of the phone because you picked it up with his right and took down messages with his left. You want me to go on?
Martin Freeman: No, I think you've covered it.
Benedict Cumberbatch: I might as well, I'm almost at the bottom. There's a knife on the breadboard with butter on the right side of the blade because he used it with his left. It's highly unlikely that the left handed man would shoot himself in the right side of his head. Conclusion, someone broke in here and murdered him. Only explanation of all of the facts.
TV Detective: But the gun, I mean.
Benedict Cumberbatch: He was waiting for the killer. He'd been threatened.
Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.