Risk Management

Indicators of Compromise (IOC) and How Security Professionals use them to defend against threats

By Justin Robinson / June 27, 2021 June 27, 2021 / Open Source Intelligence, Risk Management, Vulnerabilities and Exploits / Leave a Comment

If you’ve been in a security field that involves incident response/threat hunting, you’ve probably heard of the term “indicator of compromise” (IOC). In computer forensics, an IOC is an artifact that can be observed on a network or a host that indicates, with a relatively high level of confidence, a computer intrusion.

Not all artifacts from a cyber event will be considered an IOC. Artifacts that are left during an attempted, but perhaps not successful, intrusion are known as precursors. While an IOC can help to identify an intrusion that may have already occurred, a precursor can help to identify when an intrusion may be in the process of occurring.

What Do We Consider An Indicator of Compromise?

Indicators of compromise can range from a simple string to a series of actions performed in a certain order. Here is a comprehensive list of examples of different types of IOCs.

IP Address
Domain Name
URL
Website Name
File Hash
User/Account Name
Service and Process Names
Registry Key, Path, and Value
Directory Path
Virus Signature
“Strings” within a file
DNS txt record abnormalities
Files referencing /etc
System API Call

While those pieces of data can be easily found using a variety of security tools, there are also a number of behaviours that may indicate an instrusion.

Unusual/Unaccounted for outbound traffic
Unusual/Unaccounted for traffic between client networks (subnets)
Privileged account anomalous usage
User account active from anomalous IPs
Excessive failed logins
Activity from unexpected geographic regions
Increased traffic to specific resource
Baseline changes in RDBMS activity
Change in web browsing requests / request habits
Well known port vs. application usage
Encryption should be used over normally encrypted ports
Unexplainable Registry and File system changes
Malformed, overy short, and anomalous DNS requests
Patching that didn’t follow the official Change Management schedule
Changes to mobile platforms
Unexplained file creation
Web Browsing spikes and anomalous traffic patterns during irregular times
Service changes
Anomalous account management activity
Anomalous firetransfers
Changes to file permissions
Changes outside of normal maintenance hours
Access to URLs outside of the Alexa Top 1 Million
High CPU usage

There are a number of other behaviours that I’m sure you can think of that may also be an indicator of compromise. One of the best sources for techniques that that can be used to build a larger list of behaviours is the Mitre ATT&CK Enterprise Techniques matrix.

How Is This Information Valuable to a Security Professional?

Security monitoring is not a perfect science and relies on security professionals to create, tune, and update the various security tools that are used to detect information security threats, including a tool known as the Security Information and Event Management (SIEM) system. A SIEM is a key tool for Security Operations teams that ingests, manipulates, and displays logs from various services and provides security professionals a perfect tool for investigating security incidents.

Security professionals in the monitoring and detection role can use an indicator of compromise to build alerts and detection content based on real-world events and detections. This is an essential part within any SOC program, and is a proactive approach to cyber defense. Using IOCs in your environment is also a reactive approach to cyber defense, but can help to identify threats in your environment that may have been missed initially. For example:

A security professional will take a list of IOCs related to a recent data breach performed by Darkside, and investigated by FireEye. FireEye, like many security companies, publish intelligence data for use by others.

The security professional will take that list and not only include those IOCs within existing detection content, but they'll also review historical logs for the aforementioned IOCs which can give the security team a limited amount of certainty that the environment wasn't previously impacted by a newly detectable threat.

IOC Standards

IOCs are a type of open source intelligence (OSINT) and are available from many sources in many formats. You may get something as simple as a list of IP Addresses, however, there has been some work over the years to create a standard way of creating, storing, and sharing indicators of compromise.

STIX (Structured Threat Information eXpression)
TAXII (Trusted Automated eXchange of Intelligence Information)

Essentially, both STIX and TAXI offer the same results; they just do it in different ways. STIX uses relationships between objects to build intelligence, while TAXII utilizes collections within a more standard client-server distribution model. Many SIEM tools can ingest both STIX and TAXII feeds for automated intelligence gathering and for updating IOC block lists.

Security Insights on The PEI Pass: From a Security Professional and Islander

By Justin Robinson / June 22, 2021 June 24, 2021 / Personal Cybersecurity, Risk Management, Web Application Security / Leave a Comment

We’re closer and closer to the end of Covid-19 restrictions and we’re heading to point in this pandemic that privacy and security experts have been fearing for quite some time. It was only a matter of time before Covid-19 vaccination became everyone’s answer for getting back to a normal(-ish) life. The challenge was always going to be in creating a process whereby everyone can provide evidence of vaccination, without breaching anyone’s right to privacy.

I was reading this article this morning on CBC, “Cybersecurity expert warns P.E.I. Pass website is ‘hotspot’ for hackers”, and was expecting to read something substantial about the security of the platform, and was honestly pretty disappointed. In my opinion, this article does nothing but erode more trust in our institutions. It lacks the details necessary for an article with such a title, and could stoke a decrease in use and trust of other online government platforms.

What Is The PEI Pass?

The PEI Pass is a document given by the Government of Prince Edward Island that verifies an individual has been either fully or partially vaccinated, plus an additional 21 days. If you have this document then you are not required to self-isolate for 14-days when entering P.E.I. The PEI Pass is available to almost anyone given they meet one of the 4 requirement categories. Each category has a different set of requirements including differing documentation needs. Categories:

Permanent P.E.I. residents
Permanent residents of N.S., N.B., N.L, or Magdalen Islands
Other Individuals who have been in an Atlantic province for a minimum of 14-consecutive days, not including Magdalen Islands.
Non-P.E.I. residents who came to P.E.I. through a Pre-Travel Approval and are currently in PEI

Security Vs Privacy

There are two different concepts being discussed here. Security and privacy are not the same thing. The privacy of the data may depend on factors that include, security.

Privacy Concerns

Although it’s easiest as a Permanent P.E.I. resident, all four requirement categories require you to upload documents or enter information that may not be relevant to the PEI Pass application.

As a Prince Edward Island resident, the government already knows this information about me, which is why they’ve made it easier by being able to lookup my records in the PEI COVID Immunization Registry. For me, I’m not concerned about uploading my driver’s license either, as the government has that too.

Non-permanent residents will be experiencing the most risk to privacy. Especially, with a data breach in P.E.I.’s not too distant past. Any time you give your information and data to an organization or government that didn’t previously have it, you’re increasing the risk of that information being stolen. That’s a risk calculation that you’ll need to make yourself.

Security Concerns

I wasn’t able to find any information on how the Government of Prince Edward Island is securing the transmission and the storage of information being supplied.

The PEI Pass application itself is protected by a valid SSL Certificate, which tells us that the data is being transmitted (data in transit) from your browser to the website server securely.

The unknowns don’t come into play until we attempt to identify what security controls are put into place to protect the data in storage (data at rest), nor do we know if the data is stored on the same server as the website. Unfortunately, outside of the privacy commissioner giving her go ahead, I can’t find any reports on it.

Conclusion

The PEI Pass application process asks not just for personal information, but also for personal documentation. This can lead to you releasing much more personal information then you may have wanted to. Photocopy your documents and use a dark marker to eliminate any information on them that isn’t relevant to the request. Then send the modified photocopy. The Government of Prince Edward Island provides a similar note on their website:

Will Applying To The PEI Pass Be a Risk To My Privacy?

Any time that you provide personal information to a third-party that didn’t have information before, you are compromising your privacy. Sometimes it’s good, sometimes it’s bad. That’s where laws like PIPEDA come in.

Will Applying To The PEI Pass Be a Risk To My Data Security?

Without knowing what security controls are in place, there is simply no way of knowing if applying for the PEI Pass will compromise your data security.

Is The PEI Pass Website a Hotspot for hackers?

No.

Personal Cybersecurity Tips and Resources

By Justin Robinson / June 18, 2021 June 18, 2021 / Personal Cybersecurity, Privacy, Risk Management / Leave a Comment

As infrastructure surrounding network connectivity improves, the number of Internet users will continue to increase. As of April, 2021, there is an estimated 4.27 billion of the 7.6 billion people in the world , who are using the internet. That’s more than 60% of the world population. Many users aren’t just using the internet at work, but they are also using it at home to keep connected with friends, use internet of things devices, and stream television and movies.

Cybersecurity starts with us, and there are simple things that we can do to get started on a path towards to a more cyber secure future.

Check Your Existing Accounts For Breaches

You probably use your email address or a pretty standard username or two when signing up for new accounts. This information may also assist you in finding out if your were a victim of a data breach.

‘;–have i been pwned?

The godfather of data breach reports, HaveIBeenPwned, allows you to search your email addresses and phone numbers to find out if either has appeared in a data breach. As of this writing the site has recorded over 11 billion “pwned” accounts.

DEHASHED

DEHASHED allows you to search multiple different fields including email and username in order to find compromised assets. DEHASHED acts as a search engine and is not an illegal data repository.

Have I Been Sold?

Inspired by HaveIBeenPwned, Have I Been Sold allows you to enter an email address and does a check to see if it was seen on any email sell lists. Have I Been Sold also allows you to receive notifications if they find it moving forward, as well as allows you to remove your data from their database.

BreachAlarm

BreachAlarm is another service that will allow you to check and monitor if any of your account passwords show up online allowing you to change your passwords before damage can be done.

Don’t Use Breached Passwords

“But, how can I know if the password that I’m using was found in a breach?” Great question! Various tools allow you to check whether a password was found in a data breach, without compromising the security of your passwords.

Pwned Passwords

Pwned Passwords stems from Troy Hunt’s tireless work with HaveIBeenPwned. Pwned Passwords is a gigantic database of over 600 million passwords found in real world data breaches. You simply enter a password and Pwned Passwords will tell you if it was exposed during a data breach.

Is that safe? Pwned Passwords uses a concept known as k-anonymity to only send the first 5-characters of an encrypted version of the password that you entered. In other words, the password that you enter isn’t even the same data that gets sent to the server. k-anonymity means that Pwned Passwords is only able to tell you that the password you entered matches any number of passwords it found, and is not a one-to-one lookup. You can read more about how Pwned Passwords uses k-anonymity, here.

Use a Password Management Tool and Never Reuse Passwords

I continue to preach password management as credential theft and password reuse is still far too common. Password management tools integrate with browsers and devices to help you create and store passwords, securely.

BitWarden is the only password manager that we recommend. It’s open source and is available on every platform, for both individuals and enterprises.

Use Multi-Factor Authentication

Authy (All)
Google Authenticator (Android and Apple iOS)
Microsoft Authenticator (Android and Apple iOS)
Duo Mobile App (Android and Apple iOS)

Use Antivirus and Firewall Protection

“What Antivirus should I use?”, “Which firewall do I need to download?”, “Do I need a hardware firewall?” Look, leave the tough stuff for the engineers. Both MacOS and Windows 10 have Antivirus protection and firewall software out-of-the-box. Instead of loading your devices with additional security software, you should educate yourself on how to be cybersafe.

Educate Yourself on Cyber Safety

Cybersecurity awareness and education isn’t always fun, but it doesn’t have to be boring. Here are some personal cybersecurity awareness links that will help you with better identifying threats, reminding you to perform regular security checks, and keep you in the know on the latest cybersecurity trends.

Knowing how, and where, to Report a cyber incident is important, too.

Relevant Articles

Telework Security Basics – NIST
Before You Connect a New Computer to the Internet – CISA
Protecting Portable Devices: Data Security – CISA
Understanding Firewalls for Home and Small Office Use – CISA
Understanding Patches and Software Updates – CISA
Evaluating Your Web Browser’s Security Settings – CISA

Keep Your Software Updated

Some of the biggest data breaches of our time have been due to unpatched software. When you your update software, computers, devices, and even apps you aren’t just getting cool new features and visuals, but you’re also usually getting security updates.

This website is hosted on WordPress, a commonly used Content Management System (CMS). According to the Sucuri 2019 Website Threat Research Report , just under half of WordPress websites were outdated at the time that the infection occurred.

Use a VPN When On Public Wi-Fi

It’s impossible to be certain whether the operators of a public Wi-Fi Hotspot are taking the necessary steps to protect your data from being stolen when using their services. You can, however, encrypt your communications using a Virtual Private Network (VPN) whenever you do connect to public Wi-Fi.

There are a lot of VPN providers available and we really can’t recommend one. However, here is a pretty regularly updated VPN Provider comparison Google Sheet that gives you information on 96 VPN providers including whether they log, limit traffic, what VPN technology they use, and even if they provide protections against a number of VPN attacks.

Review Your Accounts Regularly

Put it in your calendar right now. I’ll wait. All that you need to do is login to your accounts, verify your security settings, make sure MFA is enabled, and do a check of any third-party connections that exist when you use services like Google and Facebook to login to websites that are note Google or Facebook. Disconnect any services that you no longer use and bask in your account security.

Insider Threats and Reducing Risk

By Justin Robinson / June 17, 2021 June 17, 2021 / Risk Management, SMB Security / Leave a Comment

According to the 2020 Cost Of Insider Threats Global Report study presented by Ponemon Institute and sponsored by ObserveIT and Proofpoint, insider threat related incidents are averaging a 12-month cost of $11.45M for those organisations polled. You might be thinking that you’re just a small business and you know that known of your employees would be party to a cyber attack, you may want to reconsider.

What is an Insider Threat?

An insider threat isn’t just an employee who wishes to do damage to their company. An insider threat can also be defined as a careless employee, or contractor, as well as any form of credential theft. More generally, an insider threat is any threat that is performed by anyone associated with your organizations who may have inside information (non-public information) regarding your organization’s policies, security practices, data, systems, and even people.

Types Of Insider Threats’ ¹

An insider threat goes beyond intentionally taking advantage of access that was legitimately given. Insider threats are broken down into the following three categories:

Negligent Insiders	Malicious Insiders	Infiltrators
Current or former employees, contractors, or business partners who unknowingly or carelessly make errors, and disregard policies.	Current or former employees, contractors or business partners who knowingly disregard policies. and attempt to inflict harm to an organization using the information and access they have available to them.	External threat actors who obtain legitimate access to an organization.

Negligent and malicious insiders are more common than infiltrators, however, infiltrators are apt to do much more damage.

Reducing The Risk Of Insider Threats

Insider threats are a risk that your organization can reduce without necessarily spending additional money on security controls. The one commonality between the different categories of insider threats, is people. There are a number of administrative and technical security controls that you can implement today.

Employee Hiring/Termination and Awareness Procedures

Have appropriate employee screening during the hiring process for persons who handle sensitive or proprietary data, such as background and credit checks.
Processes and procedures for employee termination and offboarding including roles and responsibilities for those involved.
Raise awareness to the various types of insider threats to both new and tenured employees.

Access Control

Having an appropriate access control strategy documented and reviewed annually, is essential for any information security program, but can also reduce the risk of experiencing an insider threat.
Principle of Least Privilege states that each user should only have access to the accounts and services that they need to do their jobs, day-to-day.
Separation of Duties is an important concept that encourages the act of access separations based on duties. An example of this is a Desktop Support Analyst having two corporate accounts (joe.analyst & joe.analyst-admin), one account for standard use and the other for elevated/administrator needs.

Device Management

Policies and procedures for the appropriate use of company devices and BYOD devices.
Ensure that employee devices are keeping logs if audits are needed.
Endpoint monitoring or data loss prevention (DLP) technical controls can detect and prevent various insider threat actions.

Third-Party Risk Management

Third-party vendors, consultants and clients must not only follow any outlined security policies within your organization, but should also have policies and procedures of their own surrounding insider threats.

¹ https://en.wikipedia.org/wiki/Insider_threat

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.