Potential for IOC Analysis

Recently we had an issue where we had a piece of malware that appeared on a couple of PCs and we were concerned that it may try to spread to other machines. After going through our incident response procedures a question was posed to me about using IEM as a warning sign for an indication of compromise (IOC). I’ve been working with the tool for many years and while the tool obviously has the ability to detect IOCs, I haven’t seen much in the way of capitalizing on that.

My question behind this amusing anecdote is… why not? It’s understandable that updating content with the flow of known malicious content doesn’t seem like the style this tool brings but if there is content to check for known vulnerabilities in Flash, Java, and Windows OS via versions of, why not include a site that has a list of known IOCs that people may be able to use for incident response and, if not to take action using IEM, at least have the ability to create an alert if an IOC is ever relevant? It may be as simple as “Other tools do it better” but if the idea is you want your “single pane of glass”, IOCs would be another facet of that.

Very true and in fact, with our movement into the Security Business Unit, the focus is shifting more and more to improving our support of security scenarios, IOC evaluation being one of them.
I’ve recently published a blog on dW (http://ow.ly/QOC3Y) that touches on our new focus, the assets offered at the moment and points to a new whitepaper that provides a few hints and tips on how to leverage BigFix for IOC evaluation.

I definitely have used many of the Analyses I have created and put on BigFix.me to look for indications of compromise (IoC).

An example that I don’t think I have an Analysis for at the moment would be to look at all the startup items of all systems, then use session relevance to flag any that are unusual.

I have also created one-off analyses to look for signs of a specific new malware and where it likes to put its hooks into the system.

I do think that relevance alone is not the right tool for all IoC purposes, and in those cases it makes sense to run an action through BigFix either periodically or when needed to dig deeper into a possible infection.

There is an open source tool for the Mac called OSXCollector that can be run easily through a BigFix task to collect all of the info you might want to examine on a system, and then some analysis tools to automatically flag potentially bad items. This is a way to do initial investigation, and then once you find your specific signs of malware, you could then turn that into relevance to detect it across the fleet easily.

I am a proponent of BigFix being the tool to manage other tools when needed.

For Windows, we are looking at the possibility of running all on-demand virus scanners that are free for commercial use using BigFix actions whenever a system is suspected of having a compromise, or perhaps on a once a month interval.

I already have an example of this here:
https://bigfix.me/fixlet/details/3967
https://bigfix.me/analysis/details/2994641

1 Like
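The "look at all startup items, then flag the unusual ones" idea from the post above, as an added example that is not from the thread or from BigFix: a Python stand-in for the session relevance step, run over constructed analysis results (endpoint names, value names and paths are placeholders, not indicators from any real incident).

```python
import re
from collections import Counter

# Constructed sample data standing in for analysis results: endpoint -> set of
# (value name, command) pairs as reported from HKLM\...\CurrentVersion\Run.
# All hostnames and paths are placeholders.
COMMON = {
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
}
FLEET = {f"pc-{n:03d}": set(COMMON) for n in range(1, 9)}
# One user has the same software under a different profile path.
FLEET["pc-004"] = {
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("OneDrive", r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
}
# Two endpoints carry an entry nobody else has (placeholder name and path).
FLEET["pc-003"].add(("Updater", r"C:\Users\carol\AppData\Roaming\updater.exe"))
FLEET["pc-007"].add(("Updater", r"C:\Users\dave\AppData\Roaming\updater.exe"))

USER_DIR = re.compile(r"^c:\\users\\[^\\]+")

def normalize(entry):
    """Fold case and per-user profile paths so identical software compares equal."""
    name, cmd = entry
    return name.lower(), USER_DIR.sub("%userprofile%", cmd.lower())

def prevalence(fleet):
    """Count how many endpoints report each normalized startup entry."""
    counts = Counter()
    for entries in fleet.values():
        counts.update({normalize(e) for e in entries})
    return counts

def flag_unusual(fleet, max_ratio=0.25):
    """Return {endpoint: [entries]} for entries present on <= max_ratio of the fleet."""
    counts, total = prevalence(fleet), len(fleet)
    flagged = {}
    for host, entries in sorted(fleet.items()):
        rare = sorted(e for e in entries if counts[normalize(e)] / total <= max_ratio)
        if rare:
            flagged[host] = rare
    return flagged

if __name__ == "__main__":
    for host, entries in flag_unusual(FLEET).items():
        print(host, entries)
```

Without the profile-path folding, pc-004's OneDrive entry would be reported as unique and flagged alongside the real outlier, which is the usual source of noise in this kind of check.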

A very valid tool for malware detection is YARA (http://plusvic.github.io/yara/). Its integration in BigFix is very straightforward and it is also mentioned in the whitepaper.

1 Like