Over the next few months, a few of my colleagues and I will be
touching on various topics related to Mandiant and computer
security. As part of this series, we are going to be talking about
how we got where we are today, how to make and use IOCs, and the
future of OpenIOC. This topic can’t be rolled into a single blog
post, so we have developed a brief syllabus to outline the topics
that we will be covering in the near future.

History of OpenIOC

In this post we’re going to
focus on the past state of threat intelligence sharing and how it
has evolved up to this point in the industry. We’ll specifically
focus on how we implemented OpenIOC at Mandiant as a way to codify
threat intelligence.

Back to the

What are indicators of compromise? What is an
OpenIOC? What goes into an IOC? How do you read these things? What
can you include in them? We will address all of these questions and

Investigating with Indicators of Compromise (IOCs)

this post, we will model an actual incident response and walk
through the creation of IOCs to detect malware (and attacker
activity) related to the incident presented. Multiple blog posts and
IOCs will come out of this exercise.

IOCs at Scale

So far, we will have touched on using Redline™
to deploy OpenIOC when investigating a single host. To deploy IOCs
across an enterprise, we use Mandiant
for Intelligent Response® (MIR
Briefly, we will show how we can use MIR to deploy the IOCs built in
the previous exercise across an enterprise scenario, expediting the
incident response process.

The Future of OpenIOC

What is next? OpenIOC was open
sourced in the fall of 2011, and it is time for an upgrade! With the
soft-launch of the draft OpenIOC 1.1 spec at Black Hat USA, we’ve
since released a draft of the OpenIOC 1.1 schema. We’ll discuss what
we changed and why, as well as some of the exciting possibilities
that this update makes possible.

Integrating OpenIOC 1.1 into tools

With the release of
the OpenIOC 1.1 draft, we also released a tool, ioc writer,
which can be used to create or modify OpenIOC 1.1 IOCs. We will
detail the capabilities of this library and how you could use it to
add OpenIOC support to your own applications. We will also discuss
the potential for using parameters to further define application
behavior that is not built into the OpenIOC schema itself.

have several goals for this series:

  • Introduce OpenIOC
    for people that are not already familiar with OpenIOC
  • Show how you can use OpenIOC to record artifacts identified
    during an investigation
  • Show how OpenIOC can be deployed
    to investigate a single host – or a whole enterprise
  • Discuss the future of OpenIOC & the upcoming
    specification, OpenIOC 1.1
  • Show how OpenIOC 1.1 support
    can be added to tools, and future capabilities of the

Stay tuned for our next post in the

By admin