
IOC Usefulness and Lifespan continues to be reduced, API automation


As we continue providing information to managed security providers, companies and agencies, one thing is certain: the industry is behind the curve when it comes to protecting itself from attack. Most, if not all, of the vendors are still using models that include the distribution of IOC data. One of the things we have been pushing for very hard is for the industry to stop relying on IOCs. As soon as vendors publish IOC data, it is a flag for threat actors to change tactics, and it is nearly impossible for vendors to keep malicious actors from seeing or obtaining this information. Instead of relying on IOCs that can (and do) change frequently, the industry needs another solution.

Enter the Jigsaw Security Library

One of the things we have been doing is publishing libraries that detect behaviour such as exfiltration instead of focusing on the sources, destinations or domains being used. While we have to support IOCs in our systems because that is what customers are consuming, we hope they will start moving to other means of detection. Our patterns-in-traffic and patterns-in-files module makes it extremely hard for adversaries to change their attack code without breaking their exploits.

In short, we don't care about the source, destination, domain or other individual attributes when determining whether traffic is good or bad. The industry has handicapped itself by building products that rely on IOC data. At Jigsaw Security we have been migrating our detection strategy to detect the patterns in traffic and files, and specifically to identify the things that, if changed, would break the malware and cause the attack to fail. By concentrating on items that are difficult for an attacker to modify quickly, we effectively thwart their campaigns.

How to take advantage of the Jigsaw API

In the Jigsaw Security threat intelligence platform, you can request domains, hostnames, source and destination IPs, MD5 hashes, patterns in traffic and similar attributes. Because we use various products and services to protect our clients, we don't restrict our clients' choice of tools. For instance, some of our clients use Check Point and some use Palo Alto firewalls, and each product loads its blocklists in a different file format to protect or drop traffic. The Jigsaw Security API lets you feed information into your forensics tools, firewalls and IDS/IPS sensors in a variety of formats.

To get an API key, simply log into the threat intelligence platform and select Global Options, then My Account. The API key is available for use there. See the automation section to learn how to automate your network and security appliances and products. Some of our customers even load these lists into their endpoint protection to stop malware from infecting individual computers and devices. The options are endless. Supported file types include XML, JSON, STIX, STIX2, CSV and plain text blocklists. You can request tagged items and build custom protection solutions based on the type of assets you are trying to protect.

A good example of this is the "EMAIL-VECTOR" tag. This tag points to indicators that are being used to attack user inboxes. By implementing blocklists on the email servers, these attachments, links and other malicious content can be scrubbed from emails. In fact, some of the patterns provided will block entire families of malware by detecting how the malware works rather than a single sample. For more information or help implementing these solutions, Jigsaw Security Professional Services can help you come up with the right solution to fit your defense strategy.
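The tag-driven workflow described above, as an added example that is not Jigsaw's own code: it takes a feed of indicators, keeps only those carrying one tag (here EMAIL-VECTOR), validates and de-duplicates them, and emits the plain text blocklist and CSV forms that a firewall or mail gateway can consume. The page does not show the real API response schema, so the {type, value, tags} record shape and the sample feed are assumptions constructed for illustration.

```python
import ipaddress
import json
import re

# Constructed sample feed. The page does not show the real Jigsaw API response
# schema, so this {type, value, tags} shape is an assumption for illustration only.
SAMPLE_FEED = json.dumps([
    {"type": "domain", "value": "Mail-Update.example", "tags": ["EMAIL-VECTOR"]},
    {"type": "ip", "value": "192.0.2.10", "tags": ["EMAIL-VECTOR"]},
    {"type": "ip", "value": "192.0.2.10", "tags": ["EMAIL-VECTOR"]},   # duplicate
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "tags": ["EMAIL-VECTOR"]},
    {"type": "domain", "value": "other.example", "tags": ["C2"]},      # other tag, skipped
    {"type": "ip", "value": "not-an-ip", "tags": ["EMAIL-VECTOR"]},    # malformed, dropped
])

DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}")
MD5_RE = re.compile(r"[0-9a-f]{32}")

def valid_indicator(kind: str, value: str) -> bool:
    """Validate one entry so a malformed feed record cannot break the appliance's list parser."""
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if kind == "domain":
        return DOMAIN_RE.fullmatch(value) is not None
    return kind == "md5" and MD5_RE.fullmatch(value) is not None

def select_tagged(feed_json: str, tag: str) -> dict:
    """Return validated, de-duplicated indicators carrying `tag`, grouped by type."""
    buckets = {"ip": [], "domain": [], "md5": []}
    for item in json.loads(feed_json):
        kind = item.get("type")
        value = str(item.get("value", "")).strip().lower()   # normalise before comparing
        if tag not in item.get("tags", []) or kind not in buckets:
            continue
        if valid_indicator(kind, value) and value not in buckets[kind]:
            buckets[kind].append(value)
    return buckets

def to_text_blocklist(values: list) -> str:
    """One indicator per line: the plain text list a firewall pulls as an external blocklist."""
    return "".join(v + "\n" for v in values)

def to_csv(buckets: dict, tag: str) -> str:
    """type,value,tag rows for tools that ingest CSV instead of a bare list."""
    rows = ["type,value,tag"] + [f"{k},{v},{tag}" for k, vs in buckets.items() for v in vs]
    return "\n".join(rows) + "\n"
```

Hash indicators are kept in their own bucket on purpose: a firewall address list cannot use them, but an endpoint or mail scanner can.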

The advantage of using the API is that it always provides the most up-to-date information. Every day thousands of indicators and patterns are added to the Jigsaw Security library. As soon as we see an attack somewhere, we protect you proactively from that same attack across all of your infrastructure.

IOC Lifespan Decline

As mentioned earlier, it is difficult, if not impossible, to keep attackers from detecting when you have taken a defensive action. As soon as IOCs are published, threat actors are forced to change their tactics and techniques. Many threat intelligence providers concentrate on IOCs when they should be adopting methods of dropping traffic based on patterns in files and in network traffic. Sending TCP resets is an effective way to stop infections as they occur.

For mail servers, our RPZ sinkhole feature provides another last line of defense against malware and phishing attacks on mail inboxes by denying the computer access to the locations where malware is hosted. Even if an end user clicks on that malware link, they remain safe.

While no single solution can keep everybody 100% safe, implementing smart automation can go a long way toward stopping threats from entering your network.
