Indicators of compromise (IoCs) are artifacts observed on a network or in an operating system that indicate a computer intrusion.
Examples of IoCs include virus signatures, IP addresses, MD5 hashes of malware files, and URLs or domain names of botnet command-and-control servers. High-confidence IoCs can be used to detect attacks in intrusion detection systems and antivirus software.
The IT Security IOC service uses three scanner products:
- Thor performs a deep system analysis to reveal hidden attacker activity in log files, typical attacker tools, anomalies within user accounts, sessions, error reports, dump files, network connections, and many other check items.
- Spark performs a large set of basic checks and an in-depth analysis of local log files and the file system, with a sensitive auditor that notices files and behavior traces common antivirus products may have missed.
- Loki is a free and simple IOC scanner that includes many of the Thor webshell rules, covering webshells that even the best antivirus engines fail to detect, as well as the hacktool rule set.
The IT Security team provides two value-added services:
- Reporting - Information Security Analysts review and validate scan results, removing false positives and other anomalies, and provide Systems Administrators with actionable information.
- Remediation Guidance - The IT Security Office will also assist units in interpreting the IOC scan results and provide guidance and best practices for remediating the affected system.
Service Level Commitments
The IT Security Office will provide campus units with the following service level commitments:
Reporting - The campus unit reports scan results to the IT Security Office as soon as possible for analysis.
- Initial analysis: 1-4 business days.
- Remediation Guidance: 5-7 business days.
The IOC scanning service can be deployed using one of the following methods:
- USB drive
- Download via Asgard website hosted by IT Security
- Custom download via Box
The service is available only to campus departments, via service request.
No, but it is highly recommended that the Nextron products be run with administrator rights. The detection rate is limited when the scanners do not have administrative rights.
Allow the scanner to install in its default location. Do not alter the installation path, as this will cause false positives and prolong the scanning process.
The output files (TXT, HTML, CSV) are generated in the working directory from which the scanner is executed. This means that if you start a scan from a network share while your current directory is “C:\”, all output files will be written to “C:\”.
Nextron scanners typically take between 1 and 12 hours. Approximately 90% of the scans finish after 4 hours. In rare cases scans can take longer than 12 hours because of large file systems or because of high CPU load caused by other processes on the system.
Nextron scanners already have very good default settings. The IT Security Office may recommend additional parameters in special circumstances.
The output files should be removed after the scan so that any threat actor with access to the system cannot read the results. Leaving the results on a system may also cause false positives in subsequent scans.
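As an added example (not part of this service page and not Nextron's or the IT Security Office's own tooling), the PowerShell wrapper below applies the points above: it warns when not run with administrator rights, runs the scanner with its default settings from its own install directory so the TXT/HTML/CSV output lands in a known place, copies the results for submission to IT Security with a verified hash, and only then deletes them from the scanned host. The install path, executable name and collection share are assumptions.

```powershell
# Added example; not Nextron's or the IT Security Office's own script.
# Assumptions: scanner left in its default install directory ($ScannerDir),
# results handed to IT Security via a restricted share ($CollectDir).
param(
    [string]$ScannerDir = 'C:\nextron\loki',        # assumed install path
    [string]$ScannerExe = 'loki.exe',                # assumed executable name
    [string]$CollectDir = '\\secfiles\ioc-results'   # assumed collection share
)

# Detection rate is limited without administrator rights, so warn (do not abort).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Not running as administrator; the scanner''s detection rate will be limited.'
}

$started = Get-Date
$dest    = Join-Path $CollectDir ('{0}_{1:yyyyMMdd_HHmm}' -f $env:COMPUTERNAME, $started)

# Run with default settings (no extra parameters) and with the working
# directory set to the install directory, so the output is written there
# rather than to whatever directory the operator happened to be in.
$proc = Start-Process -FilePath (Join-Path $ScannerDir $ScannerExe) `
                      -WorkingDirectory $ScannerDir -Wait -PassThru

# Collect only the TXT/HTML/CSV files created by this run.
$results = @(Get-ChildItem -Path $ScannerDir -File |
             Where-Object { $_.Extension -in '.txt', '.html', '.csv' -and
                            $_.CreationTime -ge $started })

New-Item -ItemType Directory -Path $dest -Force | Out-Null
foreach ($f in $results) {
    $copy    = Copy-Item -Path $f.FullName -Destination $dest -PassThru
    $srcHash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -Path $copy.FullName -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        throw "Copy of $($f.Name) failed verification; leaving it in place."
    }
    # Hash list lets the analysts verify the submission before reviewing it.
    "$srcHash  $($f.Name)" | Add-Content -Path (Join-Path $dest 'SHA256SUMS.txt')
    # Remove the result from the scanned host: a resident threat actor must not
    # read what was found, and stale results would cause false positives later.
    Remove-Item -Path $f.FullName -Force
}
"Scanner exit code $($proc.ExitCode); $($results.Count) result file(s) moved to $dest"
```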
There is no cost to the units for the IOC scanning service.