Title :
Machine actionable indicators of compromise
Author_Institution :
Chief Eng. Cybersecurity, Southern California Edison, Irwindale, CA, USA
Abstract :
IT departments are overwhelmed by an ever-increasing flood of Indicators of Compromise (IOC) detailing illicit activity that may occur on their networks and systems. The characterization of the threats involved varies with the source of the information, and each notice requires human operators to sift through data as displayed on a Web page or in a PDF, update monitoring appliances and, if the activity is detected, decide on appropriate remediation. There are initiatives to enable IOC data to be exchanged in a common format, for example STIX and OpenIOC, but this is only the first step in the workflow. Recently, Lawrence Livermore National Laboratory (LLNL) has led a team of researchers in the development of a system to describe the compromise in a way that allows it to be automatically detected if present AND to include possible remediation for the exploit in the same machine-readable package. The first part of this paper details the industry ecosystem for Enterprise exploits: characterization in a standard and consistent manner, exchange of data between organizations, and the limited scope of remediation. The next section describes the research being performed by LLNL and its partners to leverage the Enterprise exploit model within the ICS community. The research consists of three parts: (a) a representation of exploits that includes the information required for their detection on the target system, (b) a language to describe remediation specific to an exploit, and (c) processing algorithms to convert those generic proscriptions into actions for specific appliances. Finally, as this research is ongoing, this paper presents the plan of efforts going forward, the expected challenges yet to come, and some resulting items to be open-sourced for continued community involvement.
Keywords :
computer viruses; digital forensics; electronic data interchange; organisational aspects; public domain software; software packages; ICS community; IOC; IOC data exchange; IT departments; LLNL; Lawrence Livermore National Laboratory; OpenIOC; PDF; STIX; Web page; continued community involvement; enterprise exploit model; exploit representation; generic proscriptions; human operators; illicit activity; industry ecosystem; information detection; information source; machine actionable compromise indicators; machine actionable indicator-of-compromise; machine-readable package; monitoring appliance update; open-sourced items; processing algorithms; remediation specific language; specific appliance actions; target system; threat characterization; Communities; Ecosystems; Malware; Standards; Vocabulary; CybOX; ICS; IOC; M2M; Remediation; STIX; XML;
Conference_Title :
Security Technology (ICCST), 2014 International Carnahan Conference on
Conference_Location :
Rome
Print_ISBN :
978-1-4799-3530-7
DOI :
10.1109/CCST.2014.6987016