
Good IOC VS. Bad IOC: When Automation Fails…

2015-09-21 14:45

[The post Good IOC VS. Bad IOC: When Automation Fails… has been first published on /dev/random]

A few days ago, I wrote a diary on the SANS ISC website about automating the search for IOCs (Indicators of Compromise). Tools that collect such information (IP addresses, domains, hashes, …) are very useful for building a list of interesting IOCs … or not! Today, I wrote another diary about the recent threat Apple faced, with hundreds of malicious apps accepted on the App Store (XCodeGhost).

A few hours later, a colleague at SANS ISC reported this:

[Screenshot: the list of IOCs extracted from the diary, including the domains rootshell.be and truesec.be]

My diary contained a list of suspicious IP addresses. As you can see, the content was probably crawled by a bot and the useful data extracted. But my signature was scanned too, and the domain names in it (rootshell.be and truesec.be) were extracted as indicators. Trust me, my domain names have no relation at all with XCodeGhost! I don’t want to blame the company behind this; I’m sure plenty of other crawlers do the same job. But be warned: automation is not always accurate. Worse, some organizations collect those IOCs and push them straight into blocking rules in firewalls and proxies. It can be a disaster if legitimate domains get automagically blacklisted that way, with nobody reviewing the list first. Think about this…



Source: blog.rootshell.be/2015/09/21/good-vs-bad-ioc-when-automation-fails/
