The Problem with Indicator Lists

Chris McNab
May 11

AlphaSOC processes 3B daily network events from customer environments across technology, healthcare, defense, retail, finance, and higher education verticals. Security teams send us their DNS, firewall, and web proxy logs in particular, which we process to uncover both known and unknown threats.

At a high level, our analytics stack performs layered processing:

  1. Correlation of FQDNs, IPs, and URLs with indicator lists
  2. Volumetric and timing analysis to identify traffic surges and beaconing
  3. Deep feature analysis to flag imposter domains, perplexing domains, etc.
  4. Use of third-party services (e.g. WHOIS) to provide further context

To provide the first layer of coverage and correlate network events with intelligence, we built a threat intelligence platform (TIP) that ingests C2 destinations from many open and commercial sources. In this post, we dig into the efficacy of indicator lists and provide insight into ROI and coverage.
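As an added illustration of that first layer (not AlphaSOC's code), the snippet below correlates DNS log lines against a small indicator list, matching a listed apex domain against its subdomains as well as the exact name, and then reports what share of the indicators ever triggered. The indicator list, the log lines and the campaign names are all constructed placeholders (reserved `.invalid` names and documentation IP ranges), and the CSV column layout is an assumption about how a TIP might export its data:

```python
import csv
import io
from collections import defaultdict

# Constructed indicator list in the shape a TIP might export. Every value is a
# made-up placeholder (.invalid TLD, documentation IP ranges), not a real C2.
INDICATOR_LIST = """type,value,campaign
domain,c2-example-alpha.invalid,campaign-a
domain,beacon.example-bravo.invalid,campaign-b
ip,203.0.113.45,campaign-c
ip,198.51.100.7,campaign-d
"""

# Constructed DNS log lines: timestamp, source host, query name, resolved address.
LOG_LINES = """2024-05-01T10:00:01Z,host-01,www.example.org,192.0.2.10
2024-05-01T10:00:05Z,host-02,updates.c2-example-alpha.invalid,203.0.113.45
2024-05-01T10:01:09Z,host-03,cdn.example.net,198.51.100.200
2024-05-01T10:02:11Z,host-02,c2-example-alpha.invalid,203.0.113.45
2024-05-01T10:03:30Z,host-04,mail.example.com,198.51.100.7
"""


def load_indicators(text):
    """Parse the CSV list into {indicator_type: {value: campaign}}."""
    by_type = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        by_type[row["type"]][row["value"].lower().rstrip(".")] = row["campaign"]
    return by_type


def candidate_domains(fqdn):
    """Yield the FQDN and each parent domain (but not the bare TLD), so a listed
    apex domain also matches the subdomains a campaign actually resolves."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def correlate(log_text, indicators):
    """One hit per matched indicator per log line (a line can hit a domain and an IP)."""
    hits = []
    for line in log_text.strip().splitlines():
        ts, host, qname, answer = line.split(",")
        for cand in candidate_domains(qname):
            if cand in indicators["domain"]:
                hits.append({"ts": ts, "host": host, "type": "domain",
                             "value": cand, "campaign": indicators["domain"][cand]})
                break
        if answer in indicators["ip"]:
            hits.append({"ts": ts, "host": host, "type": "ip",
                         "value": answer, "campaign": indicators["ip"][answer]})
    return hits


def coverage_report(indicators, hits):
    """How much of the list did any work: distinct indicators that triggered,
    the share that never appeared, and the hosts that touched them."""
    total = sum(len(values) for values in indicators.values())
    seen = {(h["type"], h["value"]) for h in hits}
    return {
        "indicators": total,
        "triggered": len(seen),
        "pct_unseen": round(100.0 * (total - len(seen)) / total, 2),
        "hosts": sorted({h["host"] for h in hits}),
    }


if __name__ == "__main__":
    indicators = load_indicators(INDICATOR_LIST)
    hits = correlate(LOG_LINES, indicators)
    for hit in hits:
        print(f"{hit['ts']} {hit['host']} matched {hit['type']} {hit['value']} ({hit['campaign']})")
    print(coverage_report(indicators, hits))
```

Run over a real 90-day window, the `pct_unseen` figure is the number this post is about: it tells you how much of the list you pay to ingest and store never contributes a single alert.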

Identifying Live Malware Campaigns

Looking back over the last 90 days:

  • 16,693 new C2 domains were added
  • 7,027 new C2 IP addresses were added
  • We processed 234B network events from 357,381 unique endpoints
  • We uncovered 12 systems communicating with 15 distinct C2 destinations
  • 99.94% of the C2 indicators were not seen in any environment

Uncovering Legacy Infections

98% of the value provided by network indicator lists relates to the identification of legacy malware campaigns (where the C2 infrastructure is often unavailable). Less than 2% of the indicators that triggered relate to recent malware campaigns.

Moving Beyond Indicator Lists

  • Domain generation algorithm (DGA) traffic
  • Connections to dynamic DNS domains with positive VirusTotal scores
  • Network sources performing DNS and ICMP tunneling
  • Clusters of suspicious events indicative of infection (e.g. a URL shortener lookup, followed by traffic to a young domain, and finally Tor traffic)

Through scoring network telemetry across additional dimensions we were able to identify many of the known infected hosts, along with a further 31 unknown systems, as below.
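The following is an added example (not AlphaSOC's analytics) of scoring hosts across three of the dimensions listed above rather than against a list: a crude DGA heuristic on the registrable label (length, entropy, digit and vowel mix), beaconing detection from the regularity of inter-query gaps, and a dynamic DNS suffix check. The events, the suffix list, the weights and the alert threshold are all constructed assumptions, and the VirusTotal enrichment mentioned in the post is left out so the block runs offline:

```python
import math
import statistics
from collections import defaultdict

# Constructed DNS events: (epoch seconds, source host, query name). All names are
# made-up placeholders under the reserved .invalid TLD or example.* domains.
EVENTS = [
    (1000, "host-10", "xk3j9qz7wv2p.invalid"),         # random-looking label
    (1010, "host-10", "www.example.org"),
    (1000, "host-11", "beacon-cdn.invalid"),           # same name every 60 s
    (1060, "host-11", "beacon-cdn.invalid"),
    (1120, "host-11", "beacon-cdn.invalid"),
    (1180, "host-11", "beacon-cdn.invalid"),
    (1240, "host-11", "beacon-cdn.invalid"),
    (1005, "host-12", "www.example.org"),
    (1300, "host-12", "mail.example.com"),
    (1400, "host-13", "myhost.ddns-example.invalid"),  # dynamic DNS style name
]

# Constructed dynamic DNS provider suffixes; a production list is far longer.
DYNAMIC_DNS_SUFFIXES = {"ddns-example.invalid"}

# Assumed weights per dimension; tune these against your own telemetry.
WEIGHTS = {"dga": 0.6, "beacon": 0.5, "dyndns": 0.3}


def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registrable_label(qname):
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_dga(qname, min_len=10, min_entropy=3.5):
    """Crude DGA heuristic: a long, high-entropy label that is digit-heavy or vowel-poor."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    digits = sum(c.isdigit() for c in label) / len(label)
    vowels = sum(c in "aeiou" for c in label) / len(label)
    return shannon_entropy(label) >= min_entropy and (digits >= 0.2 or vowels <= 0.15)


def is_dynamic_dns(qname):
    name = qname.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def beaconing_pairs(events, min_events=4, max_cv=0.1):
    """(host, qname) pairs whose inter-query gaps are nearly constant
    (coefficient of variation at or below max_cv)."""
    stamps = defaultdict(list)
    for ts, host, qname in events:
        stamps[(host, qname.lower())].append(ts)
    flagged = set()
    for pair, times in stamps.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            flagged.add(pair)
    return flagged


def score_hosts(events):
    """Per-host score; each (dimension, qname) feature counts once, so a DGA
    name queried 500 times does not outscore a single beaconing channel."""
    feats = defaultdict(set)
    for _, host, qname in events:
        if looks_dga(qname):
            feats[host].add(("dga", qname))
        if is_dynamic_dns(qname):
            feats[host].add(("dyndns", qname))
    for host, qname in beaconing_pairs(events):
        feats[host].add(("beacon", qname))
    return {host: (round(sum(WEIGHTS[f] for f, _ in fs), 2), sorted(fs))
            for host, fs in feats.items()}


def suspicious_hosts(events, threshold=0.5):
    return sorted(h for h, (score, _) in score_hosts(events).items() if score >= threshold)


if __name__ == "__main__":
    for host, (score, fs) in sorted(score_hosts(EVENTS).items()):
        print(host, score, fs)
    print("alert:", suspicious_hosts(EVENTS))
```

None of the three flagged names appears on any indicator list, which is the point: host-10 and host-11 cross the threshold on behaviour alone, while host-13's dynamic DNS name stays below it until another dimension (a VirusTotal verdict, a young-domain check) adds weight.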

In Closing

Written by

Author of Network Security Assessment (O’Reilly Media) and co-founder of AlphaSOC, Inc.
