The Problem with Indicator Lists

AlphaSOC processes 3B daily network events from customer environments across technology, healthcare, defense, retail, finance, and higher education verticals. Security teams send us their DNS, firewall, and web proxy logs in particular, which we process to uncover both known and unknown threats.

At a high level, our analytics stack performs layered processing:

  1. Correlation of FQDNs, IPs, and URLs with indicator lists
  2. Volumetric and timing analysis to identify traffic surges and beaconing
  3. Deep feature analysis to flag imposter domains, perplexing domains, etc.
  4. Use of third-party services (e.g. WHOIS) to provide further context

To provide the first layer of coverage and correlate network events with intelligence, we built a threat intelligence platform (TIP) that ingests C2 destinations from many open and commercial sources. In this post, we dig into the efficacy of indicator lists and provide insight into ROI and coverage.

Identifying Live Malware Campaigns

If we take the recent C2 indicators added to the AlphaSOC TIP, and then assess which actually hit within customer environments, we can measure the efficacy of threat feeds to identify active malware campaigns.

Looking back over the last 90 days:

  • 16,693 new C2 domains were added
  • 7,027 new C2 IP addresses were added
  • We processed 234B network events from 357,381 unique endpoints
  • We uncovered 12 systems communicating with 15 distinct C2 destinations
  • 99.94% of the C2 indicators were not seen in any environment

Uncovering Legacy Infections

The AlphaSOC TIP contains an additional 81,550 indicators that have aged beyond 90 days (up to 3 years). Across the 357,381 endpoints, we find a further 665 hosts communicating with 4,659 legacy C2 destinations. As represented below, 98.23% of the infected hosts trigger on legacy indicators.

98% of the value provided by network indicator lists relates to the identification of legacy malware campaigns (where the C2 infrastructure is often unavailable). Less than 2% of the indicators that triggered relate to recent malware campaigns.

Moving Beyond Indicator Lists

During the same period we also identified infected systems beaconing to odd destinations through deep analytics (beyond one-dimensional correlation with indicator lists). The AlphaSOC Analytics Engine performs heavy lifting to flag patterns including:

  • Domain generation algorithm (DGA) traffic
  • Connections to dynamic DNS domains with positive VirusTotal scores
  • Network sources performing DNS and ICMP tunneling
  • Clusters of suspicious events indicative of infection (e.g. a URL shortener lookup, followed by traffic to a young domain, and finally Tor traffic)

Through scoring network telemetry across additional dimensions we were able to identify many of the known infected hosts, along with a further 31 unknown systems, as below.

In Closing

We find that only 0.06% of indicators are useful in identifying live malware campaigns. While some threats can be uncovered through indicator lists, security teams are 2.5 times more likely to identify malware campaigns through hunting — either through manual methods, or automation via our analytics stack and integrations for Splunk, Corelight, Demisto, and so on.