Security teams will find indicators of compromise revealed in public disclosures exponentially more valuable if they find a way to go back and compare historical data against the new intelligence.

On March 27, 2018, US-CERT publicly disclosed widespread cyber-attacks on domestic energy and other infrastructure locations. These attacks had been occurring since at least March 2016 and had successfully compromised a number of locations, including some nuclear facilities, water, and aviation locations.

This was not a typical drive-by attack. It was a systematic, multi-staged effort that advanced up the kill chain and utilized several sophisticated targeting techniques, including spear-phishing, watering-hole domains, and ultimately the targeting of industrial control systems infrastructure.

Some details of this attack became known to the targets by at least September 2017, approximately six months before the public disclosure.

Arming yourself against future attacks

The emergency readiness team produced a comprehensive document that described the full strategy and tactics used by the attackers. This included details of the entire kill chain, from the reconnaissance phase through lateral spread to other devices on the victims' networks. When they published their findings, they highlighted important “indicators of compromise” (IOCs), including:

Suspicious URLs
Suspicious IP addresses
MD5 hashes and filenames associated with the malware used in the attack

With these IOCs, organizations can arm themselves against similar attacks in the future. They can be used to provide network security tools, including firewalls, IPS/IDS, and web proxies, with a list of the IP addresses and URLs so that the communication channels used in this attack can be blocked. In addition, the MD5 hashes allow network and endpoint solutions to recognize the malware associated with this group.

The challenge is that once these IOCs are known, it becomes less likely that these same adversaries will continue to use them.
This is because it becomes more difficult to use the same strategy once your targets are aware of your tactics. Some copycat adversaries may use the disclosure as a blueprint for launching similar attacks, but these adversaries are often less resourceful than the originators of the attack. So, while public disclosure of the details and IOCs is useful, the security operations team is often left wondering what it might have prevented had it been informed of these IOCs six months earlier, rather than after they had become less valuable.

Hindsight is key to good threat hunting

An organization would be able to use these IOCs to discover new attacks using the same techniques – and to look into the past to identify whether these important markers were present before it became aware of them. Unfortunately, most organizations do not have easy access to this information, and you can't start collecting it only after a big discovery has been made. The US-CERT announcement should be the wake-up call not just to monitor and track the information frequently associated with IOCs, but also to put in place a simple and consolidated method to search for it following an announcement like this. Many organizations already log this data, but it isn't always collected, archived, and maintained in a system that is easily queried. As a result, this data is used in forensics to determine how a serious breach occurred once it is discovered, but it isn't often the vehicle that enables the detection itself.
Now is the time to ask yourself: if there is a new discovery, where can I go to find out whether there was any evidence of it in my environment?

Where can I go to look for URLs, domain names, and remote IP addresses?
Where can I obtain a list of all new MD5 hashes downloaded into my network, and on which systems did they land?

Once your team has this information, the next step is to develop a process around which new discoveries are investigated:

How and when are new discoveries investigated?
If your team does discover a hidden threat exposed by this new information, does eliminating the threat on the discovered device also eradicate it throughout your entire network?
What can you learn from this discovered device to ensure there are no other threats lying dormant in your environment?

Ultimately, you can only depend on real-time detection techniques to a point, but studying newly discovered IOCs will help uncover the more important threats: the ones already hidden on your network.
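The retrospective sweep described above can be made concrete with a small script. The following is an added example, not code from the article or from US-CERT: it takes a set of newly disclosed IOCs (URLs or domains, remote IP addresses, MD5 hashes), runs them over archived proxy, DNS, and endpoint download logs, and reports for each indicator when it was first seen, on which hosts, and whether that first sighting predates the public disclosure. The IOC values, the log lines, and the simple "date source key=value ..." log format are all constructed for the example and stand in for whatever your SIEM or log archive actually holds.

```python
"""Retrospective IOC sweep over archived logs (added example, constructed data)."""
import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

# Constructed IOC set. These are placeholder values (documentation IP range,
# reserved .example domain, MD5 of empty input), not indicators from any advisory.
IOCS = {
    "ip": {"203.0.113.45"},
    "domain": {"update-portal.example"},
    "md5": {"d41d8cd98f00b204e9800998ecf8427e"},
}

# Date the indicators became public; the sweep flags anything seen before it.
DISCLOSURE_DATE = date(2018, 3, 27)

# Constructed archived log lines in an assumed "YYYY-MM-DD source key=value ..." format.
SAMPLE_LOGS = """\
2017-09-12 proxy host=ws-014 dst=203.0.113.45 url=http://update-portal.example/login
2017-09-12 dns host=ws-014 query=update-portal.example
2017-09-13 endpoint host=ws-014 file=setup.exe md5=D41D8CD98F00B204E9800998ECF8427E
2018-01-05 proxy host=ws-201 dst=198.51.100.7 url=http://intranet.example/portal
2018-04-02 dns host=ws-301 query=update-portal.example.
"""


@dataclass(frozen=True)
class Hit:
    seen: date
    host: str
    source: str
    ioc_type: str
    value: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into (date, source, fields); None for lines that do not fit."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    try:
        day = date.fromisoformat(parts[0])
    except ValueError:
        return None
    return day, parts[1], dict(_KV.findall(parts[2]))


def _norm_domain(name):
    """Lower-case and drop a trailing dot so DNS and URL forms compare equal."""
    return name.rstrip(".").lower()


def indicators_in(fields, iocs):
    """Yield (ioc_type, value) for every indicator present in one event's fields."""
    if fields.get("dst") in iocs["ip"]:
        yield "ip", fields["dst"]
    # Domains may appear as a DNS query or embedded in a proxied URL.
    for key in ("query", "url"):
        if key in fields:
            raw = urlsplit(fields[key]).hostname if key == "url" else fields[key]
            if raw and _norm_domain(raw) in iocs["domain"]:
                yield "domain", _norm_domain(raw)
    md5 = fields.get("md5", "").lower()
    if md5 in iocs["md5"]:
        yield "md5", md5


def sweep(logs, iocs):
    """Return every Hit found in the archived log text."""
    hits = []
    for line in logs.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        day, source, fields = parsed
        for ioc_type, value in indicators_in(fields, iocs):
            hits.append(Hit(day, fields.get("host", "?"), source, ioc_type, value))
    return hits


def summarize(hits, disclosure):
    """Per indicator: first sighting, affected hosts, and whether it predates disclosure."""
    report = {}
    for h in hits:
        entry = report.setdefault((h.ioc_type, h.value), {"first_seen": h.seen, "hosts": set()})
        entry["first_seen"] = min(entry["first_seen"], h.seen)
        entry["hosts"].add(h.host)
    for entry in report.values():
        entry["hosts"] = sorted(entry["hosts"])
        entry["predates_disclosure"] = entry["first_seen"] < disclosure
    return report


if __name__ == "__main__":
    for (kind, value), entry in summarize(sweep(SAMPLE_LOGS, IOCS), DISCLOSURE_DATE).items():
        flag = "BEFORE disclosure" if entry["predates_disclosure"] else "after disclosure"
        print(f"{kind:6} {value:40} first seen {entry['first_seen']} ({flag}) on {entry['hosts']}")
```

The report answers the questions in the list above directly: which hosts the indicators landed on, and how long they sat in the archive unnoticed. In practice the same logic runs as a saved query against the log store rather than over an in-memory string, and every host it names becomes the starting point for the "is it eradicated everywhere, and what else is dormant" follow-up.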