Modern organizations face the challenge of countering threats effectively and blocking Indicators of Compromise (IOCs) across their network environments. The growing complexity and volume of cyber threats makes it urgent to build robust mechanisms that block specific IOCs without manual intervention. Some organizations have adopted Endpoint Detection and Response (EDR) systems, but these solutions have limitations and still require manual processes to collect and examine IOCs from multiple sources. Such operational barriers prevent organizations from reaching a proactive and efficient defense posture, which matters because IOC blocking plays a critical role in containing the spread of a threat and limiting the damage it can do. Hence the need for a solution that orchestrates automated IOC blocking using tools such as AlienVault Open Threat Exchange (OTX), VirusTotal, CrowdStrike, and Slack. In this presentation we examine the importance of automated IOC blocking and its potential to strengthen network security, and highlight the role these tools play in mitigating evolving cyber threats.
1. Cyber Harmony:
Automated IOC Detection and Response
through Seamless Orchestration
Mohammad Febri, Akshantula Neha
November 5, 2023
IDSECCONF2023, Primakara University, Bali
2. Introduction
Akshantula Neha
Software Development Engineer in Test at Halodoc
Woman in cybersecurity from the National Institute of Engineering, Mysuru, India
ISC2 Certified in Cybersecurity
Mohammad Febri
Sr. Engineering Manager at Halodoc
Cybersecurity researcher and open-source contributor
CEH, OSCP, GCIH
6. Problem Statements
❏ Indicators of compromise (IOCs) change and grow all the time.
❏ Every IOC must be analysed before it can be blocked, and that analysis takes time.
❏ Blocklists end up relying on outdated data.
Objectives
❏ Establish and improve the organisation's security posture.
❏ Create automated threat detection and response.
❏ Provide up-to-date, real-time alerting.
16. Pros and Cons
Implement this
Pros
● Automated analysis and programmatic blocking.
● Frees analyst time for other work.
● Leverages freshly published IOCs.
● Avoids human error during analysis.
Cons
● VirusTotal API rate limits.
● Needs regular maintenance (pipeline, keys/tokens, repository, etc.).
● IOCs with little relevance to the organisation may be analysed and added.
Do not implement this
Pros
● No need to integrate other tools.
Cons
● Manual analysis using the traditional blocking approach.
● Analyst time spent on every IOC.
● IOCs are not up to date.
● May involve human error during analysis.
17. FAQ
Q: Can we add IOCs from other sources?
A: Absolutely, as long as the IOCs arrive in a standardised format.
Q: Is it required to manually run the script every time?
A: No. The existing scripts run periodically as an automation job in Jenkins; the schedule can be daily or close to real time.
Q: Will IOCs be stored? If yes, for how long?
A: CrowdStrike keeps blocking the IOCs for as long as they remain available in its IOC list.
Q: What will happen if the API exceeds the limit?
A: Unfortunately, the request fails with a rate-limit error. Mitigations to consider are rate-limit monitoring, a caching mechanism, request prioritisation, or upgrading the plan.
Q: Does OTX AlienVault provide details or descriptions for the IOCs?
A: Yes, descriptions are provided by AlienVault and can be customised as needed.
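As an added example (not the presenters' code, and not the real OTX, VirusTotal or CrowdStrike client libraries), the following Python models the pipeline the FAQ describes: indicators arrive in a standard {type, indicator} shape, are validated and de-duplicated, looked up through a cached and paced wrapper so the VirusTotal quota is not tripped, and turned into CrowdStrike-style block payloads once the malicious-engine count meets a threshold. The OTX-to-CrowdStrike type mapping, the payload field names, the hash-only "prevent" action, the 4-lookups-per-minute quota, and the sample pulse and verdicts are all assumptions or constructed data; the stub lookup stands in for the network call.

```python
"""Offline model of the OTX -> VirusTotal -> CrowdStrike pipeline from the talk.
Added example, not the presenters' code; the CrowdStrike payload fields and the
4-lookups-per-minute VirusTotal limit are assumptions to check against vendor docs."""
import ipaddress
import re
import time

# OTX indicator types -> CrowdStrike custom-IOC type names (assumed mapping).
OTX_TO_CS_TYPE = {"IPv4": "ipv4", "IPv6": "ipv6", "domain": "domain",
                  "hostname": "domain", "FileHash-MD5": "md5", "FileHash-SHA256": "sha256"}
# Never block internal ranges.  Listed explicitly because ipaddress.is_private would
# also reject the RFC 5737 documentation addresses used as constructed samples below.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "::1/128")]
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
_HASH_LEN = {"md5": 32, "sha256": 64}

def normalise(raw):
    """OTX-style {'type', 'indicator'} dict -> canonical (cs_type, value), or None."""
    cs_type = OTX_TO_CS_TYPE.get(raw.get("type"))
    value = str(raw.get("indicator", "")).strip().lower()
    if cs_type is None or not value:
        return None
    if cs_type in ("ipv4", "ipv6"):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None
        if addr.version != int(cs_type[3]) or any(addr in n for n in _INTERNAL_NETS):
            return None  # wrong address family, or an internal address that must never be blocked
        value = str(addr)
    elif cs_type == "domain" and not _DOMAIN_RE.match(value):
        return None
    elif cs_type in _HASH_LEN and not re.fullmatch(r"[0-9a-f]{%d}" % _HASH_LEN[cs_type], value):
        return None
    return cs_type, value

class RateLimitedLookup:
    """Reputation lookup behind a result cache and a fixed minimum spacing between
    API calls (window_s / max_calls), so bursts are paced instead of failing."""
    def __init__(self, lookup, max_calls=4, window_s=60.0,
                 clock=time.monotonic, sleep=time.sleep):
        self._lookup, self._interval = lookup, window_s / max_calls
        self._clock, self._sleep, self._last, self._cache, self.api_calls = clock, sleep, None, {}, 0

    def __call__(self, value):
        if value in self._cache:              # cache hit spends no API quota
            return self._cache[value]
        now = self._clock()
        if self._last is not None and now - self._last < self._interval:
            self._sleep(self._interval - (now - self._last))   # pace instead of erroring
            now = self._clock()
        self._last, self.api_calls = now, self.api_calls + 1
        self._cache[value] = verdict = self._lookup(value)
        return verdict

def build_payloads(raw_indicators, malicious_count, threshold=5, description="OTX pulse"):
    """Normalise, de-duplicate and score indicators; return CrowdStrike-style payloads
    for those at or above the threshold, plus the rejected raw values.  'prevent' is
    assumed valid only for hashes, so network IOCs are submitted as 'detect'."""
    seen, payloads, rejected = set(), [], []
    for raw in raw_indicators:
        norm = normalise(raw)
        if norm is None:
            rejected.append(raw.get("indicator"))
        elif norm not in seen:
            seen.add(norm)
            cs_type, value = norm
            hits = malicious_count(value)
            if hits >= threshold:
                payloads.append({"type": cs_type, "value": value,
                                 "action": "prevent" if cs_type in _HASH_LEN else "detect",
                                 "severity": "high", "platforms": ["windows", "mac", "linux"],
                                 "description": f"{description} ({hits} engines flagged)"})
    return payloads, rejected

# Constructed samples: an OTX-style pulse and a stand-in for VirusTotal engine counts.
SAMPLE_PULSE = [
    {"type": "IPv4", "indicator": "203.0.113.10"},
    {"type": "IPv4", "indicator": "203.0.113.10"},           # duplicate
    {"type": "IPv4", "indicator": "10.0.0.5"},                # internal: dropped
    {"type": "domain", "indicator": "Evil-Update.EXAMPLE"},   # case is folded
    {"type": "IPv4", "indicator": "192.0.2.55"},              # below threshold
    {"type": "FileHash-MD5", "indicator": "44D88612FEA8A8F36DE82E1278ABB02F"},
    {"type": "FileHash-SHA256", "indicator": "notahash"},     # malformed: dropped
    {"type": "URL", "indicator": "http://example.test/x"},    # unsupported type
]
SAMPLE_VERDICTS = {"203.0.113.10": 12, "evil-update.example": 7,
                   "192.0.2.55": 1, "44d88612fea8a8f36de82e1278abb02f": 60}

def run_demo(threshold=5, max_calls=4):
    """Run the pipeline on the samples with a simulated clock (sleep advances a counter)."""
    clock = {"t": 0.0}
    def sleep(seconds):
        clock["t"] += seconds
    lookup = RateLimitedLookup(lambda v: SAMPLE_VERDICTS.get(v, 0), max_calls=max_calls,
                               clock=lambda: clock["t"], sleep=sleep)
    payloads, rejected = build_payloads(SAMPLE_PULSE, lookup, threshold=threshold)
    return payloads, rejected, lookup, clock["t"]

if __name__ == "__main__":
    for payload in run_demo()[0]:
        print(payload)
```

The pacing wrapper trades burst capacity for simplicity (one call every window/max_calls seconds); its api_calls counter is the cheap form of the rate-limit monitoring the FAQ mentions, and the threshold and type map are the knobs to tune per organisation.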
19. What Next?
01 Adjust
Adjust if any improvements are required, for instance the threshold or the types of IOCs.
02 IOA
Start to consider Indicators of Attack (IOA).
03 AI
Utilise AI to identify traffic anomalies, malicious behaviour or patterns, etc.
20. Thanks!
Any questions?
Let’s connect with us on Linkedin:
● https://www.linkedin.com/in/mohammadfebriramadlan/
● https://www.linkedin.com/in/akshantula-neha-55859922b/