Indicators of Compromise

WitFoo’s Global Indicator of Compromise feed is a secure and reliable way for the WitFoo community to share intelligence about emerging threat sources.

The feed is updated in near-real time as attacks occur across the WitFoo Community. It consists of the IP address and hostname of the attacking source, the tools and methods the community used to detect the threat, and how many incidents the source has been part of across the community.

Hits in the feed are automatically shared across the entire community, and the big data stack of each deployment is retrospectively analyzed to find hits that may have been missed. All records, including firewall, proxy, EDR and NetFlow records, are checked for communications with the known-bad indicators.

Matches against the feed trigger new alerts that either create new incidents or are stitched into existing incidents.

Submissions to the feed are handled automatically by Precinct for customers who opt in to the feed. Consuming the feed requires participating in submissions. All submissions are anonymous.

For an indicator to be submitted to WitFoo Library for analysis, the offending source must have a suspicion of at least 0.75, as computed by Precinct’s human suspicion modeling. Suspicion is a score from 0 to 1 that represents certainty of nefarious activity; automatic observations derived from enrichment move the score closer to 0 or closer to 1. In this example we can see several observations that have driven up suspicion.
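To make the two mechanisms above concrete, here is an added example (not WitFoo or Precinct code) of a retrospective sweep of firewall, proxy, EDR and NetFlow records against an IOC feed, plus the 0.75 suspicion gate that decides whether a source qualifies for submission. The feed entries, record lines, field names and detection labels are all constructed for illustration; the addresses come from RFC 5737 documentation ranges and RFC 1918 private space. How Precinct actually stores records or computes suspicion is not described on the page, so the code only applies the stated threshold.

```python
"""Retrospective IOC sweep and submission gate (added example, not WitFoo code)."""
import ipaddress
import re
from dataclasses import dataclass

SUBMISSION_THRESHOLD = 0.75  # minimum suspicion before a source is submitted (from the text)


@dataclass(frozen=True)
class Indicator:
    """One feed entry: attacking IP/hostname, tools or methods that detected it, incident count."""
    ip: str
    hostname: str
    detections: tuple
    incident_count: int


# Constructed sample feed (hypothetical values; addresses are RFC 5737 documentation ranges).
FEED = [
    Indicator("203.0.113.45", "bad-host.example", ("ids:ET TROJAN", "edr:beacon"), 17),
    Indicator("198.51.100.9", "c2.example.net", ("proxy:uncategorized",), 3),
]

# Constructed sample records covering the record types named in the text
# (firewall, proxy, EDR, NetFlow). Field layouts are invented for the example.
RECORDS = [
    "firewall src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "proxy client=10.0.0.7 host=c2.example.net url=/gate.php status=200",
    "edr host=ws-12 proc=svchost.exe remote=203.0.113.45:8443",
    "netflow 10.0.0.9:51234 -> 192.0.2.10:80 bytes=512",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def build_index(feed):
    """Map every IP and lower-cased hostname in the feed to its Indicator for O(1) lookup."""
    index = {}
    for ind in feed:
        index[ind.ip] = ind
        index[ind.hostname.lower()] = ind
    return index


def extract_ips(record):
    """Return the syntactically valid IPv4 addresses found in a record, in order."""
    found = []
    for candidate in IPV4_RE.findall(record):
        try:
            ipaddress.IPv4Address(candidate)  # drops octets > 255 and similar junk
        except ValueError:
            continue
        found.append(candidate)
    return found


def extract_hosts(record):
    """Return dotted names in a record, lower-cased. File names such as svchost.exe
    can appear here too; they are harmless because only exact feed entries match."""
    return [h.lower() for h in HOST_RE.findall(record)]


def sweep(records, feed):
    """Retrospectively check each record against the feed.

    Returns (record, Indicator) pairs in record order, one per distinct indicator
    per record, so a record naming the same indicator twice yields a single hit."""
    index = build_index(feed)
    hits = []
    for record in records:
        seen = set()
        for key in extract_ips(record) + extract_hosts(record):
            ind = index.get(key)
            if ind is not None and ind.ip not in seen:
                seen.add(ind.ip)
                hits.append((record, ind))
    return hits


def hits_by_indicator(hits):
    """Count matched records per indicator IP: the local analogue of the feed's incident count."""
    counts = {}
    for _, ind in hits:
        counts[ind.ip] = counts.get(ind.ip, 0) + 1
    return counts


def should_submit(suspicion):
    """Submission gate: suspicion is a score in [0, 1]; only sources at or above 0.75 qualify."""
    return 0.0 <= suspicion <= 1.0 and suspicion >= SUBMISSION_THRESHOLD


if __name__ == "__main__":
    found = sweep(RECORDS, FEED)
    for record, ind in found:
        print(f"HIT {ind.ip} ({ind.hostname}) detected by {', '.join(ind.detections)} "
              f"in {ind.incident_count} community incidents <- {record}")
    print("local hit counts:", hits_by_indicator(found))
    print("submit at 0.80?", should_submit(0.80), "submit at 0.60?", should_submit(0.60))
```

Two design points worth noting: the index is keyed on both the IP and the hostname so a proxy log that only records the name still matches, and the gate rejects values outside [0, 1] rather than treating an out-of-range score as "certain", which keeps a malformed enrichment result from triggering a submission.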

Additionally, we can see this host is listed on the Global IOC feed.

Where specific security tools provide overlapping detection coverage (gap overlap detection), community members with those tools can share the indicators with members who do not currently use those tools. This not only lets the Community share threat intelligence to respond to advanced attackers, it also lets Community members safely share how effective particular security tools are at detecting these types of advanced threats. This data is extremely helpful in making purchasing decisions.

By allowing WitFoo Community members to safely share reliable emerging threat data, WitFoo customers can quickly respond to emerging threats while identifying holes in their security architecture.

WitFoo Global IOC Feed is threat intelligence, leveled up.

The post WitFoo Global Community Indicator of Compromise (IOC) Feed Demo appeared first on WitFoo.