Configure Indicators of Compromise

The Indicators of Compromise (IOC) for the Malware Analysis scoring modules are configured since, each Malware Analysis scoring module -- Network, Static, Community, Sandbox, and YARA -- has a default set of Indicators of Compromise (IOCs) that it uses to evaluate the file and session data in order to assess the likelihood of malware being present.

Each IOC is assigned a numeric score weighting between -100 (good) and 100 (bad). When an IOC triggers, the numeric score weighting is factored into the total score for the session or file being analyzed. The individual score weightings for all matched IOCs are aggregated to produce the resulting score for each session or file. The aggregated score is adjusted to ensure that it does not exceed the valid score range (-100 through 100).

Note: The score weighting assigned to an IOC is not always the explicit score value that is aggregated (it is not a simple addition of score weights for each IOC that triggers). Instead, the IOC's score is a weighting or indicator of importance that is factored into calculating an overall score.

The Indicators of Compromise (IOC) configuration settings for Malware Analysis are in the Service Config view > Indicators of Compromise tab. Below is an example of the tab.

122_MaCon_IndicatorsofCompromise_1222.png

Using the Community - File Hash: AntiVirus (Primary Vendor) Flagged File IOC as an example, the IOC's score weighting could be set to 100. However, Malware Analysis dilutes this value based on the percentage of primary AV vendors that agree if the sample is malicious. The closer to 100% of the vendors who agree that the sample is malicious, the closer to the full 100 points are used in aggregating a score. As the percentage drops closer to 0%, the proportion of the full 100 points used in the aggregated score drops.

IOCs use logic implemented natively in Malware Analysis. You cannot adjust the logic. Instead, you can only adjust the IOC to increase or decrease its impact on scoring, to indicate a confidence setting, or to turn the IOC on or off. The typical scenario is to adjust a limited set of IOC score weighting values downward for IOCs that are inflating the final score and causing false positive analysis results. An extreme version of tuning would be to disable the IOCs entirely if they consistently contribute to false positive results. Additionally, the flexibility exists to allow you to disable all IOCs and to choose a select few to leave enabled. For example, all IOCs can be disabled with the exception of a select few IOCs that detect AntiVirus matches. Using Malware Analysis in this extremely limited configuration, you can reduce results in Malware Analysis such that only known A/V matches generate results.

You can configure this functionality in several ways:

  • Disable IOCs so that they are not evaluated as part of the scoring module to which they are assigned.
  • Adjust the score weight for an IOC such that its impact on the aggregated score is increased or decreased.
  • Mark IOCs that you expect to be strong indicators of malware and display a high-confidence (HC) flag on sessions that triggered these IOCs in the Malware Analysis results.
  • Customize score and confidence settings uniquely to the file type being analyzed. Each IOC is pre-assigned a file type to which it is applied. Possible values are ALL, PDF, MS Office, and Windows PE. The IOC with the most applicable file type is used during file-based analysis. For example, if a PDF is analyzed, an IOC with a file type set to PDF will be chosen rather than the same IOC with a file type set to ALL. If no file-type specific match is found, the IOC with a file type set to ALL is selected.
  • Search for rules to display in the grid based on a match to the rule description.

Filter Displayed IOCs by Module

You can filter the displayed IOCs by scoring module: one of the four built-in modules or YARA. YARA-based IOCs are interleaved with the native IOCs with each category. Although the YARA IOCs are not identified as such in the other views, you can select YARA from the Module selection list to see a list of YARA rules.

To view the IOCs for one or the four scoring modules or for YARA:

    1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
    2. Select a Malware Analysis service.
    3. In the row, select netwitness_macon_settingsicon.png > View > Config.
    4. Click the Indicators of Compromise tab.
    5. In the Module selection list, select All, NextGen, Static, Community, Sandbox, or YARA.
      The configured rules and settings for the module are displayed.
122_MaCon_IoCOptions_1222.png

Filter Displayed Modules to Show Only Modified Modules

The Indicators of Compromise tab visually identifies IOCs that are locally modified. When an IOC has been modified, for example, the score weight has been changed, and the name is displayed in red and includes a modification indicator appended to the IOC name. The modification indicator is ++ and can be used as a filtering mechanism when searching for IOCs.
To limit the display to locally modified IOCs:

  1. In the Description field, enter ++.
  2. Click Search.
    The view is filtered to show only modified IOCs.

Enable and Disable IOCs for a Scoring Module

When an IOC is disabled, it no longer impacts the aggregate score for the scoring module to which it belongs. If the IOC has multiple instances (differentiated only by file type), disabling a more file-type specific IOC results in use of the more file-type agnostic version of the IOC in scoring.

For example, if the same IOC exists as file type ALL and file type Windows PE, disabling the Windows PE instance of the IOC causes the ALL version to be used in scoring. In order to disable the IOC entirely for Windows PE, while leaving the IOC enabled for other file types, set the score weighting of the Windows PE instance of the IOC to a value of zero as described below. This leaves the IOC enabled for Windows PE files (although it has a zero weighting and is suppressed from being displayed in analysis results), while not affecting the other file types. The remaining file types will continue to use the ALL instance of the IOC.

To enable or disable an IOC so that it no longer factors into a scoring module:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. Select a Malware Analysis service, and in the row select netwitness_macon_settingsicon.png> View > Config.
  3. Click the Indicators of Compromise tab.
  4. In the Module selection list, select a scoring module: All, Community, Network, Sandbox, Static, or YARA.
    The configured rules and settings for the module are displayed.
  5. Do one of the following:
    1. Click the Enabled checkbox in the column next to a rule that you want to enable.
    2. Select one or more rules, and click Enable or Disable in the toolbar.
    3. To toggle between Enabled and Disabled for all rules displayed on the page, click the Enabled checkbox in the column title.
    4. To enable or disable all rules for the scoring module, click Enable All or Disable All in the toolbar.
  6. To save the changes to the page, click Save in the toolbar.

Note: Rules that have changed settings are displayed with a red corner. If you navigate to another page of rules before saving, all changes to this page are lost.

Adjust the Score Weight for an IOC

Adjusting the score weight for an IOC increases or decreases the IOC's overall impact on the aggregate score for the module in which it is configured. To raise or lower the overall impact of the IOC, reduce the current value to a new setting.

  • Values ranging from -100 to -1 indicate that the session or file being analyzed is not likely to be malware (-100 being the least likelihood).
  • Values ranging from 1 to 100 indicate a likelihood that the file or session being analyzed is malware (100 being the highest likelihood).
  • Setting the value to zero leaves the IOC enabled, but causes the IOC to no longer impact the aggregate score and suppresses the IOC from being displayed in analysis results. Setting the value to zero is a method of disabling a file-type specific instance of an IOC while leaving the original file-type agnostic instance of the rule intact for scoring of the remaining file types.

To adjust the score weight:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. Select a Malware Analysis service.
  3. In the row, selectnetwitness_macon_settingsicon.png > View > Config.
  4. Click the Indicators of Compromise tab.
  5. In the Module selection list, select a scoring module: All, Network, Static, Community, Sandbox or YARA.
    The configured rules and settings for the module are displayed.
  6. Do one of the following:
    1. Drag the score slider left or right to decrease or increase the score weight.
    2. Click directly on the displayed score weight and enter a new score weight.
  7. To save the changes to the page, click Save in the toolbar.

Note: Rules that have changed settings are displayed with a red corner. If you navigate to another page of rules before saving, all changes to this page are lost.

Set the High Confidence Flag for an IOC

The High Confidence setting is used as a method of flagging specific IOCs as high confidence indicators that malware is present. As an example, the Community - File Hash: AntiVirus (Primary Vendor) Flagged File IOC has a low probability of being a false positive, combined with a high probability of being an accurate measurement of malware being present. By flagging this IOC (and others) as High Confidence, you can use a filter in the Malware Analysis results to limit display to only those sessions that include one or more high confidence rules. By doing so, the display is limited to a smaller subset of results whose accuracy is accorded a higher degree of confidence. Displaying results not limited to high confidence IOCs still allows you to review results that are more grey in nature. This provides for results that are less prone to false negative results. Choosing to filter or to not filter results based on confidence level has a valid use case in the NetWitness workflow.

To set the High Confidence flag:

  1. In the Indicators of Compromise tab, select a scoring module from the Module selection list: All, Network, Static, Community, Sandbox, or YARA.
    The configured rules and settings for the module are displayed.
  2. Click the High Confidence checkbox in the column next to a rule that you want to flag or unflag as highly likely to indicate the presence of malware in a session when matched.
  3. To save the changes to the page, click Save in the toolbar.

Note: Rules that have changed settings are displayed with a red corner. If you navigate to another page of rules before saving, all changes to this page are lost.

Reset IOCs to Default Settings

  1. In the Indicators of Compromise tab, select a scoring module from the Module selection list: All, Network, Static, Community, Sandbox, or YARA.
    The configured rules and settings for the module are displayed.
  2. If you want to reset all rules on the current page to their default settings, click Reset in the toolbar.
  3. If you want to reset all rules for the selected scoring module to default settings, click Reset All in the toolbar.
  4. To save changes to the page, click Save in the toolbar.