One Article Review

Home - The article:
Source Blog taosecurity
Identifier 918838
Publication date 2018-11-25 15:48:54 (viewed: 2018-11-25 22:03:40)
Title The Origin of the Term Indicators of Compromise (IOCs)
Text I am an historian. I practice digital security, but I earned a bachelor's of science degree in history from the United States Air Force Academy. (1) Historians create products by analyzing artifacts, among which the most significant is the written word.

In my last post, I talked about IOCs, or indicators of compromise. Do you know the origin of the term? I thought I did, but I wanted to rely on my historian's methodology to invalidate or confirm my understanding.

I became aware of the term "indicator" as an element of indications and warning (I&W), when I attended Air Force Intelligence Officer's school in 1996-1997. I will return to this shortly, but I did not encounter the term "indicator" in a digital security context until I encountered the work of Kevin Mandia.

In August 2001, shortly after its publication, I read Incident Response: Investigating Computer Crime, by Kevin Mandia, Chris Prosise, and Matt Pepe (Osborne/McGraw-Hill). I was so impressed by this work that I managed to secure a job with their company, Foundstone, by April 2002. I joined the Foundstone incident response team, which was led by Kevin and consisted of Matt Pepe, Keith Jones, Julie Darmstadt, and me.

I Tweeted earlier today that Kevin invented the term "indicator" (in the IR context) in that 2001 edition, but a quick review of the hard copy in my library does not show its usage, at least not prominently. I believe we were using the term in the office but that it had not appeared in the 2001 book. Documentation would seem to confirm that, as Kevin was working on the second edition of the IR book (to which I contributed), and that version, published in 2003, features the term "indicator" in multiple locations.

In fact, the earliest use of the term "indicators of compromise," appearing in print in a digital security context, appears on page 280 in Incident Response & Computer Forensics, 2nd Edition.

From other uses of the term "indicators" in that IR book, you can observe that IOC wasn't a formal, independent concept at this point, in 2003. In the same excerpt above you see "indicators of attack" mentioned.

The first citation of the term "indicators" in the 2003 book shows it is meant as an investigative lead or tip:
Sent Yes
Tags Malware Tool Guideline


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.