Analyzing Indicators of Compromise

When to Use

Use this skill when:
  • A phishing email or alert generates IOCs (URLs, IP addresses, file hashes) requiring rapid triage
  • Automated feeds deliver bulk IOCs that need confidence scoring before ingestion into blocking controls
  • An incident investigation requires contextual enrichment of observed network artifacts
Do not use this skill in isolation for high-stakes blocking decisions — always combine automated enrichment with analyst judgment, especially for shared infrastructure (CDNs, cloud providers).

Prerequisites

  • VirusTotal API key (free or Enterprise) for multi-AV and sandbox lookup
  • AbuseIPDB API key for IP reputation checks
  • MISP instance or TIP for cross-referencing against known campaigns
  • Python with the `requests` and `vt-py` libraries, or a SOAR platform with pre-built connectors

Workflow

Step 1: Normalize and Classify IOC Types

Before enriching, classify each IOC:
  • IPv4/IPv6 address: Check if RFC 1918 private (skip external enrichment), validate format
  • Domain/FQDN: Defang for safe handling (`evil[.]com`), extract registered domain via tldextract
  • URL: Extract domain + path separately; check for redirectors
  • File hash: Identify hash type (MD5/SHA-1/SHA-256); prefer SHA-256 for uniqueness
  • Email address: Split into domain (check MX/DMARC) and local part for pattern analysis
Defang IOCs in documentation (replace `.` with `[.]` and `://` with `[://]`) to prevent accidental clicks.

Step 2: Multi-Source Enrichment

步骤2:多源情报富集

**VirusTotal (file hash, URL, IP, domain)**:
```python
import vt

# Placeholders: substitute the IOC values under analysis
sha256_hash = "SHA256_HASH_UNDER_ANALYSIS"
domain = "evil-domain.com"

client = vt.Client("YOUR_VT_API_KEY")

# File hash lookup
file_obj = client.get_object(f"/files/{sha256_hash}")
detections = file_obj.last_analysis_stats
print(f"Malicious: {detections['malicious']}/{sum(detections.values())}")

# Domain analysis
domain_obj = client.get_object(f"/domains/{domain}")
print(domain_obj.last_analysis_stats)
print(domain_obj.reputation)
client.close()
```

**AbuseIPDB (IP addresses)**:
```python
import requests

response = requests.get(
    "https://api.abuseipdb.com/api/v2/check",
    headers={"Key": "YOUR_KEY", "Accept": "application/json"},
    params={"ipAddress": "1.2.3.4", "maxAgeInDays": 90},
)
data = response.json()["data"]
print(f"Confidence: {data['abuseConfidenceScore']}%, Reports: {data['totalReports']}")
```

**MalwareBazaar (file hashes)**:
```python
import requests

sha256_hash = "SHA256_HASH_UNDER_ANALYSIS"  # placeholder

response = requests.post(
    "https://mb-api.abuse.ch/api/v1/",
    data={"query": "get_info", "hash": sha256_hash},
)
result = response.json()
if result["query_status"] == "ok":
    print(result["data"][0]["tags"], result["data"][0]["signature"])
```

Step 3: Contextualize with Campaign Attribution

Query MISP for existing events matching the IOC:
```python
from pymisp import PyMISP

misp = PyMISP("https://misp.example.com", "API_KEY")
results = misp.search(value="evil-domain.com", type_attribute="domain")
for event in results:
    print(event["Event"]["info"], event["Event"]["threat_level_id"])
```

Check Shodan for IP context (hosting provider, open ports, banners) to identify whether the IP belongs to bulletproof hosting or a legitimate cloud provider (false positive risk).

Step 4: Assign Confidence Score and Disposition

Apply a tiered decision framework:
  • Block (High Confidence ≥ 70%): ≥15 AV detections on VT, AbuseIPDB score ≥70, matches known malware family or campaign
  • Monitor/Alert (Medium 40–69%): 5–14 AV detections, moderate AbuseIPDB score, no campaign attribution
  • Whitelist/Investigate (Low <40%): ≤4 AV detections, no abuse reports, legitimate service (Google, Cloudflare CDN IPs)
  • False Positive: Legitimate business service incorrectly flagged; document and exclude from future alerts
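The tiered framework applied to an enrichment record, as an added example (not the skill page's own code). The VT detection bands, AbuseIPDB thresholds and 70/40 cut-offs come from the list above; mapping a VT band to a percentage, taking the strongest single signal, and the shared-infrastructure guard (from Common Pitfalls) are assumptions of this example, as are the constructed sample records.

```python
# Added example (not the skill page's own code): Step 4 tiering applied to an
# enrichment record. VT/AbuseIPDB bands follow the page; mapping the VT band to
# a percentage and the shared-infrastructure guard are assumptions.
SHARED_INFRA = {"cloudflare", "amazon cloudfront", "google", "akamai", "fastly"}


def vt_band(malicious_count):
    """Map a VirusTotal detection count onto the page's tiers as a percentage."""
    if malicious_count >= 15:
        return 80
    if malicious_count >= 5:
        return 50
    return 20


def confidence(rec):
    """Strongest single signal wins: AV consensus, abuse reports, or campaign match."""
    signals = [vt_band(rec.get("vt_malicious", 0)), rec.get("abuseipdb_score", 0)]
    if rec.get("campaign"):
        signals.append(90)
    return max(signals)


def disposition(rec):
    """Return (confidence, action, reason) for one enrichment record."""
    score = confidence(rec)
    shared = rec.get("provider", "").lower() in SHARED_INFRA
    if score >= 70 and shared:
        return (score, "monitor", "high confidence on shared infrastructure; analyst review before any block")
    if score >= 70:
        return (score, "block", "high confidence")
    if score >= 40:
        return (score, "monitor", "medium confidence, no attribution")
    if rec.get("known_legitimate"):
        return (score, "false_positive", "legitimate service; document and exclude from future alerts")
    return (score, "investigate", "low confidence")


# Constructed records standing in for Step 2/3 output (values are samples)
SAMPLE_RECORDS = [
    {"ioc": "1.2.3.4", "vt_malicious": 22, "abuseipdb_score": 95, "campaign": "sample-campaign"},
    {"ioc": "evil-domain.com", "vt_malicious": 7, "abuseipdb_score": 30},
    {"ioc": "104.21.0.1", "vt_malicious": 18, "abuseipdb_score": 75, "provider": "Cloudflare"},
    {"ioc": "8.8.8.8", "vt_malicious": 1, "abuseipdb_score": 0, "known_legitimate": True},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["ioc"], disposition(rec))
```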

Step 5: Document and Distribute

Record findings in TIP/MISP with:
  • All enrichment data collected (timestamps, source, score)
  • Disposition decision and rationale
  • Blocking actions taken (firewall, proxy, DNS sinkhole)
  • Related incident ticket number
Export to STIX indicator object with confidence field set appropriately.
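A STIX 2.1 Indicator built as a plain dict for the export in this step, added as an example that is not the skill page's or any library's code. The 30-day IP and 90-day domain expiries come from the Key Concepts TTL entry; the URL and hash TTLs, the `SAMPLE_NOW` fixed timestamp and the function names are assumptions of this example.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Added example (not the skill page's own code): a STIX 2.1 Indicator for
# Step 5 as a plain dict, with valid_until derived from the TTLs in Key
# Concepts (IP 30 days, domain 90 days); URL and hash TTLs are assumptions.
TTL_DAYS = {"ip": 30, "domain": 90, "url": 90, "sha256": 180}
PATTERNS = {
    "ip": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample run
SAMPLE_LATER = SAMPLE_NOW + timedelta(days=45)


def stix_ts(dt):
    """STIX 2.1 timestamp: UTC, millisecond precision, trailing Z."""
    utc = dt.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"


def stix_indicator(ioc_type, value, confidence, disposition, now=None):
    """Build an Indicator SDO; confidence is the 0-100 score from Step 4."""
    now = now or datetime.now(timezone.utc)
    literal = value.replace("\\", "\\\\").replace("'", "\\'")  # escape STIX string literal
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stix_ts(now),
        "modified": stix_ts(now),
        "name": f"{ioc_type}: {value} ({disposition})",
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[ioc_type].format(v=literal),
        "pattern_type": "stix",
        "valid_from": stix_ts(now),
        "valid_until": stix_ts(now + timedelta(days=TTL_DAYS[ioc_type])),
        "confidence": int(confidence),
    }


def is_expired(indicator, now=None):
    """True once valid_until has passed; expired indicators leave the blocklist."""
    now = now or datetime.now(timezone.utc)
    until = datetime.strptime(indicator["valid_until"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return now >= until.replace(tzinfo=timezone.utc)
```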

Key Concepts

| Term | Definition |
| --- | --- |
| IOC | Indicator of Compromise — observable network or host artifact indicating potential compromise |
| Enrichment | Process of adding contextual data to a raw IOC from multiple intelligence sources |
| Defanging | Modifying IOCs (replacing `.` with `[.]`) to prevent accidental activation in documentation |
| False Positive Rate | Percentage of benign artifacts incorrectly flagged as malicious; critical for tuning block thresholds |
| Sinkhole | DNS server redirecting malicious domain lookups to a benign IP for detection without blocking traffic entirely |
| TTL | Time-to-live for an IOC in blocking controls; IP indicators should expire after 30 days, domains after 90 days |

Tools & Systems

  • VirusTotal: Multi-engine malware scanner and threat intelligence platform with 70+ AV engines, sandbox reports, and community comments
  • AbuseIPDB: Community-maintained IP reputation database with 90-day abuse report history
  • MalwareBazaar (abuse.ch): Free malware hash repository with YARA rule associations and malware family tagging
  • URLScan.io: Free URL analysis service that captures screenshots, DOM, and network requests for phishing URL triage
  • Shodan: Internet-wide scan data providing hosting provider, open ports, and banner information for IP enrichment

Common Pitfalls

  • Blocking shared infrastructure: CDN IPs (Cloudflare 104.21.x.x, AWS CloudFront) may legitimately host malicious content but blocking the IP disrupts thousands of legitimate sites.
  • VT score obsession: Low VT detection count does not mean benign — zero-day malware and custom APT tools often score 0 initially. Check sandbox behavior, MISP, and passive DNS.
  • Missing defanging: Pasting live IOCs in emails or Confluence docs can trigger automated URL scanners or phishing tools.
  • No expiration policy: IOCs without TTLs accumulate in blocklists indefinitely, generating false positives as infrastructure is repurposed by legitimate users.
  • Over-relying on single source: VirusTotal aggregates AV opinions — all may be wrong or lag behind emerging malware. Use 3+ independent sources for high-stakes decisions.