We use cookies to improve your experience. Do you accept?

Skip to main content

Manage Custom Threat Indicators (IOCs) with CFTR version 2.1

Manage Custom Threat Indicators (IOCs) with CFTR version 2.1 - Featured Image

Indicators of Compromise (IoCs) May 1, 2020

What are Custom Threat Indicators?

  • Custom threat indicators are specialized patterns of relevant observable malicious activities that Incident Response Analysts can track to identify and manage threat intelligence as per their specific threat response needs.

  • These indicators are different from the standard indicators of compromise (IOCs) such as IP addresses, domain names, malicious URLs, and hashes.

  • Some examples of custom threat indicators include file names, file paths, running services, credit card numbers, IMEI numbers, registry keys, fully qualified file names (FQFN), services, criminal records, etc.

What is the need for Custom Threat Indicators?

  • During incident investigations , Incident Response Analysts come across several special indicators that they find necessary to document.

  • These indicators help analysts to interpret and handle malicious activity in their operational cyber domain.

  • For Example - If multiple endpoints display similar behavior for a service that is being executed from a specific file path, then Threat Response Analysts can leverage these custom indicators to gain more information about the threat activity.

  • Therefore, it is important for threat response platforms to be flexible to allow capturing and enrichment of these indicators.

Do Cyware’s platforms support Custom Threat Indicators?

The Cyware Fusion and Threat Response (CFTR) platform allows Incident Response Analysts to create their own custom threat indicators of compromise (IOCs) to meet the specific threat intelligence management needs of their organization.

  • Incident Response Admins : The platform allows Incident Response Admins to define custom indicators and indicator properties.
  • Incident Response Analysts : The platform allows Incident Response Analysts to capture these indicators and their attributes during the incident investigation and leverage them to connect the dots with different threats such as malware, vulnerabilities, threat actors, or past incidents.
  • SOC Managers: The capability also allows the SOC managers to gain more visibility into their organization’s threat profile by creating KPI and KRI reports for these indicators.
  • Custom Connectors : The platform allows for the creation of custom connectors via Cyware Security Orchestration Layer (CSOL) for the enrichment of these indicators from trusted sources.

An Added Advantage

The custom indicator capability allows threat response teams to mature their response operations by tracking, enriching, and connecting the dots between various threat elements and drawing enhanced contextual intelligence for enhanced threat response.

Related Blogs