View More guides on Cyber Threat Intelligence
What is Open Indicators of Compromise (OpenIOC) Framework?
Posted on: June 17, 2019
OpenIOC is an open framework, meant for sharing threat intelligence information in a machine-readable format. It was developed by the American cybersecurity firm MANDIANT in November 2011. It is written in eXtensible Markup Language (XML) and can be easily customized for additional intelligence so that incident responders can translate their knowledge into a standard format. Organizations can leverage this format to share threat-related latest Indicators of Compromise (IoCs) with other organizations, enabling real-time protection against the latest threats.
What is the schema of OpenIOC?
The base schema of OpenIOC is a simple framework that is written in XML, which can be used to document and classify forensic artifacts of an intrusion occurring across any network or host. The framework comes with a 500 pre-defined base set of indicators, as provided by MANDIANT. These pre-defined sets of environments can be used to track down advanced threats. The base schema can be extended further to include additional indicators from multiple sources. The users of OpenIOC are free to create and add their own sets of indicators and extend it as they see fit.
Why should organizations use OpenIOC?
Conventional methods of detecting security breaches are no longer adequate, as simple signatures have become very easy for an intruder to overcome. Various organizations across same or even different sectors need to be able to communicate on how to spot intruders in their hosts and networks using a machine digestible format that can get rid of a human delay from intelligence sharing. OpenIOC provides a common platform to enable this communication.
Why are the benefits of OpenIOC?
By using the OpenIOC framework, the organizations will have access to the latest IOCs shared by other organizations. These IOCs can be readily leveraged by multiple threat detection tools, enabling real-time threat detection capabilities. With this, organizations can benefit from the collaborative effect of shared threat intelligence within their industry, as well as global Fortune 1000 companies. Having features like customization and extensions, the framework also offers MANDIANT’s field-tested Indicators of Compromises (IoCs), as well as the option for creating user’s own custom sets of indicators.