An overview of the feeds/Indicators of Compromise supplied by NOCACTI

What is NOCACTI

NOCACTI is a Cyber Threat Intelligence project that’s been running for several years.

The goal is to share high confidence and context rich indicators of compromise with the cyber community.

NOCACTI was originally started because I was salty. So often as an analyst you'd find Indicators of Compromise involved in alerts with little to no context, and them turning out to be nothing burgers due to low confidence! While this of course isn't all sources by any means and there are plenty of other amazing providers out there, I wanted to also try and do better, which led me to starting NOCACTI.

Before diving into the broad types of feeds published by NOCACTI, here’s a diagram from our graphic design team with over 200 years of combined experience ;^)

Adversary Infrastructure

Adversary Infrastructure was the second major feed and is the one I believe has the most detection value; it also comes with a very high confidence rating.

Adversary Infrastructure Indicators of Compromise are indicators that come directly from hosts that are hosting 'offensive' cyber security tooling, such as Command and Control servers or known hack-tools.

A big advantage of NOCACTI's approach to Adversary Infrastructure is that it's not reactive, but proactive. Rather than waiting for hits on a Honeypot, or even a live system, our approach is to actively go looking for Adversary Infrastructure - allowing us to identify systems even before they conduct an attack.

While adversaries obfuscating or hiding their infrastructure can of course avoid being picked up, so often we find adversaries using default settings or tooling that can be discovered and used for these detections!

This feed can provide some amazing value, but keep in mind that the reported IPs especially can be noisy to alert on unless you look specifically for outbound traffic, which is what we recommend. Any outbound traffic to an adversary infrastructure indicator points towards a compromised host reaching out to a command and control server, and we'd highly recommend digging into any involved detections to find out why the connection is occurring.
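The outbound-only matching recommended above, written out as an added example (this is not NOCACTI's own code or feed format). The indicator entries and connection-log lines are constructed placeholders, and "internal" is assumed to mean the RFC 1918 ranges.

```python
import ipaddress
from typing import Dict, List

# Constructed stand-in for a few Adversary Infrastructure feed entries
# (placeholder addresses from the TEST-NET documentation ranges, with the
# context string a feed would attach). Not real NOCACTI data.
ADVERSARY_INFRA: Dict[str, str] = {
    "203.0.113.45": "Command and Control server (constructed entry)",
    "198.51.100.7": "host serving a known hack-tool (constructed entry)",
}

# Constructed connection log: "<timestamp> <src_ip> <dst_ip> <dst_port>".
# Line 2 is an inbound scan from a listed IP: exactly the noisy hit we skip.
SAMPLE_LOGS: List[str] = [
    "2024-01-01T10:00:00Z 10.0.0.5 203.0.113.45 443",
    "2024-01-01T10:00:01Z 203.0.113.45 10.0.0.80 22",
    "2024-01-01T10:00:02Z 10.0.0.9 8.8.8.8 53",
    "2024-01-01T10:00:03Z 10.0.1.3 198.51.100.7 8080",
]

# Assumed definition of "our network": the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when ip falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Dict[str, object]:
    ts, src, dst, port = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port)}


def outbound_hits(lines: List[str], indicators: Dict[str, str]) -> List[Dict[str, object]]:
    """Alert only on internal -> external connections whose destination is a
    listed indicator. Direction is derived from the addresses, not trusted
    from the log, so inbound scans from listed IPs never raise an alert."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if not is_internal(ev["src"]) or is_internal(ev["dst"]):
            continue  # inbound or internal-only traffic: skip
        context = indicators.get(ev["dst"])
        if context:
            alerts.append({**ev, "context": context})
    return alerts


if __name__ == "__main__":
    for alert in outbound_hits(SAMPLE_LOGS, ADVERSARY_INFRA):
        print(f"{alert['ts']} {alert['src']} -> {alert['dst']}:{alert['port']}  {alert['context']}")
```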

A snapshot of the Adversary Infrastructure main feed

Intrusion

Intrusion IoCs from NOCACTI cover indicators relating to an intrusion into a system. For example, an adversary connecting to an exposed MySQL instance and running a number of queries to discover data.

The type of indicator provided in an 'Intrusion' event is largely dependent on the service being monitored. For example:

  • SSH and MySQL intrusions generally have the IP the adversary is connecting from, along with any files dropped and commands executed
  • FortiGate intrusions will have 'Web' related artifacts associated with the intrusion, such as URLs hit, User Agent and IPs of the attacker, and in many cases the exploits used by the adversary

Commands run after an adversary connects to a Linux host over SSH

CVE-2018-13379 exploitation attempt on a FortiGate device.

With Intrusion indicators, NOCACTI seeks to always group these into specific objects, so an indicator such as an IP can always be tied back to the specific commands run, service targeted, and artifacts dropped. This provides a 'context' rich experience when investigating indicators, as it's much easier to see all events associated with any given identified indicator.