First-referenced publicly in Incident Response & Computer Forensics (McGraw-Hill, 2003), co-authored by MANDIANT Chief Executive Officer Kevin Mandia, the term Indicator of Compromise (IOC) has been advanced by MANDIANT into a format that standardizes how computer security professionals define and search for characteristics of advanced attacks.
The public release of both IOC Finder and www.openioc.org represent a new chapter for the OpenIOC standard, which was originally designed to enable MANDIANT’s products to codify intelligence in order to rapidly search for potential security breaches. Now, in response to requests from across the user community, MANDIANT has standardized and open sourced the OpenIOC schema and is releasing tools and utilities to allow security teams to describe the technical characteristics that identify a known threat, an attacker’s methodology, or other evidence of a compromise and share it at machine speed. Released as open source under the Apache2 license, MANDIANT maintains the OpenIOC base schema of more than 500 indicator definitions, which it has developed over the course of detecting and responding to hundreds of computer security breaches.
“In the threat landscape that confronts us today defenders must succeed one hundred percent of the time while the attackers only need to get through once to be successful,” said MANDIANT Chief Technology Officer Dave Merkel. “By making OpenIOC public and customizable, we are making it possible to automate the intelligence sharing process so incident responders can more rapidly detect, respond and contain targeted attacks.”
With today’s announcement the following tools and resources are now available:
OpenIOC Standard: An open format for recording, defining, and sharing threat information in a machine digestible format. OpenIOC can be easily modified as additional intelligence is gathered so that incident responders can translate their knowledge into a format that can be used by various technologies to sweep an enterprise for signs that it has been compromised.
MANDIANT IOC EditorTM: A free tool that allows for the easy creation of IOCs using a graphical interface rather than having to edit raw XML. IOCs created with IOC Editor can then be shared with other responders inside and outside the organization.
MANDIANT IOC FinderTM: A free tool that can acquire data from a single host and check the IOC against the collected data to see if the host matches conditions in the IOC. Once results are verified, responders can refine the IOC or use it to search other endpoints.
OpenIOC Web Site: The newly launched www.openioc.org web portal serves as a central source of information for sharing information and promoting adoption of the OpenIOC standard.
Additional information on the OpenIOC standard can be found at www.openioc.org and in a blog post published by MANDIANT.
MANDIANT is the leader in advanced threat detection and response solutions. Headquartered in Alexandria, Virginia, with offices in New York, Los Angeles, San Francisco and Reston, Virginia, MANDIANT provides products, professional services and education to Fortune 500 companies, financial institutions, government agencies, domestic and foreign police departments and the world’s leading law firms. The authors of 11 books and quoted frequently by leading media organizations, MANDIANT security consultants and engineers hold top government security clearances and certifications and advanced degrees from some of the most prestigious computer science universities. To learn more about MANDIANT visit www.mandiant.com, read the company blog, M-Unition, follow on Twitter @MANDIANT or Facebook at