A few days ago, I wrote a diary on the SANS ISC website about automating the search for IOC’s (“Indicator of Compromise“). The use of tools to collect such information (IP addresses, domains, hashes, …)Â is very useful to build a list ofÂ interesting IOC’s … or not!Â Today, I wrote another diary about the recent threat that Apple faced with hundreds of malicious apps accepted on the AppStore (XCodeGhost).
A few hours later, a colleague at SANS ISC reportedÂ this:
My diary contained a list of suspicious IP addresses. As you can see, the contentÂ was probably crawled by a bot and the useful data extracted. But my signature was also scanned and domain names were extracted (rootshell.be & truesec.be). Trust me, my domain names have no relation at all with XCodeGhost! I don’t want to blame the company behind this, I’m sure that plenty of other crawlers are doing the same job. But, just be warned: automation is not always accurate. Worse, some organizations can collect those IOC’s and implement blocking rules in firewalls, proxies based on them. It can be a disaster if sensitive domains become automagically blacklisted! Think about this…
[Updated at 22:24 CET]
After this blog post was published and a few messages exchanged viaÂ Twitter, I was in contact with somebody working for the company which is offering the service mentioned above. He clarified the situation, thanks to him! In a few bullet points:
- The system does not work automatically and the content here above was created by a user.
- The system is based on a toll where people can extract IOC’s from public sources. People using this tool must have some understandings of what they are doing. If the system is able to remote some false positives, it’s not always 100% accurate.
- You need to “subscribe” to a specific content or account feeding the system with IOC’s to make them available through the available API.
The conclusion to the discussion was that operating an open platform always introduce risks to be populatedÂ with wrong content and that controls must be implemented to reduce the risk of false positives.