Hash/MD5 IOC population
If I have Malware appliance that is already calculating the hash of a file, would there be a way to populate the system on a continual basis similar to a feed and set it as a blacklist, therefore alerting when a particular hash/md5 is identified?
I understand that MD5/Hash is not part of the traffic flow, but if the Malware appliance is calculating this upon file discovery, my question is can we leverage this in a way that is custom to our own environment and IOCs? Similar to way that an AV product can.
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
Okay thanks. I suppose where I'm stumped is trying to link the MD5/HASH to additional added Meta values. Perhaps this is a limitation.
Ultimately I would like to import a list similar to a feed where the MD5 could then be a pointer to additional meta keys. For example:
MD5 = 74cdsdb5a8797b159e71ba1717ff1sef
is added to the MA as being an untrusted hash. When this triggers I would like it to reference additional meta values that are associated and have been populated as a custom feed to NW. The trouble I'm seeing is that without indexing of hash/MD5 values this seems to handled differently in NW as the M5D/hash is not considered official NW meta. Am I wrong?
Meta Keys (associated IOC data)
IOC Threat Reference Number (threat.ref) = IOC-123445
IOC Threat Date (threat.date) = May 16 2018
ICO Type (ioc.type) = MD5
IOC source (ioc.src) = in-house
Add the hash list to MA, if you get a match the output will come via CEF message to a log decoder (the cef.xml is getting updated to add all three hashes that come from MA). You can index checksum if the only thing that might fill it is MA hits and then have your feed read that key for matches based on your feed as described above to write out values to your IOC keys.
Any hash that is added to MA, add to your feed and if there is a hit then a match will show up in logs with the associated IOC values.