AnsweredAssumed Answered

Hash/MD5 IOC population

Question asked by Jay Watson on May 16, 2018
Latest reply on May 23, 2018 by Jay Watson

Like • Show 0 Likes0
Comment • 6

If I have Malware appliance that is already calculating the hash of a file, would there be a way to populate the system on a continual basis similar to a feed and set it as a blacklist, therefore alerting when a particular hash/md5 is identified?

I understand that MD5/Hash is not part of the traffic flow, but if the Malware appliance is calculating this upon file discovery, my question is can we leverage this in a way that is custom to our own environment and IOCs? Similar to way that an AV product can.

No one else has this question

Outcomes

6 Replies

Eric Partington May 16, 2018 2:20 PM
Mark Correct
Correct Answer
You want to import hashes to the MA appliance and flag on hash match? Or you want to take the hash of files that end up in MA and use that somewhere else?
Like • Show 0 Likes0
Actions
- Jay Watson @ Eric Partington on May 16, 2018 2:23 PM
  Mark Correct
  Correct Answer
  Hi Eric
  
  Thanks for replying. I would like to import hashes to the MA and flag on any matches if possible.
  Like • Show 0 Likes0
  Actions
Eric Partington May 16, 2018 2:32 PM
Mark Correct
Correct Answer
https://community.rsa.com/docs/DOC-86723

page 41 and 42
Like • Show 0 Likes0
Actions
- Jay Watson @ Eric Partington on May 16, 2018 2:46 PM
  Mark Correct
  Correct Answer
  Okay thanks. I suppose where I'm stumped is trying to link the MD5/HASH to additional added Meta values. Perhaps this is a limitation.
  
  Ultimately I would like to import a list similar to a feed where the MD5 could then be a pointer to additional meta keys. For example:
  
  MD5 = 74cdsdb5a8797b159e71ba1717ff1sef
  
  is added to the MA as being an untrusted hash. When this triggers I would like it to reference additional meta values that are associated and have been populated as a custom feed to NW. The trouble I'm seeing is that without indexing of hash/MD5 values this seems to handled differently in NW as the M5D/hash is not considered official NW meta. Am I wrong?
  
  Meta Keys (associated IOC data)
  IOC Threat Reference Number (threat.ref) = IOC-123445
  IOC Threat Date (threat.date) = May 16 2018
  ICO Type (ioc.type) = MD5
  IOC source (ioc.src) = in-house
  Like • Show 0 Likes0
  Actions
  - Eric Partington @ Jay Watson on May 16, 2018 3:31 PM
    Mark Correct
    Correct Answer
    Add the hash list to MA, if you get a match the output will come via CEF message to a log decoder (the cef.xml is getting updated to add all three hashes that come from MA). You can index checksum if the only thing that might fill it is MA hits and then have your feed read that key for matches based on your feed as described above to write out values to your IOC keys.
    
    Any hash that is added to MA, add to your feed and if there is a hit then a match will show up in logs with the associated IOC values.
    Like • Show 0 Likes0
    Actions
    - Jay Watson @ Eric Partington on May 23, 2018 6:56 AM
      Mark Correct
      Correct Answer
      Unfortunately I do not have a log decoder or license. Appreciate the help nonetheless.
      Like • Show 0 Likes0
      Actions

Hash/MD5 IOC population

Outcomes

Related Content

Recommended Content