Organizations typically get all manner of threat reports providing Indicators of Compromise (IOCs) warning them know they might be under cyber attack. But how can an organization know if their systems are properly identifying the IOCs?
That's a question that Lior Kolnik, head of security research at security firm Demisto, wants to help organizations answer. Kolnik is set to detail his research alongside a new tool at the Black Hat USA 2018 conference on Aug. 8.
Kolnik's talk is titled "Hunting Wargames with Arthur and Merlin in IOC-Land." While the names Arthur and Merlin are tied to Medieval mythology, they also have a place in computational complexity theory. Kolnik said that in computer science, an Arthur-Merlin protocol is an interactive proof system. In the system, Arthur is the verifier, or standard computer system, while Merlin is what is described as the oracle, or the prover.
With the Arthur-Merlin system that Kolnik is demonstrating, there are two modules. One of the modules plants the evidence, or IOCs, in a system. The other module then is tasked with reaching out to an enterprise's security technologies, such as enterprise detection and response (EDR) tools, to see if the planted IOCs will actually be detected.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
The whole system can be operated in an automated way, and the basic idea is to help validate the effectiveness of an enterprise's security tools to detect IOCs. The concept can applied and extended to test any EDR tool, according to Kolnik.
The initial tool release on GitHub will coincide with Kolnik's talk.
A common way for organizations to get threat intelligence is via the STIX/TAXII protocol, which isn't something that is part of the initial release of Kolnik's tool. He noted that STIX/TAXII support will be included in a future update. The first release will be able to support IOC data in a CSV spreadsheet or plain text file.
Often threat hunters will run IOCs against a security information and event management (SIEM) tool to check against collect log files. Kolnik said that his tool will have an API so it can be used to query SIEM systems.
The Arthur-Merlin tool that Kolnik has developed is freely available, and his employer, Demisto, doesn't have immediate plans to commercialize the technology.
"Demisto is in the business of automating security tasks," Demisto CEO Richi Bhargava said.
Bhargava added that the Arthur-Merlin platform could be used in conjunction with Demisto's platform, though he emphasized that it will never be the case that Demisto is required to use the tool.
"We want this to be usable by anyone for free, " Kolnik said.
Looking forward as a GitHub project, Kolnik is hoping to get interest and participation from the security community to further improve the tool.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.