IOC’s changing formal

In a webinar Feb  21st 2013 Mandiant had a discussion about the future of their OpenIOC Framework.

The OpenIOC is an extensible XML schema for the description of technical characteristics that identify a known threat, an attackers methodology, or other evidence of compromise.  Open IOC was created by mandiant, a Security company located in Virginia.  IOC stands for Indicators of Compromise.  The term may be used to refer to specific   artifacts left by an intrusion, or greater sets of information that allow for the detection or other activities conducted by attackers.  The term is also used as the name for a file in the OpenIOC format that contains a set of data.  The file extension for these files are .ioc. (From

The IOC has been in use without changes for the last 5 years. This is considerable long time for no changes, in an industry that changes everyday.  The OpenIOC is limited in its functionality and is due to be revamped.

They had a call for updating the format to be more flexible.  This is because the standard has several limitations.  One such limitation is There  is No “is”…  ;Their is is equal to contains.   The bottom line is it can’t breakup a string of words (example: your couldn’t find system within system32).  This limitation means that you have to create complicated IOCs.  Another example: the term “NOT” does negate, it  deselects an item from the list.

Things they want to change:

More than “is” and “contains”
– greater-than
-Matches (regEx)
-Case sensitivity

Document Indicator Terms

Define Operators
Is ==

Per Indicator Items
-Special Handling
-Priotitize an Investigation (securly)
-Mange the Intelligence
-Share what we want easier

Take aways – Needs more operators, need more documentation, needs to be less tactical, needs community input and needs a new logo.

The future of OpenIOC is looking bright as the OpenIOC team starts towards updating and building a new OpenIOC standard.