MANDIANT has released its OpenIOC threat intelligence standard and a list of over 500 indicator terms to the public. In conjunction with the new standard, MANDIANT also announced the general availability of a new free tool, MANDIANT IOC Finder, and the launch of a new portal, www.openioc.org, to help fill a critical industry need for incident responders to share advanced threat intelligence in a machine-readable format.
First referenced publicly in Incident Response & Computer Forensics (McGraw-Hill, 2003), co-authored by MANDIANT Chief Executive Officer Kevin Mandia, the term Indicator of Compromise (IOC) has been advanced by MANDIANT into a format that standardizes how computer security professionals define and search for characteristics of advanced attacks.
The public release of both IOC Finder and www.openioc.org represents a new chapter for the OpenIOC standard, which was originally designed to enable MANDIANT's products to codify intelligence in order to rapidly search for potential security breaches. Now, in response to requests from across the user community, MANDIANT has standardized and open sourced the OpenIOC schema and is releasing tools and utilities that allow security teams to describe the technical characteristics that identify a known threat, an attacker's methodology, or other evidence of a compromise, and to share them at machine speed. The OpenIOC base schema of more than 500 indicator definitions, released as open source under the Apache 2 license, is maintained by MANDIANT, which developed it over the course of detecting and responding to hundreds of computer security breaches.
"In the threat landscape that confronts us today defenders must succeed one hundred percent of the time while the attackers only need to get through once to be successful," said MANDIANT Chief Technology Officer Dave Merkel. "By making OpenIOC public and customizable, we are making it possible to automate the intelligence sharing process so incident responders can more rapidly detect, respond, and contain targeted attacks."
With this announcement the following tools and resources are now available:
OpenIOC Standard: An open format for recording, defining, and sharing threat information in a machine-digestible format. OpenIOC can be easily modified as additional intelligence is gathered so that incident responders can translate their knowledge into a format that can be used by various technologies to sweep an enterprise for signs that it has been compromised.
MANDIANT IOC Editor: A free tool that allows for the easy creation of IOCs using a graphical interface rather than having to edit raw XML. IOCs created with IOC Editor can then be shared with other responders inside and outside the organization.
MANDIANT IOC Finder: A free tool that can acquire data from a single host and check the IOC against the collected data to see if the host matches conditions in the IOC. Once results are verified, responders can refine the IOC or use it to search other endpoints.
OpenIOC Web Site: The newly launched www.openioc.org Web portal serves as a central resource for sharing information about, and promoting adoption of, the OpenIOC standard.
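As an added illustration (not MANDIANT's code and not part of the original announcement), the following Python evaluator does, in miniature, what IOC Finder is described as doing: it parses an OpenIOC definition and checks a host's collected data against the nested AND/OR indicator logic. The IOC document and the host snapshots are constructed for this example; the namespace, element names and conditions follow the OpenIOC 1.0 schema as I understand it, and representing host data as a flat "search term to observed values" dictionary is a simplification of how a real tool correlates items.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}  # OpenIOC 1.0 namespace (assumed)
# Supported IndicatorItem conditions; an unsupported condition raises KeyError deliberately
CONDITIONS = {"is": lambda needle, v: needle == v, "contains": lambda needle, v: needle in v}
# Constructed sample IOC (not a real indicator): file hash, OR (service name AND registry value)
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="a" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00112233445566778899aabbccddeeff</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i2">
        <IndicatorItem id="b" condition="contains">
          <Context document="ServiceItem" search="ServiceItem/name" type="mir"/>
          <Content type="string">updsvc</Content>
        </IndicatorItem>
        <IndicatorItem id="c" condition="is">
          <Context document="RegistryItem" search="RegistryItem/ValueName" type="mir"/>
          <Content type="string">updsvc</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def item_matches(item, host):
    # One IndicatorItem: look up its search term in the host snapshot (term -> values seen)
    term = item.find("ioc:Context", NS).get("search")
    needle = (item.find("ioc:Content", NS).text or "").strip().lower()
    test = CONDITIONS[item.get("condition", "is")]
    return any(test(needle, v.lower()) for v in host.get(term, []))

def indicator_matches(node, host):
    # Recurse into nested Indicators; combine children with the node's AND/OR operator
    results = []
    for child in node:
        tag = child.tag.rsplit("}", 1)[-1]
        if tag == "IndicatorItem":
            results.append(item_matches(child, host))
        elif tag == "Indicator":
            results.append(indicator_matches(child, host))
    combine = all if node.get("operator", "OR").upper() == "AND" else any
    return bool(results) and combine(results)

def evaluate_ioc(xml_text, host):
    # True if the host snapshot satisfies the IOC's top-level Indicator
    top = ET.fromstring(xml_text).find("ioc:definition/ioc:Indicator", NS)
    return indicator_matches(top, host)
```

A host that shows only the service name does not match, because the nested Indicator requires the registry value as well; either the file hash alone or the service-plus-registry pair does match.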
For more information, visit www.openioc.org.