What is the Open Indicators of Compromise (OpenIOC) Framework?


  • Cyber Threat Intelligence

Posted on: June 17, 2019

OpenIOC is an open framework for sharing threat intelligence in a machine-readable format. It was developed by the American cybersecurity firm MANDIANT in November 2011. It is written in eXtensible Markup Language (XML) and can be easily extended with additional threat information, so that incident responders can express their knowledge in a standard format. An organization can use the OpenIOC format to share its latest Indicators of Compromise (IoCs) with other organizations, enabling real-time protection against emerging threats.

What is the schema of OpenIOC?


The base schema of OpenIOC is a simple XML framework that can be used to document and classify the forensic artifacts of an intrusion on any host or network. The framework ships with a base set of 500 pre-defined indicators provided by MANDIANT, which can be used to track down advanced threats.

The base schema is not limited to a single indicator; it can be extended to include additional indicators from multiple sources. Users of OpenIOC are free to create their own sets of indicators and extend them as they see fit.
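To make the schema concrete, here is an added example (not code from the article or from MANDIANT) that parses a small OpenIOC-style document and evaluates its nested AND/OR indicator tree against a list of host file artifacts. The element names and attributes (`ioc`, `definition`, `Indicator operator=...`, `IndicatorItem condition=...`, `Context search=...`, `Content`) follow the OpenIOC 1.0 layout as I understand it and should be treated as an assumption; the IOC document, the hash values and the host artifacts are all constructed for illustration. Only the `is` and `contains` conditions are implemented, and string comparison is case-insensitive as a simplification.

```python
"""Evaluate an OpenIOC-style indicator tree against constructed host artifacts.

Added example; not part of the article or of any vendor's code.
"""
import xml.etree.ElementTree as ET

# OpenIOC 1.0 namespace (assumed from the schema layout described in the text).
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample IOC. Top level: OR of (a) a file hash, (b) a filename AND
# a path fragment that must both match the same artifact.
SAMPLE_IOC = """
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="EXAMPLE-0001"
     last-modified="2019-06-17T00:00:00">
  <short_description>Constructed example dropper</short_description>
  <description>Illustration only; hashes and names are made up.</description>
  <authored_by>example</authored_by>
  <authored_date>2019-06-17T00:00:00</authored_date>
  <links/>
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="a" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000001</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="inner">
        <IndicatorItem id="b" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svch0st.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="c" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
          <Content type="string">\\Temp\\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host inventory: each dict maps an OpenIOC search term to the
# value observed on the host (what an endpoint agent would collect).
HOST_FILES = [
    {"FileItem/FileName": "notepad.exe",
     "FileItem/FullPath": "C:\\Windows\\System32\\notepad.exe",
     "FileItem/Md5sum": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
    {"FileItem/FileName": "svch0st.exe",
     "FileItem/FullPath": "C:\\Users\\bob\\AppData\\Local\\Temp\\svch0st.exe",
     "FileItem/Md5sum": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"},
    {"FileItem/FileName": "report.pdf",
     "FileItem/FullPath": "C:\\Users\\bob\\Downloads\\report.pdf",
     "FileItem/Md5sum": "00000000000000000000000000000001"},
    # Same suspicious name but outside Temp: the AND branch must NOT fire.
    {"FileItem/FileName": "svch0st.exe",
     "FileItem/FullPath": "C:\\Tools\\svch0st.exe",
     "FileItem/Md5sum": "cccccccccccccccccccccccccccccccc"},
]


def _item_matches(item, artifact):
    """Evaluate one IndicatorItem (a leaf) against a single artifact."""
    ctx = item.find("ioc:Context", NS)
    content = item.find("ioc:Content", NS)
    if ctx is None or content is None:
        return False
    actual = artifact.get(ctx.get("search"))
    if actual is None:                      # artifact lacks this attribute
        return False
    expected = (content.text or "").strip().lower()
    cond = item.get("condition", "is")
    if cond == "is":
        return actual.lower() == expected
    if cond == "contains":
        return expected in actual.lower()
    raise ValueError(f"unsupported condition: {cond}")


def _indicator_matches(indicator, artifact):
    """Recursively evaluate an Indicator node (AND/OR of children)."""
    results = []
    for child in indicator:
        tag = child.tag.split("}")[-1]       # strip the namespace prefix
        if tag == "IndicatorItem":
            results.append(_item_matches(child, artifact))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, artifact))
    if not results:
        return False
    op = indicator.get("operator", "OR").upper()
    return all(results) if op == "AND" else any(results)


def load_ioc(xml_text):
    """Return (ioc id, list of top-level Indicator elements)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    definition = root.find("ioc:definition", NS)
    indicators = [] if definition is None else definition.findall("ioc:Indicator", NS)
    return root.get("id"), indicators


def scan(xml_text, artifacts):
    """Return (ioc id, full path) for every artifact the IOC logic matches."""
    ioc_id, indicators = load_ioc(xml_text)
    return [(ioc_id, art["FileItem/FullPath"]) for art in artifacts
            if any(_indicator_matches(ind, art) for ind in indicators)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_IOC, HOST_FILES):
        print(hit)
```

Running the script reports the Temp-directory `svch0st.exe` (both AND terms satisfied) and `report.pdf` (hash match), while the copy of `svch0st.exe` under `C:\Tools` is not reported because the `contains` term fails. When IOC documents arrive from third parties, parse them with external entity resolution disabled (the standard-library parser does not fetch external entities; `defusedxml` adds further hardening), and treat each indicator as a trigger for investigation rather than an automatic verdict.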

Why should organizations use OpenIOC?


Conventional methods of detecting security breaches are no longer adequate for an organization trying to keep up with evolving threat actors. Simple signatures have become very easy for a threat actor to evade.

Sharing threat indicators within your own sector, or even across sectors, is a crucial part of your organization's endpoint security. You need to be able to communicate how to spot emerging threats on your hosts and networks in a machine-digestible format that removes the human delay from intelligence sharing. The OpenIOC format provides a common platform for security teams across sectors to communicate about a known threat.

What are the benefits of OpenIOC?


By using the OpenIOC framework, organizations gain access to the latest IoCs shared by other organizations. These IoCs can be consumed directly by multiple threat detection tools, enabling real-time detection. Organizations thus benefit from the collaborative effect of threat intelligence shared within their industry and with global Fortune 1000 companies. Beyond customization and extension, the framework also offers MANDIANT's field-tested Indicators of Compromise (IoCs), along with the option to create custom sets of OpenIOC indicators.
