The Verizon Risk Team published a blog post earlier this week discussing a tool they developed called IOCExtractor. The tool helps automate the time-consuming and error-prone process of extracting indicators of compromise (IOCs) from shared documents and other files in which they are embedded. The extractor is essentially a Python script that scans documents for items of security interest to an analyst who needs to understand what threats may be present: IP addresses, filenames, or other data elements that have been seen in previous attacks.
With the large number of data sources and the varying delivery formats for this information, a free tool such as this can be helpful in minimizing human error while getting the useful data into a format your security tools can understand.
If you have Python skills or just an inclination to help because you are on the front lines, consider heading over to the GitHub repository to participate in the ongoing development of this open source tool.
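To show the kind of work such a tool does, here is an added example (not IOCExtractor's own code) of a small regex-based extractor: it pulls IP addresses, domains, URLs, hashes and filenames out of report text, undoes common defanging such as `[.]` and `hxxp`, de-duplicates, and emits JSON that a downstream tool can ingest. The sample report text and the hash in it are constructed for the example.

```python
import re
import json
from typing import Dict, List

# Constructed sample text standing in for prose copied out of a shared report.
# Note the defanged indicators and the trailing period after the URL.
SAMPLE_REPORT = """
The dropper dropper.exe contacted 203.0.113[.]45 and hxxp://evil-example[.]com/update.php.
Its SHA-256 was deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef.
A second stage, payload.dll, was also seen beaconing to 203.0.113.45.
"""

# Each pattern accepts both the plain and the "[.]"-defanged spelling.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}(?:\[\.\]|\.)){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+(?:\[\.\]|\.))+(?:com|net|org|info|io)\b", re.I),
    "url": re.compile(r"\bh(?:xx|tt)ps?://[^\s'\"<>]+", re.I),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "filename": re.compile(r"\b[\w-]+\.(?:exe|dll|pdf|doc|docx|js|ps1|bat|scr)\b", re.I),
}


def refang(value: str) -> str:
    """Undo common defanging so security tools receive a usable indicator."""
    return re.sub(r"^hxxp", "http", value.replace("[.]", "."), flags=re.I)


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Return refanged, de-duplicated indicators grouped by type, in first-seen order."""
    results: Dict[str, List[str]] = {}
    for kind, pattern in PATTERNS.items():
        # Strip sentence punctuation that regexes tend to swallow at the end of a URL.
        values = [refang(m).rstrip(".,;:)") for m in pattern.findall(text)]
        unique = list(dict.fromkeys(values))  # de-duplicate while keeping order
        if unique:
            results[kind] = unique
    return results


def to_json(text: str) -> str:
    """Serialize the extracted indicators for ingestion by other tools."""
    return json.dumps(extract_iocs(text), indent=2)


if __name__ == "__main__":
    print(to_json(SAMPLE_REPORT))
```

Real documents need more care than this (PDF text extraction, whitelisting benign domains and version-number strings that look like IPs), which is exactly the part the project is working to get right.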
Thanks for the write-up! If anyone’s interested in a longer description, we have one on the Verizon Business Security Blog: http://securityblog.verizonbusiness.com/2012/11/06/freeing-tactical-intelligence-from-pdfs-with-iocextractor/