Cybersecurity teams are consistently tasked to identify cybersecurity attacks, adversarial behavior, advanced persistent threats and the dreaded zero-day vulnerability. Through this endeavor, there is a common struggle for cybersecurity practitioners and operational teams to appropriately leverage indicators of compromise (IOCs) and indicators of attack (IOAs) for an effective monitoring, detection and response strategy.
Inexperienced security teams and leaders tend to establish a catch-all approach, where quantity outweighs quality to stop the next perceived intrusion attempt. Unfortunately, this strategy rarely provides an operational edge and greatly hinders operational readiness.
Obtaining a better understanding of indicators, their intent, and how to better leverage them within your environment is essential to driving good security practices and providing enablement, not hindrance, to your analysts. This article will highlight some key aspects concerning indicators of compromise, indicators of attack, and how to best leverage them together in order to support your organization.
IOCs' current role and pitfalls
How could having hundreds of thousands of IOCs hinder readiness, you may ask? An analyst’s role is to sift through the noise and identify adversarial behavior; however, IOCs are point-in-time artifacts. They are constantly changing and reappearing in different ways across networks, and they rarely align to the event that caused these artifacts to become indicators in the first place.
IOCs are typically provided through feeds, which lack standardization for contextual information and age of the indicator, and sometimes lack source data entirely. This makes for an unclear indication that often causes confusion and a lack of understanding of the potential threat. Unclear indications can lead to a multitude of issues, including high volumes of false-positive alerts that drive analyst fatigue and system resource issues caused by large quantities of data matching across a variety of security toolsets.
IOCs can be an amazing resource for ongoing events to provide a starting point to analysts. However, their use can be greatly enhanced through the implementation of rule sets and detections that align to indicators of attack. By leveraging more than a single point of indication, you can reduce false-positive counts and enable strong analysis through enhancement and contextualization.
To understand how to effectively leverage indicators of compromise or indicators of attack, it is best to understand the distinctions of these two main categories that are commonly referenced across the cybersecurity industry:
Indicators of Compromise (IOC) typically consist of system and network artifacts related to IP addresses, domains, URLs, hashes, e-mail addresses or file names. These indicators are point-in-time references to adversarial activity and are constantly changing. It is important to note that targeted intrusions impacting separate organizations are rarely the exact same. Focusing on key indicators, or indications observed across multiple campaigns, can help drive focus on potential adversarial activity.
Indicators of Attack (IOA) typically consist of the tactics, techniques and procedures an adversary will leverage to compromise their targets, which are ultimately defined by their believed intent. Imagine a series of steps a malicious actor MUST accomplish to reach their perceived goal. Examples of this can include code execution, persistence mechanisms, establishing command and control (C2) and defense evasion techniques. An indication of an attack provides an opportunity for defenders to identify the activity of a threat prior to a full compromise or breach.
IOA benefits: Real-time context
Where IOCs are static artifacts, IOAs are real-time detections of potentially malicious activity. An example of this in practice is the use of a zero-day exploit to gain access to internal systems with the goal of executing data exfiltration. A zero-day has no known indicators of compromise since it has likely never been observed in the wild. However, through the usage of IOAs, security practitioners can look for the intent of an adversary. Analysts leveraging IOAs can see, in real time, potentially malicious activity indicating initial access to an environment, lateral movement to a sensitive system, network connections to an unknown external system, and the exfiltration of large volumes of data outside of an organization’s perimeter.
By observing this series of events unfolding, an analyst can quickly work through the kill chain to identify adversarial actions regardless of the initial point or method of access. Additionally, by looking for what an adversary will do, your defenders will have greater opportunities to detect and respond before an adversary reaches their goal. This can provide an invaluable commodity of time to responders.
IOC vs. IOA: Better together
Indicators of compromise are useful data points that can greatly benefit defenders in their initial triage of security events — especially when it is an emerging threat with little data to work with. When these indicators are paired with correlation rule sets to drive severity ratings as well as initial points of research, they can reduce the time it takes for an analyst to make that initial judgment call. This can be further refined by aligning SIEM alerting to known indicators of attack.
If an alert matches an IOA meant to detect command and control activity AND matches known indicators of compromise, then it should result in a higher severity alert to your cyber defenders. This provides both a higher fidelity alert and additional points of context to drive better analysis.
By looking at what an adversary will likely do, and comparing it to what adversaries have done, cyber defenders can proactively monitor for potential security events while enriching these alerts with known adversarial data points. These efforts can also provide opportunities for additional proactive exercises like threat hunting, which looks for unknown activity, or outliers, in order to identify threats and close potential security gaps within the environment.
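The severity logic described above, as an added example that is not part of the original article: an alert is rated highest only when a behavioral C2 detection (IOA) and a known indicator (IOC) agree, and IOCs with no source or past an age cutoff are not counted. The feed layout, the 90-day cutoff, the beaconing heuristic, the severity labels and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)  # constructed reference time
MAX_IOC_AGE = timedelta(days=90)                  # assumed freshness cutoff

# Constructed IOC feed (documentation-range IPs), keeping source and age.
IOC_FEED = {
    "203.0.113.50": {"source": "feed-a", "last_seen": NOW - timedelta(days=3)},
    "198.51.100.7": {"source": None, "last_seen": NOW - timedelta(days=400)},
}

def ioc_match(dst):
    """IOC check: count a hit only if the indicator is sourced and fresh."""
    entry = IOC_FEED.get(dst)
    if entry is None or entry["source"] is None:
        return False
    return NOW - entry["last_seen"] <= MAX_IOC_AGE

def ioa_beaconing(times, min_conns=5, max_jitter=0.1):
    """IOA check (assumed heuristic): outbound connections at near-constant
    intervals, the behaviour of C2 check-ins, whatever the destination."""
    if len(times) < min_conns:
        return False
    ordered = sorted(times)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter

def severity(dst, times):
    """Behaviour plus a known indicator outranks either signal alone."""
    ioa, ioc = ioa_beaconing(times), ioc_match(dst)
    if ioa and ioc:
        return "high"
    if ioa:
        return "medium"
    return "low" if ioc else "none"

# Constructed outbound connection times (seconds) per destination.
CONNECTIONS = {
    "203.0.113.50": [0, 60, 120, 181, 240, 300],  # regular + fresh IOC
    "192.0.2.10": [0, 300, 600, 900, 1200],       # regular, not in any feed
    "198.51.100.7": [5, 900, 950],                # stale, unsourced IOC only
}

def triage(connections):
    return {dst: severity(dst, t) for dst, t in connections.items()}

if __name__ == "__main__":
    for dst, sev in triage(CONNECTIONS).items():
        print(f"{dst:15} {sev}")
```

The second destination is the zero-day-style case: it appears in no feed, yet the behavioral check still raises it for review.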
Indicators in practice
Both IOAs and IOCs are incredibly valuable throughout the process of detection and response. If an analyst were to observe an IOA associated with command and control (C2) infrastructure, they can begin analysis to identify any potential indicators of compromise associated with this alert. This could include IP addresses, domains, URLs or hashes. These indicators of compromise can be further refined by comparing them to open-source research to better understand the potential threat you are facing, as well as additional indicators that may match your intrusion activity.
These additional indicators can then be used to conduct sweeps throughout your environment to ensure no additional malicious activity is present. By examining these IOCs you may also be able to determine if any align to key indicators, or indicators present across multiple campaigns, and create signatures to drive further real-time detection. Once the threat is identified, it is crucial to conduct lessons-learned activities to determine whether any new IOAs were identified, so that your detection and response capabilities continue to mature.
Where to start?
The most effective way to identify IOAs related to threats that are most likely to target your organization is through the implementation and usage of a threat intelligence program. An established intelligence program can help cyber defenders identify and prioritize the threats most relevant to them and drive an intelligence-led defense strategy. Intelligence developed through such a program can better inform cyber defenders on what feeds to leverage, current and emerging threats, and the tactics, techniques and procedures that they employ to reach their adversarial goals. The culmination of this information can further drive strong business decision support.
Senior Cybersecurity Consultant, IBM