4 reasons why behaviour-based indicators of compromise enhance security

Indicators of compromise (IOCs) are cyber-security classics. Whenever they show up, you know that trouble is likely to follow, which is why everyone uses them to identify and stop attacks. Unfortunately, not every attack announces itself in an easily identifiable way.

Like gatecrashers who change their tactics after being turned away from the party, cyber-attackers have been adapting their techniques to help them slip by defences unimpeded. To identify these more advanced cyber-attack tactics, it's time we put a modern twist on the IOC classic. It's time we added behaviour-based IOCs (BIOCs) to our cyber-security arsenal.

What's a BIOC?

As opposed to classic IOCs, which look for specific artifacts that indicate an intrusion, such as a virus signature or a known bad IP address, file name, MD5 hash, domain name, etc, BIOCs look for specific behaviours that indicate malicious activity, such as the injection of code into memory or a script (e.g. PowerShell) running within an application. The behaviours are well defined, but the protection is broad – you can identify and block any and all attacks, today and in the future, that exhibit this malicious activity. This gives you a detection advantage. Why? Because…

Attackers are tricky

Today's attacks are increasingly fileless, meaning they don't rely on having to write or download a file to infect the target device/system. Instead, they use the services that already exist on the device/system to perpetrate their exploit. There are no specific strings, names, addresses or processes to look for, so IOCs are of little help. A BIOC, however, can look for services on a device/system doing something unusual. It can identify when normal, legitimate services are being used in a way that is not normal or expected. For example, you shouldn't see a document try to execute PowerShell, so when it's detected, you can be fairly certain it's indicative of an attack and should be blocked.

Attacks are fleeting

Attackers are constantly evolving. BIOCs help you get the enduring coverage you need to keep up with the threat landscape and adapt to protect against threats you haven't even thought of yet. When a site gets hacked, an IOC can be created to block access to it so that it doesn't infect your environment. This IOC, however, is static and only good for a limited amount of time. It can't do anything about the next attack, or the one after that, or the one that is just slightly different from the first. BIOCs, however, can look for the malicious behaviours that are common to and indicative of these types of attacks and protect you from the full range.

It's the difference between being able to identify A SINGLE bad driver or ANY bad driver. You can look for a specific car owned by a specific driver (IOCs) or you can look for any car that is swerving dangerously, driving too fast, running red lights, etc (BIOCs). When you aren't restricted to a specific make or model, you can identify any number of bad drivers, today and in the future. The WannaCry outbreak illustrates this point.

Many companies released IOCs that were specific to the attack. In practice, they typically covered a specific variant of WannaCry, which meant that another IOC was needed for any deviation from that strain or it wouldn't be detected. A BIOC, however, could identify any activity that attempted to use the underlying EternalBlue exploit on which WannaCry was based. By looking for the behaviour associated with EternalBlue, which used the Windows system process lsass.exe to write an executable to disk, allowing an .exe or .dll file to be created on the system, you could stop any of the WannaCry variants, and other malware, from ever installing themselves.

Time is not on your side

When it comes to cyber-security, time is of the essence. As soon as a vulnerability is found, the race is on - vendors are looking to find and issue a patch that each and every organisation needs to deploy to close the hole created by that vulnerability, while attackers are looking to develop and launch an attack that exploits that vulnerability. Losing the race has real consequences, which we saw with Equifax – their recent breach was due to an attack that exploited a known Apache vulnerability that they hadn't patched yet.

With BIOCs, when a new vulnerability is released, you can build behavioural indicators to detect and block attack attempts that exploit that vulnerability, buying you some time until you can roll out the patch. For example, since the Apache vulnerability allowed commands to be executed remotely, a BIOC could have been created to prevent Apache from executing any shell commands and shut the attack down before it could even get started.
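The three behaviours this article names (a document host starting PowerShell, lsass.exe writing an executable to disk, and Apache spawning a shell) expressed as rules over endpoint process telemetry, with a classic hash-list IOC check beside them for contrast. This is an added illustration, not Secdo's product code; the event fields, rule names, process names and sample hashes are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    """One constructed process-creation record (fields are assumptions)."""
    parent: str                     # image name of the parent process
    image: str                      # image name of the new/acting process
    files_written: list = field(default_factory=list)  # paths the process wrote
    sha256: str = ""                # hash of the image, for the classic IOC check

# Classic IOC: known-bad file hashes. Placeholder value, not a real indicator.
KNOWN_BAD_HASHES = {"placeholder-hash-of-one-known-variant"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "sh", "bash", "powershell.exe"}
WEB_SERVERS = {"httpd", "apache2"}
EXECUTABLE_EXT = (".exe", ".dll")

def bioc_office_spawns_powershell(ev: Event) -> bool:
    """A document host should never start PowerShell."""
    return ev.parent in OFFICE_APPS and ev.image == "powershell.exe"

def bioc_lsass_writes_executable(ev: Event) -> bool:
    """lsass.exe dropping an .exe/.dll: the EternalBlue/WannaCry behaviour."""
    return ev.image == "lsass.exe" and any(
        p.lower().endswith(EXECUTABLE_EXT) for p in ev.files_written)

def bioc_apache_spawns_shell(ev: Event) -> bool:
    """The web server process executing a shell: remote command execution."""
    return ev.parent in WEB_SERVERS and ev.image in SHELLS

BIOC_RULES = {
    "office_spawns_powershell": bioc_office_spawns_powershell,
    "lsass_writes_executable": bioc_lsass_writes_executable,
    "apache_spawns_shell": bioc_apache_spawns_shell,
}

def ioc_hits(ev: Event) -> bool:
    return ev.sha256 in KNOWN_BAD_HASHES

def bioc_hits(ev: Event) -> list:
    return [name for name, rule in BIOC_RULES.items() if rule(ev)]

# Constructed telemetry: every hash is made up and matches no IOC, so only the
# behavioural rules can catch the first three events.
SAMPLE_EVENTS = [
    Event("winword.exe", "powershell.exe", sha256="hash-of-legit-powershell"),
    Event("services.exe", "lsass.exe", files_written=[r"C:\Windows\dropped.dll"]),
    Event("httpd", "sh", sha256="hash-of-legit-sh"),
    Event("explorer.exe", "notepad.exe", sha256="hash-of-legit-notepad"),
]

def triage(events):
    """Return (image, ioc_matched, bioc_rules_fired) for each event."""
    return [(ev.image, ioc_hits(ev), bioc_hits(ev)) for ev in events]
```

Because the rules key on parent/child relationships and file-write behaviour rather than on hashes or names, a new build of the same tooling fires the same rule while the hash list stays silent.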

It's all about you

When someone wants to attack you, they can figure out what you have in your environment – processes, systems, OSes, security solutions, etc – model them in their environment, and create techniques that can exploit weaknesses and bypass your defences. BIOCs give you a layer of defence that attackers can't predict. Attackers have no way of knowing what BIOCs you are looking for in your environment, giving you the advantage for the first time. You can use BIOCs to create a baseline of what is and what's not supposed to happen in YOUR environment, so you can detect anything that indicates a potential threat. In essence, BIOCs give you detection tailor made for you.

Strengthening your security

For all these reasons, it's easy to see why there's interest in BIOCs. They give you the tools you need to reduce your organisation's attack surface and strengthen your security stance. You can use them to alert on and eliminate behaviours that are malicious and adapt your defences to protect your environment from new and emerging threats. This modern twist on a cyber-security classic may be on the fast track to becoming indispensable to your security and risk management efforts.

Contributed by Gil Barak, CTO & Co-Founder, Secdo

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.