Making sense of indicators in security
2017 was an eventful year in many ways, and that certainly holds true of information security. Ransomware has advanced and, while the attacks thus far have been relatively limited in scope, it is widely accepted that sophisticated attackers are capable of taking out infrastructure across the globe, weaponising known vulnerabilities such as EternalBlue and crippling businesses for months. Victims of 2017's attacks struggled not only to respond quickly to and remediate these intrusions in order to limit damage to their organisations, but also to keep SOCs effective under high volumes of security alerts and limited knowledge about attackers' infrastructure. Predictably, this trend has continued into 2018: organisations continue to be bogged down in reactive forensics work and often overlook the value of crucial information. As a result, organisations miss some of the most critical insights their alerts and indicators could provide to shift to a proactive posture.

A critical part of arming against increasingly aggressive threat actors is to develop competencies around producing internal threat intelligence in a strategic way during investigations. Doing this requires in-depth analysis of threat data, including indicators of compromise and of attack, to gain deeper knowledge about the types of threats attempting to penetrate an organisation. Indicators are made up of both threat data and threat intelligence, and investigators use these types of information to identify malicious actors and their activities. While threat data includes single pieces of isolated information with no context applied, threat intelligence is the contextualisation of that information. Analysis is done on the threat data to determine if it is important to the security needs of a specific organisation.

Knowing your Indicators of Compromise (IOCs) from your Indicators of Attack (IOAs)
Several data elements can make up an Indicator of Compromise, which is typically observed after an initial attack or compromise. IOCs often fall into one of four categories:

- Command and control (C2) domains observed in traffic flows or DNS requests.
- C2 IP addresses.
- File attributes, such as filenames, file languages and vulnerable file types that raise red flags.
- File hashes known or suspected to correspond to malware.

IOCs can originate from several sources, including commercial feeds, blogs, reports and whitepapers. Although IOCs do provide significant value, they have their limitations. An IOC must be a known artifact, so it is not always timely, and IOCs may not detect malware that lives only in volatile memory, malware-free intrusions, or threats exploiting 0-days. This is where Indicators of Attack (IOAs) become incredibly important, as they overcome these limitations.

IOAs are events that may reveal an active attack before IOCs become visible. These indicators focus on detecting the intent of a particular attacker or threat group. IOAs fall into three broad classifications:

- Unknown attributes, such as a zero-day or malware that exists only in memory.
- IOAs derived from IOC analysis that enable threat hunting on specific domains or other attributes.
- Contextual information about whether an attack is valid, where it is coming from or how severe it may be.

IOAs can originate from internal data sources, including network/perimeter security rule logs, AV logs, endpoint security logs, and DNS resolver logs. 

Human analysis is where the real value of IOC and IOA data is realised. Properly processing an IOC, and converting that data into threat intelligence that identifies malicious behaviour, requires a roadmap of steps to take:

1. Search the host and network environment for indicators
2. Investigate compromised systems
3. Conduct further analysis
4. Examine other indicators
5. Rinse and repeat
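The roadmap above carried through as an added example (not code from the article or from DomainTools): a small Python sweep that matches a constructed IOC set against constructed DNS, proxy and endpoint file-event log lines (step 1), lists the hosts that hit (step 2), then pivots from the matched domain to the IP it resolved to and to the other hosts that contacted that IP (steps 3 and 4), turning IOCs into IOA-style derived indicators. All indicator values, hostnames and the key=value log format are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed IOC set; placeholder values, not real indicators.
IOCS = {
    "domains": {"update-check.example.net"},
    "ips": {"192.0.2.10"},
    "hashes": {"d41d8cd98f00b204e9800998ecf8427e"},
}
# Constructed log lines in a simple key=value form (DNS resolver, proxy, endpoint file events).
DNS_LOG = [
    "ts=2018-01-10T09:01:12 host=ws-017 query=update-check.example.net answer=203.0.113.45",
    "ts=2018-01-10T09:03:40 host=ws-042 query=cdn.example.org answer=198.51.100.7",
]
PROXY_LOG = [
    "ts=2018-01-10T09:01:15 host=ws-017 dst=203.0.113.45 port=443",
    "ts=2018-01-10T09:07:02 host=ws-023 dst=203.0.113.45 port=443",
    "ts=2018-01-10T09:09:30 host=ws-042 dst=198.51.100.7 port=80",
]
FILE_LOG = [
    "ts=2018-01-10T09:02:00 host=ws-017 file=svchosts.exe md5=d41d8cd98f00b204e9800998ecf8427e",
]
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))

def sweep(iocs, dns_log, proxy_log, file_log):
    """Step 1: match known-bad IOCs against each source; returns host -> set of (type, value)."""
    hits = defaultdict(set)
    for r in map(parse, dns_log):
        if r["query"] in iocs["domains"]:
            hits[r["host"]].add(("domain", r["query"]))
    for r in map(parse, proxy_log):
        if r["dst"] in iocs["ips"]:
            hits[r["host"]].add(("ip", r["dst"]))
    for r in map(parse, file_log):
        if r["md5"] in iocs["hashes"]:
            hits[r["host"]].add(("hash", r["md5"]))
    return dict(hits)  # keys are the compromised hosts to investigate (step 2)

def pivot(iocs, dns_log, proxy_log):
    """Steps 3-4: every IP a known-bad domain resolved to becomes a derived C2 IP, and any
    host that connected to it (even with no direct IOC hit) becomes a new lead."""
    derived = {r["answer"] for r in map(parse, dns_log) if r["query"] in iocs["domains"]}
    derived -= iocs["ips"]  # keep only indicators the feed did not already contain
    leads = {r["host"] for r in map(parse, proxy_log) if r["dst"] in derived}
    return derived, leads
```

Running `sweep` flags only ws-017 (domain and hash hits), while `pivot` derives 203.0.113.45 from the DNS answer and surfaces ws-023, which had no IOC hit of its own, as the next host to investigate; feeding the derived IP back into `IOCS` is the "rinse and repeat" step.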

IOA analysis enables early detection, faster response times, the ability to predict lateral movements and more accurate network rules for defensive security, ultimately reducing dwell time. When analysing IOAs, investigators are looking for red flags and performing analysis on them to find suspicious behaviour, early attack stages, signs the environment is being profiled and open services being prodded. Analysts can find this data by evaluating some of the following:
- User, application, database and security application activity.
- Vulnerability information pertinent to internal systems and external-facing services.
- Server/host activity.

Making the most of indicators
In the context of an investigation, IOCs can be treated as historical and known bad, whereas IOAs are proactive and only considered “bad” in the context of the environment and additional data. IOCs are typically pulled from actual compromises and used to reactively identify malicious behaviour and to pivot on historical context to improve future security. Because IOAs give investigators insight into an attacker's behaviours, persistence and stealth mechanisms in real time, they can help stop threat actors in their tracks.

A key objective of building competencies in leveraging indicators is to then automate much of the analysis so that it can lead to intelligent, high-confidence alerts that signal the security team to take action. When we understand the difference between IOCs, which are mainly seen after the fact, and IOAs, which are more proactive, we can begin to realise what the indicators are, how they can help us and how to use them across our environments.

Contributed by Tim Helming, Director of Product Management at DomainTools

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.