Intelligence seems to be full of three-letter acronyms, including Indicators of Compromise (IoC) and Indicators of Attack (IoA). The difference between these two types of indicators is important to understand as a company embraces and matures an intelligence program. IoCs are the traditional tactical, often reactive, technical indicators commonly used for detection of threats, while IoAs are focused upon the attribution and intent of threat actors. Another way to conceptualize this is to focus on the WHAT (IoC) and the WHY (IoA) of threat contextualization.
Indicators of Compromise (IoC)
Common IoCs are all too familiar in a whack-a-mole world of threats today and include things like a domain or IP linked to a phishing site, a cryptographic checksum value for malware delivered via email, or moniker information linked to a defacement or ransomware note. In many ways, IoCs are a tactical component of reacting to a threat and include, but are not limited to:
- Suspect or known hostile domain or IP
- Suspect or known hostile file cryptographic checksum value (e.g., MD5, SHA256)
- Signature to detect suspect or known hostile data, such as antivirus and IDS signatures
- Data related to potential exploitation of a vulnerability
- Tools, Tactics, and Procedures (TTPs) associated with suspect or known hostile events or data, such as an unauthorized instance of Mimikatz on an endpoint
IoCs are largely reactive, after exposure to a threat event or an actual incident. They do not commonly include earlier stages of an attack, such as reconnaissance against a target. In most cases, they rely heavily upon known historical hostile data to associate maliciousness by reputation or emerging reports in the wild. For example, if a domain is suspect and queried across multiple open source intelligence sources for possible maliciousness and is found to have little or no reputational data, that is very different from one that lights up like a Christmas tree with reports of maliciousness over the past 72 hours.
In some cases, heuristics or Artificial Intelligence (AI) touting solutions can detect new unknown threats that perform similar behavior or have similar structure and identifiable features to that of former/known historical attacks, but this is rarer than many would lead you to believe.
Indicators of Attack (IoA)
IoAs focus more on the WHY and intent of an actor. In many ways, they are a more strategic view of the TTPs of a threat actor or group. When positioned properly within a more mature intelligence program, IoAs can actually enable proactive identification of, and defensive strategies against, new unknown threats. IoAs include but are not limited to these types of data:
- Real-time behavior, including but not limited to Endpoint Behavioral Analytics (EBA)
- Code execution meta-data, Dynamic Link Libraries (DLLs) called, sequence of events, actions taken and so forth
- User behavior in relationship to the digital threat
- TTPs linked to hostile data, such as malware, used in an attack
- Persistent and stealth components used in an attack
Two key elements, in the mind of the author, help to differentiate the context of IoA from that of IoCs:
- Strategic, proactive focus and maturation over time and
- Mature contextualization of suspected or known threat data.
IoCs and IoA in the Real World
Many intelligence programs that are operational in 2019 focus on IoCs as the pivot point of actionability. For example, a phishing email campaign may be detected, resulting in domains, IPs, e-mail addresses, and similar data all being aggregated for research and response. These IoCs can be matured further by performing global public and private reputational queries from trusted and untrusted sources. More advanced solutions may even perform content inspection and drive-by evaluations of potential remote, hostile websites and similar data. All of this data, through the process of intelligence, is then reactively matured, leading to additional IoCs that then populate threat identification tools such as anti-virus, IDS/IPS, mail security solutions and so on. The vast majority of these actions are reactive and focused upon IoCs to detect a threat.
IoAs focus more upon the intent of an actor and how they perform attacks, rather than on the artifacts that IoCs capture. IoA work is a strategic, long-game function rather than the short-term, reactive IoC function of an intel program. It builds out an entire context of a campaign and actor activities to influence focus and drive towards defensive measures that lower risk.
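The WHAT-versus-WHY contrast above in code, as an added illustration that is not from the article or from Optiv: an IoC check that exact-matches hashes and domains recorded from a prior incident, beside an IoA-style rule that keys only on behaviour (an office application spawning a script host that then connects outbound). The hosts, hashes, domains and event stream are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Event:
    ts: int           # seconds since start of capture
    host: str
    kind: str         # "process" (creation) or "network" (outbound connection)
    image: str        # process image name
    parent: str = ""  # parent image, for process events
    sha256: str = ""  # file hash, for process events
    dest: str = ""    # destination domain, for network events

# IoC lists (the WHAT): artifacts recorded from a previous incident. Constructed values.
KNOWN_BAD_SHA256 = {"3f" * 32}
KNOWN_BAD_DOMAINS = {"update-check.example.net"}

# Constructed telemetry: hostA replays the known campaign; hostB sees a recompiled
# sample (new hash) calling back to a never-before-seen domain; hostC is benign admin use.
EVENTS = [
    Event(10, "hostA", "process", "winword.exe"),
    Event(12, "hostA", "process", "powershell.exe", parent="winword.exe", sha256="3f" * 32),
    Event(15, "hostA", "network", "powershell.exe", dest="update-check.example.net"),
    Event(40, "hostB", "process", "excel.exe"),
    Event(43, "hostB", "process", "wscript.exe", parent="excel.exe", sha256="9c" * 32),
    Event(47, "hostB", "network", "wscript.exe", dest="cdn-metrics.example.org"),
    Event(90, "hostC", "process", "powershell.exe", parent="explorer.exe", sha256="aa" * 32),
    Event(95, "hostC", "network", "powershell.exe", dest="intranet.example.com"),
]

def ioc_matches(events: List[Event]) -> List[Tuple[str, str]]:
    """Reactive IoC detection: exact match of hash or domain against known-bad lists."""
    return [(e.host, e.sha256 or e.dest) for e in events
            if e.sha256 in KNOWN_BAD_SHA256 or e.dest in KNOWN_BAD_DOMAINS]

def ioa_matches(events: List[Event], window: int = 60) -> List[Tuple[str, str]]:
    """Behavioural IoA detection: an office application spawns a script host that makes
    an outbound connection within `window` seconds. No hash or domain is consulted."""
    office = {"winword.exe", "excel.exe"}
    script_hosts = {"powershell.exe", "wscript.exe"}
    hits = []
    for e in events:
        if e.kind != "process" or e.parent not in office or e.image not in script_hosts:
            continue
        for n in events:
            if (n.host == e.host and n.kind == "network" and n.image == e.image
                    and e.ts <= n.ts <= e.ts + window):
                hits.append((e.host, f"{e.parent} -> {e.image} -> {n.dest}"))
                break
    return hits
```

Run against the same telemetry, the IoC check fires only on hostA (the replayed campaign), while the behavioural rule fires on hostA and hostB and stays quiet on hostC's console-launched PowerShell.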
The author of this article supported an IoA initiative for a government agency over ten years ago, where new zero-days were initiated against the target every day or two. Being zero-days, these threats were undetected and often resulted in an incident or compromise. IoCs were naturally generated for each attack, but because of how the attacks launched, this was not good enough to stop attacks nor identify ones in the future. IoA research and response resulted in an identification of the TTPs of the targeted attacks and thus defensive measures that could potentially lower risk. Over a multi-month period, and dozens of man-hours with deep technical work, a solution was identified and implemented that identified and blocked 100% of new unknown threats for the campaign going forward. This was accomplished with a very clear, integrated IoA defensive strategy towards lowering risk. It’s not often that you can have such phenomenal success, due to the complex nature of technology, people, and attack TTPs, but lowering risk is achievable when focusing upon IoA towards defensive actionability.
Concluding Remarks
Sometimes IoAs are touted as bringing faster, earlier detection, improved accuracy, and the ability to rapidly contextualize threats when detected within an environment. While this is true and very possible, it is rare to see in the real world due to the difficulty of intelligence integration and of governance and maturity within a larger organization.
Adding a layer of IoA intelligence on top of a security program requires a high level of commitment to be successful. Competing priorities in organizations often drive attention into other areas. The advent of big data analytics, telemetry, visibility, and automation may help alleviate the quest for rapid IoC integration by allowing some organizations to start concentrating on more strategic IoA.
Ken Dunham is senior director, technical cyber threat intelligence at Optiv Security.