Threat Detection: IOC vs. IOA

What is an Indicator of Compromise (IOC)?

IOCs are defined as artifacts of evidence proving some form of malicious and/or suspicious activity has occurred. In most scenarios these artifacts indicate that the computer, network and/or cloud application has been compromised.

In the cyber security industry, indicator artifact examples include static pieces of evidence, such as: Process, File Name, Hashes, Network Connection to a Command & Control Server, IP Addresses, Event Logs and Registry Key values to name several. Given that these artifacts are static and “known”, any detection is an indicator of a compromised asset.

What is an Indicator of Attack (IOA)?

IOAs are defined as the detection of the attacker’s goal (tactic) and the technical operation (technique) on how to accomplish the goal. Similar to Anti-Virus (AV) signature-based solutions, IOC-based detections systems are also static. While both have their cyber security use case in the stack, this leaves a significant threat gap.

IOC and AV approaches fall short with the inability to detect non-static intrusions and breaches. Example threats include 0-Day Exploits and Fileless Malware that continue wreaking havoc on businesses of all sizes. The 0-Day is self-explanatory, it has never been seen before, so has no static signature. Fileless Malware is not written to disk so once again, no static signature where existing components of the native operating system are used as the attack vehicle such as PowerShell and WMI. As an outcome, migrating to a combined approach to address IOCs & IOAs is required for layered prevention.

Where do IOCs & IOAs Unite?

Many security operations tend to rely on IOCs ‘or’ IOAs as the pivot point for response. For example, a successful malicious login to a small business’s Office 365 account was performed with stolen credentials, acquired from a dark web market server. This would be classified as a TTP (tactics, techniques and procedures) indicator also known as an IOA. TTPs are well documented and defined by the Mitre Att&ck framework used by threat hunters, SOCs, among other cyber operators. The scenario above provides a tactical goal of initial access and the technique is valid accounts credential theft.

What are Tactics in the ATT&CK Framework?

ATT&CK stands for adversarial tactics, techniques, and common knowledge. The tactics are a modern way of looking at cyberattacks. Rather than looking at the results of an attack, aka an indicator of compromise (IoC), it identifies tactics that indicate an attack is in progress. Tactics are the “why” of an attack technique.

The Enterprise ATT&CK matrix has 14 tactics:

  1. Reconnaissance
  2. Resource Development
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege Escalation
  7. Defense Evasion
  8. Credential Access
  9. Discovery
  10. Lateral Movement
  11. Command & Control
  12. Collection
  13. Exfiltration
  14. Impact

What are Techniques in the ATT&CK Framework?

The second “T” in ATT&CK stands for techniques. Each tactic includes a set of techniques that have been seen used by malware and threat actors. Techniques represent the “how”—how attackers carry out a tactic in practice. For example, if the tactic is privilege escalation, the techniques will be various ways attackers carry out privilege escalation in real world attacks.

There are currently 185 techniques and 367 sub-techniques in the Enterprise ATT&CK matrix, and Mitre continuously adds more. Each technique has a four-digit code—for example, Abuse Elevation Control Mechanism is T1548.

Each technique contains specific information about how threat actors operate, such as the privileges required, the platforms on which the technology is commonly used, and how to detect commands or activities associated with the technique.

What is Common Knowledge in the ATT&CK Framework?

The “CK” at the end of ATT&CK stands for common knowledge. This is the documented use of tactics and techniques by adversaries. Essentially, common knowledge is the documentation of procedures “P”.

By combining IOC with IOA, context is added, enriching threat monitoring program for faster research, decision-making which ultimately reduces attacker dwell time (the period of time an attacker goes undetected on the network after initial access has occurred).

Conclusion

In short, while adversaries continue infiltrating targets, security operators must enhance their security stack by combining both types of indicators to better detect threats evading traditional defenses.

How Can ITM Help You?

iTM covers all aspects of Cyber Security including but not limited to Home cyber security managed solutions to automated, manage threat intelligence, forensic investigations, Mobile Device Management, Cloud security best practice & architecture, OSINT and cyber security training. Our objective is to support organisations and consumers at every step of their cyber maturity journey. Contact Us for more information.