Indicator of Attack vs Indicator of Compromises
Project Name: Indicator of Attack vs Indicator of Compromises (IOA vs IOC)
Description: A cyber threat is a system-to-system attack through which an adversary acts against the confidentiality, integrity, or availability of digital information resident on a system.
Cyber-attacks are increasing in volume, sophistication, and coordination, so IOCs and IOAs help threat analysts identify these sophisticated threats. This blog will help threat analysts understand Indicator of Attack vs Indicator of Compromise.
Author: Rohit D Sadgune / Amruta Sadgune
FAQ:
- What are an alert, a vulnerability assessment, an incident, and threat analysis?
- What is an IOC (Indicator of Compromise)?
- What is an IOA (Indicator of Attack)?
- What is the difference between Indicator of Attack and Indicator of Compromise (IOA vs IOC)?
- Checklist of IOC (Indicator of compromise)
- Checklist of IOA (Indicator of Attack)
- Need of Cyber Threat Intelligence
- What is an indicator of pivot?
Before starting the discussion on the much wider topic of IOC and IOA, we need to understand some basic security terms.
What is a security alert
A security alert is the output of automated inspection of correlated logs: alerts are built and published to recipients who need to know about immediate concerns. Alerts are the primary piece of information that can be leveraged for further analysis.
Vulnerability Assessment
Vulnerability assessment is the detailed procedure of pinpointing possible weaknesses in a system, server, or network. The threats and risks found in the vulnerability assessment are segregated by severity level (low, medium, high) and exploit range (community or distant).
Cyber or Security Incident
A security incident is a signal that there may be a threat to information or computer security; it is the record of an adversary's action. When the deep-dive analysis by the security team confirms that the events are true positives for a specific attack, they become an incident, and incidents need to be handled on a priority basis before adversaries move deeper, either laterally or vertically. Incidents may or may not have industry-standard names associated with the adversaries.
Threats Analysis
Threat analysis is the identification of the end-to-end journey of adversaries through a given enterprise posture. In most circumstances, threats have industry-standard names associated with the adversaries. Threat analysis investigates in depth the small subset of events that has interrupted the integrity of the enterprise posture. It does not stop there: the primary task of the threat analyst is to find the adversaries' motive and to coordinate with the other IT teams to isolate and bring down the adverse effects.
Indicator of Attack
An Indicator of Attack is a set of data that gives relevant information about the respective attack. In the experience of threat hunting and threat intelligence professionals, an Indicator of Attack is a collection of different IOCs combined to create true-positive threat models: the sequence of events or exploits that an adversary must carry out in order to succeed.
Examples of IOA include / Use case of Indicators of Attack
- Advanced Persistent Threats
- Remote Command Execution
- DNS Tunneling
- Fast Flux DNS
- Beaconing Attempt
- Port Scanning
- Communication to Command and Control
- Remote Code Execution
- CnC Heartbeat Detection
- Watering Hole Attack
- Data Exfiltration
Indicator of Compromises
Indicators of Compromise (IOC) are chunks of evidence data, potentially observed in system log entries or files, that identify probable malicious activity on a system or network. In cyber security terms, an IOC is residual data observed on a network or in an operating system. Common IOCs are botnet membership, virus signatures, public or private network addresses, MD5 hashes of malware files, and URLs or domain names interacting with command and control servers. IOCs are created through a multi-step process driven by analyst experience and knowledge.
Examples of IOC include / Use cases of Indicators of Compromises
- Abnormal network traffic
- Unique traffic to some domain
- Abnormal privileged user account activity
- Login deviation
- Abnormal number of read requests in a database
- Suspicious registry or system file changes
- Suspicious DNS requests and web traffic showing non-human behavior
- Internal system continuously requesting malicious domains
- Internal machine or IP communicating with external domains or hosts on non-standard ports
- Internal host getting flagged by distinct threat indicators (policies)
- Land speed violation (an account trying to log in from different locations)
- Abnormal spike in user behavior
- Abnormal traffic to uncategorized proxy events
- Volumetric traffic anomaly – network flow
- Spike in anomalous connections (internal or external)
- Rare behavior – non-legitimate website accessed
- Abnormal volume of packets transferred
Indicator of Attack vs Indicator of Compromises
- Indicators of Compromise are reactive measures, while Indicators of Attack are proactive measures.
- Indicators of Compromise are used after an incident has occurred, while Indicators of Attack are used in real time, while the process or event is occurring.
- Indicators of Compromise are known globally (shared adversary artifacts), while an Indicator of Attack is only recognized on the basis of contextual information.
- In most circumstances, combining multiple IOCs in a periodic fashion results in an IOA.
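As an added example (not part of the original post), the following Python shows the IOC-to-IOA step on a constructed proxy log: a single lookup of a known-bad domain is an IOC hit, and the same internal host repeating that lookup at a near-constant interval is correlated into a beaconing IOA. The domain, log lines, and thresholds are constructed placeholders, not real indicators.

```python
from collections import defaultdict
from datetime import datetime

# Constructed IOC set: placeholder domain, not a real indicator
IOC_DOMAINS = {"updates.bad-c2.example"}

# Constructed proxy log, one "timestamp src_ip dest_domain" record per line
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 updates.bad-c2.example
2024-05-01T10:00:12 10.0.0.9 cdn.vendor.example
2024-05-01T10:05:01 10.0.0.5 updates.bad-c2.example
2024-05-01T10:07:44 10.0.0.9 updates.bad-c2.example
2024-05-01T10:10:00 10.0.0.5 updates.bad-c2.example
2024-05-01T10:15:02 10.0.0.5 updates.bad-c2.example
"""


def match_iocs(log_text):
    """IOC stage: return (timestamp, src, domain) for each line whose
    destination is a known-bad domain. Each hit is evidence, not yet an attack."""
    hits = []
    for line in log_text.splitlines():
        ts, src, domain = line.split()
        if domain in IOC_DOMAINS:
            hits.append((datetime.fromisoformat(ts), src, domain))
    return hits


def detect_beaconing(hits, min_hits=4, max_jitter_s=5):
    """IOA stage: the same host contacting the same IOC domain at a
    near-constant interval (gap spread <= max_jitter_s) is flagged as beaconing.
    A host with a single stray hit (10.0.0.9 above) is not escalated."""
    by_pair = defaultdict(list)
    for ts, src, domain in hits:
        by_pair[(src, domain)].append(ts)
    alerts = []
    for (src, domain), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            alerts.append({"src": src, "domain": domain, "hits": len(stamps),
                           "period_s": round(sum(gaps) / len(gaps))})
    return alerts


if __name__ == "__main__":
    print(detect_beaconing(match_iocs(SAMPLE_LOG)))
```

The same two-stage shape applies to the other IOA use cases listed above: the IOC matcher stays generic, and only the correlation rule (interval regularity here, port sequence or DNS query pattern elsewhere) changes.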
Indicator of Pivot
Indicators of Pivot point to consequential characteristics that can be used to determine the directional movement and the potential support/resistance levels of adversaries. Pivot points use the prior period's high, low, and distinct variance behavior of a system or network to estimate future support and resistance levels. Pivot points are predictive, high-fidelity indicators that help enterprises identify horizontal or vertical movement of threats.
An indicator of pivot is the system or network that an adversary with different attack vectors takes as its reference point when moving or changing path. In general terms, once adversaries are inside our system, two basic things are associated with them:
- Where adversary wants to go
- How it can get there.
Indicators of pivot help enterprises find sophisticated attacks that do not have any signature or reference in the ready-made IOC models available in the market.
Examples of Indicator of Pivot include / Use cases of indicator of pivot
- Lateral Movement – Account Level
- Lateral Movement – System Access Model
- Lateral Movement – Port Access Frames
- Lateral Movement – Probable Exploited Assets
- Lateral Movement – Probable Vulnerable Assets
- Account Escalation Vertically or Horizontally
Need of Cyber Threat Intelligence
Cyber threat intelligence has proved beneficial in all aspects of our day-to-day life.
The application of focused cyber threat intelligence not only provides insight into cyber threats but also assists decision makers in determining business risks, incident response, and post-incident activities.
Please provide a real-time scenario also: what is the IOA and which IOC is used?