Detecting a cyber threat requires threat intelligence, and the National Cyber Security Centre (NCSC) defines this as "evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."
These indicators, commonly referred to as Indicators of Compromise (IOCs) and Indicators of Attack (IOAs), serve two roles: IOCs provide tangible evidence of a breach, such as malicious IP addresses, file hashes, or unusual network traffic patterns, while IOAs identify malicious intent and behaviors before a compromise occurs, such as lateral movement within a network or unauthorized privilege escalation.
What are IOCs?
An IOC is an indicator that helps identify potential intrusions or compromises within a network host. IOCs can reveal when an attack occurred, the tools used, and the identity of those responsible. Common examples of IOCs include:
- Unusual network traffic behavior
- Unexpected software installations
- User sign-ins from abnormal locations
- Large numbers of requests for the same file
- Specific file names
- File hashes
- IP addresses
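Most of the IOCs in the list above are atomic values (a hash, an IP address, a file name) that a SIEM or endpoint agent checks telemetry against. The following Python script, added here as an illustration and not code from the original article, matches a small indicator set against constructed host and network events. Normalising case and whitespace on both sides matters in practice: a feed that ships upper-case hashes or a Windows path with mixed-case file names should still produce a hit. All indicator values and addresses are placeholders (documentation address ranges and a repeated-byte hash), not real IOCs.

```python
"""Matching atomic IOCs (file hashes, IP addresses, file names) against
host and network events. Constructed example; not code from the original page."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class IocSet:
    # Values are stored normalised so a match does not depend on case or
    # stray whitespace in either the feed or the telemetry.
    sha256: frozenset
    ipv4: frozenset
    filenames: frozenset

    @classmethod
    def from_raw(cls, sha256: Iterable[str], ipv4: Iterable[str],
                 filenames: Iterable[str]) -> "IocSet":
        return cls(
            sha256=frozenset(h.strip().lower() for h in sha256),
            ipv4=frozenset(ip.strip() for ip in ipv4),
            filenames=frozenset(f.strip().lower() for f in filenames),
        )


@dataclass(frozen=True)
class Match:
    event_id: str
    indicator_type: str
    value: str


def match_events(iocs: IocSet, events: list) -> list:
    """Return every IOC hit across a list of event dicts.

    Each event is a flat dict with an 'id' and optional keys
    'sha256', 'src_ip', 'dst_ip' and 'path' (hypothetical schema).
    """
    hits = []
    for ev in events:
        eid = ev["id"]
        h = ev.get("sha256")
        if h and h.strip().lower() in iocs.sha256:
            hits.append(Match(eid, "sha256", h.strip().lower()))
        for key in ("src_ip", "dst_ip"):
            ip = ev.get(key)
            if ip and ip.strip() in iocs.ipv4:
                hits.append(Match(eid, "ipv4", ip.strip()))
        path = ev.get("path")
        if path:
            # Compare only the final path component, case-insensitively,
            # so Windows and POSIX paths are handled the same way.
            name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in iocs.filenames:
                hits.append(Match(eid, "filename", name))
    return hits


# Constructed indicator values and telemetry; placeholders, not real IOCs.
SAMPLE_IOCS = IocSet.from_raw(
    sha256=["AA" * 32],
    ipv4=["203.0.113.45"],
    filenames=["svch0st.exe"],
)
SAMPLE_EVENTS = [
    {"id": "e1", "sha256": "aa" * 32, "path": "C:\\Users\\bob\\Downloads\\report.pdf"},
    {"id": "e2", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.45"},
    {"id": "e3", "path": "C:\\Windows\\Temp\\SVCH0ST.EXE"},
    {"id": "e4", "src_ip": "10.0.0.7", "dst_ip": "198.51.100.9", "path": "/usr/bin/ls"},
]


def run_sample() -> list:
    """Run the matcher over the constructed events; e1, e2 and e3 should hit, e4 should not."""
    return match_events(SAMPLE_IOCS, SAMPLE_EVENTS)


if __name__ == "__main__":
    for m in run_sample():
        print(f"{m.event_id}: {m.indicator_type} hit on {m.value}")
```

The event schema here is deliberately minimal; a real deployment would map the SIEM's own field names onto it and would treat a single hash hit as higher-fidelity than an IP hit, since addresses are shared and recycled far more often than file contents.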
What are IOAs?
According to NIST, IOAs are observable behaviors, patterns, or artifacts that suggest malicious activity may be underway. Unlike Indicators of Compromise (IOCs), which often identify evidence of a past attack, IOAs focus on detecting potential threats early by analyzing adversary actions, such as attempts to exploit vulnerabilities or unauthorized system access. Examples of IOAs include:
- Unusual behavioral patterns: An attacker might engage in activities such as scanning for vulnerabilities or attempting privilege escalation, which can be flagged as potential precursors to an attack.
- Unauthorized access attempts: IOAs may identify repeated failed login attempts or the use of compromised credentials.
- Exploit attempts: Recognizing behaviors that match known attack techniques, such as lateral movement within a network or attempts to disable security systems.
- Suspicious data transfers: Detection of anomalous data transfers, such as large file uploads to unknown servers or repeated access to sensitive files.
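Two of the IOAs above, repeated failed logins and anomalous transfers to unknown destinations, are behavioural rather than atomic: no single event is malicious, so the detection has to aggregate over time or over volume. The Python below is an added example, not code from the original article, and implements both rules over constructed authentication and flow records. Thresholds, field names and the allow-list of known destinations are assumptions a real deployment would tune; addresses come from documentation ranges.

```python
"""Behavioural (IOA) detection over authentication and network-flow events.
Constructed example; not code from the original page."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    subject: str
    detail: str


def detect_failed_login_bursts(auth_events, threshold=5, window_s=60):
    """Flag a source IP producing `threshold` or more failed logins inside `window_s` seconds.

    Events are dicts with 'ts' (epoch seconds), 'src_ip', 'user' and
    'result' ('ok' or 'fail'), assumed sorted by 'ts'. A per-source
    sliding window keeps memory bounded; each source alerts once.
    """
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in auth_events:
        if ev["result"] != "fail":
            continue
        src = ev["src_ip"]
        q = windows[src]
        q.append(ev["ts"])
        # Drop timestamps that have fallen out of the window.
        while q and ev["ts"] - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append(Alert("failed_login_burst", src,
                                f"{len(q)} failures in {window_s}s"))
    return alerts


def detect_unknown_large_uploads(flows, known_dsts, byte_threshold=50_000_000):
    """Flag hosts sending more than `byte_threshold` bytes to a destination not in `known_dsts`.

    Flows are dicts with 'src_host', 'dst_ip' and 'bytes_out'; bytes are
    summed per (host, destination) pair so many small flows still count.
    """
    totals = defaultdict(int)
    for f in flows:
        if f["dst_ip"] in known_dsts:
            continue
        totals[(f["src_host"], f["dst_ip"])] += f["bytes_out"]
    return [
        Alert("large_upload_unknown_dst", host, f"{total} bytes to {dst}")
        for (host, dst), total in totals.items()
        if total > byte_threshold
    ]


# Constructed sample telemetry (placeholder addresses from documentation ranges).
AUTH_EVENTS = [
    {"ts": 1000 + i * 5, "src_ip": "198.51.100.20", "user": "alice", "result": "fail"}
    for i in range(6)
] + [
    # Two failures far apart and then a success: normal user behaviour, no alert.
    {"ts": 1000, "src_ip": "10.0.0.8", "user": "bob", "result": "fail"},
    {"ts": 1400, "src_ip": "10.0.0.8", "user": "bob", "result": "fail"},
    {"ts": 1405, "src_ip": "10.0.0.8", "user": "bob", "result": "ok"},
]
FLOWS = [
    {"src_host": "ws-17", "dst_ip": "203.0.113.77", "bytes_out": 40_000_000},
    {"src_host": "ws-17", "dst_ip": "203.0.113.77", "bytes_out": 30_000_000},
    {"src_host": "ws-02", "dst_ip": "192.0.2.10", "bytes_out": 90_000_000},  # known backup server
]
KNOWN_DSTS = {"192.0.2.10"}


def run_sample():
    """Run both rules over the constructed data; expect one alert from each."""
    events = sorted(AUTH_EVENTS, key=lambda e: e["ts"])
    return detect_failed_login_bursts(events) + detect_unknown_large_uploads(FLOWS, KNOWN_DSTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] {a.subject}: {a.detail}")
```

The allow-list is what separates a backup job from an exfiltration candidate; without it, the 90 MB transfer from ws-02 would also be flagged, which is the usual source of noise when a volume rule is first switched on.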
Difference between IOCs and IOAs
IOAs focus on identifying active events and processes in real time, with an emphasis on understanding the attribution and intent of threat actors during an ongoing attack, whereas IOCs are reactive indicators used after an event has occurred, providing forensic information about known adversaries.
IOCs reveal critical details such as the tactics, techniques, and procedures (TTPs) used during a cyberattack, helping incident responders understand the severity of an event and where to focus mitigation efforts. IOAs enable proactive threat prevention and real-time detection, while IOCs support thorough post-incident investigation and forensic analysis.
Implementing IOCs and IOAs in cybersecurity
These cybersecurity guidelines enable organizations to adopt a flexible and proactive approach to managing and mitigating cybersecurity threats:
- Set up a monitoring system: Implement a Security Information and Event Management (SIEM) platform to collect and analyze data from multiple security sources in real time.
- Automate indicator ingestion: Use threat intelligence feeds to automate the integration of IOCs and IOAs, ensuring they stay current and relevant.
- Integrate with other security tools: Connect IOCs and IOAs with systems like intrusion detection systems (IDS), firewalls, endpoint protection, and other threat detection technologies. This integration strengthens the overall security infrastructure by enabling a coordinated response to threats across multiple layers.
- Regularly update and maintain indicators: Continuously review and refine IOCs and IOAs based on the latest threat landscape. Best practices include leveraging external threat intelligence sources, validating indicators through incident analysis, and ensuring they are aligned with evolving network environments. This proactive approach enhances the effectiveness of threat detection.
- Implement continuous feedback loops: Maintain a feedback loop by using real-time attack data and incident analysis to continuously refine and adjust the indicators for higher accuracy and relevancy.
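The ingestion, maintenance and feedback steps above amount to an indicator lifecycle: feed records are merged and de-duplicated, stale entries age out, and analyst findings (for instance a domain confirmed benign) lower an indicator's confidence until it stops producing alerts. The Python below, an added example rather than code from the original article, shows one way to implement that lifecycle. The feed record format, the 30-day age limit, the confidence floor and the false-positive penalty are all assumptions; the indicator values and dates are constructed placeholders.

```python
"""Indicator lifecycle: ingesting feed records, de-duplicating, expiring
stale entries and lowering confidence on analyst feedback.
Constructed example; not code from the original page."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Indicator:
    itype: str
    value: str
    confidence: int        # 0-100, as supplied by the feed and adjusted by feedback
    last_seen: datetime
    source: str


class IndicatorStore:
    def __init__(self, max_age_days=30, min_confidence=40):
        self.max_age = timedelta(days=max_age_days)
        self.min_confidence = min_confidence
        self._items = {}   # (type, normalised value) -> Indicator

    def ingest(self, records):
        """Merge raw feed records (hypothetical schema: type, value, confidence,
        last_seen as ISO-8601, source). A repeat sighting refreshes last_seen
        and keeps the higher confidence, so two feeds never yield two entries."""
        for r in records:
            key = (r["type"], r["value"].strip().lower())
            last_seen = datetime.fromisoformat(r["last_seen"])
            cur = self._items.get(key)
            if cur is None:
                self._items[key] = Indicator(key[0], key[1], int(r["confidence"]),
                                             last_seen, r["source"])
            else:
                cur.last_seen = max(cur.last_seen, last_seen)
                cur.confidence = max(cur.confidence, int(r["confidence"]))

    def mark_false_positive(self, itype, value, penalty=30):
        """Feedback loop: an analyst-confirmed false positive lowers confidence."""
        key = (itype, value.strip().lower())
        if key in self._items:
            item = self._items[key]
            item.confidence = max(0, item.confidence - penalty)

    def count(self) -> int:
        return len(self._items)

    def get(self, itype, value):
        return self._items.get((itype, value.strip().lower()))

    def active(self, now):
        """Indicators still worth matching: recent enough and above the confidence floor."""
        return [
            i for i in self._items.values()
            if now - i.last_seen <= self.max_age and i.confidence >= self.min_confidence
        ]


# Constructed feed records; values and dates are placeholders.
FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 80,
     "last_seen": "2024-05-01T00:00:00+00:00", "source": "feed-a"},
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 60,
     "last_seen": "2024-05-20T00:00:00+00:00", "source": "feed-b"},
    {"type": "sha256", "value": "AA" * 32, "confidence": 90,
     "last_seen": "2024-02-01T00:00:00+00:00", "source": "feed-a"},   # will age out
    {"type": "domain", "value": "updates.example.net", "confidence": 50,
     "last_seen": "2024-05-25T00:00:00+00:00", "source": "feed-b"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def run_sample():
    """Ingest the feed, apply one piece of analyst feedback, and list what is still active."""
    store = IndicatorStore()
    store.ingest(FEED)
    store.mark_false_positive("domain", "updates.example.net")  # review found it benign
    return store, sorted(i.value for i in store.active(NOW))


if __name__ == "__main__":
    store, active = run_sample()
    print(f"{store.count()} indicators stored, {len(active)} active: {active}")
```

Only the IP address survives here: the hash is four months old and has aged out, and the domain dropped below the confidence floor after the false-positive mark. Ageing indicators out is as important as adding them, since a long-expired address that has since been reassigned is a reliable generator of false alarms.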
FAQs
What is lateral movement within a network?
Lateral movement refers to the techniques cybercriminals use to navigate through a compromised network to find vulnerabilities, escalate access privileges, and reach their ultimate target. It involves moving sideways from device to device within the network, often undetected, to gain deeper access and exfiltrate data.
What are TTPs?
TTPs describe the behavior of threat actors and the structured framework they use to execute cyberattacks. Tactics are the high-level strategies, techniques are the methods used to achieve the tactics, and procedures are the specific steps taken to execute the techniques.
What is data exfiltration?
Data exfiltration refers to the unauthorized transfer or retrieval of data from a computer or network.