Indicators of compromise can be anything from a file that doesn’t belong to a system directory, to suspect or known malicious domains and IPs, to anything that can show proof of a breached system. And by relying on known data concerning malicious actors and events, reports on emerging threats, reputational lists and threat intelligence feeds, these smoking guns also inform better tools and detection techniques that can be used in the event of future attacks.
But what happens when a zero-day threat emerges that is unknown, with no previous knowledge to draw from? What if behaviors exhibited by the threat have not been classified as malicious, and detection using IoC isn’t possible?
Don’t cure, prevent
Think of using IoC like treating a cold: you already have a runny nose, a sore throat and you can’t get out of bed. They’re all indicators of a cold — IoC! But you’re just trying to ease the symptoms, and the damage has been done. Now, you could’ve taken note when you woke up with a slightly sore throat that one morning, before all the symptoms hit you with full force. Perhaps taking some preventative measures could have saved you a lot of trouble and discomfort.
This is how watching for indicators of attack, before an event fully happens, can work for you. Put simply, it’s acting proactively.
Indicators of attack vs indicators of compromise: main differences
As we saw in the introduction, indicators of compromise support reactive detection of a security breach by providing evidence that a system has already been breached. This can be the presence of viruses and malware, anomalies in privileged user accounts, malicious IPs and other forensic evidence that indicates a high probability of an attack.
The cyber attack life cycle involves a series of distinct steps and actions. Indicators of attack, or IoA, reflect the sequence of events and actions attackers must execute in order to gain unauthorized access to a system or a network.
Proactive detection can take place during all of the steps that precede the attack — reconnaissance, weaponization and delivery — before the threat becomes a successful exploit. And when context can be gained as early as the recon phase, defenders can block attackers from moving forward. With reactive IoC-based detection, the intrusion is detected only after the attacker has already gained access to the system, in the later phases of the cyber attack life cycle.
While IoC are inherently bad, since they are evidence of a security compromise, IoA only become bad based on what they mean in the context of the situation. This means that a given behaviour won’t always be an indicator of attack; whether it is classified as one depends on the intent of the actor behind it.
For instance, port scanning isn’t an inherently malicious activity, and can be performed by a benign scanner, but it can also be done by an attacker in the recon stage of an attack, trying to obtain as much information about your network as possible to discover any vulnerabilities. So, flagging this activity as an IoA wouldn’t really be useful. But if we add context with additional logs showing evidence of other internal hosts communicating to external hosts using atypical ports, then this can very well be an indicator of attack.
Indicators of attack detect an active attack in real time, before the final goal of the exploit, data theft, or similar operation is achieved. They cover the gaps IoC leave behind, by detecting unknown threats, and because IoA identify activity and behaviour rather than methods and tools used, malwareless attacks can also be uncovered. Once IoA are detected, they’re refined by adding contextual information from other security tools to determine whether there is indeed a potential threat.
What to look for when hunting for IoA?
Actively seeking out potentially malicious behaviour on a network and finding indicators of attack enables both the detection of security incidents and their containment as early in the attack lifecycle as possible. There are some key measures to take when hunting down IoA:
- Analyze firewall logs to determine the correct configuration, ensure that no unauthorized access is getting in, and confirm that the traffic allowed isn’t showing signs of anomalous behaviour
- Use an EDR solution to gain visibility and collect information about running processes, logins and communication channels to detect any abnormal behaviour on endpoints
- Examine web server logs, which can help you uncover users trying to access directory files without proper authorization, and monitor access to any pages used to update content
- Review authentication server logs for insight into account activity, invalid account logins, and user activity during unusual hours; all to show whether an attacker has gained access and is trying to move laterally, escalating their privileges
Popular indicators of attack
To diagnose active attacks as they take place, looking at all of the above-mentioned sources can be of great help, but what exactly should you look for? What are some common indicators of attack?
- One of the more common indicators of attack is communication between internal and external hosts over unusual ports (external traffic usually uses 80 and 443); this can indicate attackers using those ports to communicate with malware
- If your organization has internal DNS servers for domain name resolution and you find that an internal host is directly querying external DNS servers, a malware scan on that host is needed
- Network scans coming from internal hosts can indicate that an attacker has made their way into your network, and is trying to move laterally to steal information. These hosts should be quarantined to block the attacker’s advances
- A user in the network having multiple logins from different geolocations in a short period of time can be a sign that user credentials have been compromised and that attackers are trying to access the network with them
- Additionally, keep an eye out for internal hosts that communicate with known malicious destinations, or with foreign countries the organization has no relations with
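To make the first three of these indicators concrete, here is a small added example (not code from the original article) that scores constructed flow records for unusual egress ports, direct external DNS queries and internal network scanning, then applies the context step described earlier: a lone scan is only queued for review, while a scanning host that also egresses on an atypical port is treated as a likely attack. The internal ranges, the scan threshold and all sample addresses are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not from any real network): (src, dst, dst_port).
# 10.0.0.5 sweeps the subnet and then talks to an external host on port 4444;
# 10.0.0.8 resolves names directly against an external DNS server;
# 10.0.0.10 is the in-house vulnerability scanner sweeping the same range;
# 10.0.0.9 only browses HTTPS.
FLOWS = (
    [("10.0.0.5", f"10.0.0.{i}", 445) for i in range(20, 32)]
    + [("10.0.0.5", "203.0.113.7", 4444)]
    + [("10.0.0.8", "198.51.100.53", 53)]
    + [("10.0.0.10", f"10.0.0.{i}", 22) for i in range(20, 32)]
    + [("10.0.0.9", "203.0.113.20", 443)]
)

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
NORMAL_EGRESS_PORTS = {80, 443}   # the ports the article calls usual for external traffic
SCAN_THRESHOLD = 10               # assumed: distinct internal targets from one host


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def detect_ioa(flows):
    """Return {host: set(indicator)} for internal hosts showing the behaviours
    listed above. Port 53 to an external address is reported as direct
    external DNS rather than as a generic unusual egress port."""
    indicators = defaultdict(set)
    internal_targets = defaultdict(set)
    for src, dst, port in flows:
        if not is_internal(src):
            continue
        if is_internal(dst):
            internal_targets[src].add(dst)
        elif port == 53:
            indicators[src].add("direct_external_dns")
        elif port not in NORMAL_EGRESS_PORTS:
            indicators[src].add("unusual_egress_port")
    for src, targets in internal_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            indicators[src].add("internal_scan")
    return dict(indicators)


def prioritize(indicators):
    """Context step: a single behaviour is only 'review'; a host combining
    several (e.g. scan plus atypical egress) is a likely attack."""
    return {h: ("likely_attack" if len(i) > 1 else "review") for h, i in indicators.items()}
```

Run against the constructed flows, 10.0.0.5 is the only host rated likely_attack, 10.0.0.8 and the benign scanner 10.0.0.10 are queued for review, and 10.0.0.9 produces no finding.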
IoC vs. IoA — which do you choose?
“The IoA” might seem like the obvious answer, but the truth is that neither is more important than the other. For successful attack discovery, threat detection and the overall security of your network, you need both indicators. Together, they provide forensic data about attacks and inform better preparedness for future attacks.
IoC can be considered the more reactive, technical and traditional indicators used for threat detection, while IoA focus more on the intent of threat actors and on the “why?” that contextualization provides.
Just as with many concepts in cybersecurity, it’s never “either/or” — it’s about the marrying of all techniques and practices, to ensure all-encompassing security and an organization’s proper security posture.
While indicators of attack are more effective than indicators of compromise in that they are based on behaviours and contextualized information that informs a proactive defense, using both is the ideal solution.
The issue with many cybersecurity solutions is that they rely only on IoC for investigations once the damage is already done, which, while useful, doesn’t allow for real-time analysis of all behaviours taking place in a system. To truly be proactive about protecting your organization, consider adding security strategies based on IoA in order to stop threats before they can cause any real damage.