Indicator of Compromise (IoC) vs. Indicator of Attack (IoA)
Scenario
An organization was hacked using the SQL injection and database access through its website. After penetrating the network and machine, the attacker created an account named “daemon” and then escalated the privileges to obtain more control of the network. Then the attacker injected a malware file called “hackit.exe” into the devices and established a connection to the command-and-control server to download additional malicious malware files named “malware.exe” after propagation. As a result, the malware is executed, which, in turn, runs a set of commands received from the attacker’s domain.
When the forensic investigator begins to examine the incident, the following indicators of compromise can be identified:
- The name of the new user account created by the threat actor: “daemon”
- Malware names: “hackit.exe”, “malware.exe”
- Hash values of the above executables: MD5, SHA1, SHA256
- C2C Server details: IP Address, Domain
- The attacker’s tactics, techniques, and procedures used to attack the organization.
Though the scenario mentioned above is simple, in reality, things will be more complicated.
What is an Indicator of Compromise (IoC)?
The term indicator of compromise (IoC) provides forensic evidence of potential intrusions on a host system or network. IoC is used in computer forensics to describe a signal observed on a network or operating system that indicates a potential attack or intrusion. Indicators of compromise (IoCs) refer to the data that validates a cyber threat infiltration of a computer system. Whenever there has been a breach in cybersecurity, these sources provide cybersecurity teams with vital information. These indicators of compromise (IoC) assist information security and IT professionals in detecting data breaches, malware infections, or other malicious activity. By monitoring for indicators of compromise, organizations can detect attacks and act quickly to eliminate breaches before they occur and limit damages by terminating attacks at an early stage.
After IoCs have been identified through incident response and computer forensics, they can be used for early detection of future attack attempts. The computer security incident response teams (CSIRTs) use IoCs for malware detection to enhance security and verify the effectiveness of heuristic analysis. In addition, they are used to detect and stop attacks or to limit the damage done by controlling the attacks at an early stage.
Indicator of Compromise (IoC) vs. Indicators of Attack (IoA)
A primary difference between indicators of attack and indicators of compromise is that the IoAs focus on identifying the activity associated with the attack when the attack is occurring. In contrast, IoCs focus on examining the artifacts after the attack. IoC is based on the reactive approach, indicating that the attack has already occurred. Reactive approaches usually take place in the aftermath of an attack. For example, it detects the presence of viruses, malware, exploits, signatures, or malicious IP addresses that have been left behind.
On the other hand, IoA represents a proactive approach (just like Threat Hunting) where defenders check for early warning signs indicating an attack. An information security perspective identifies warning signs as either true or false positive, code execution, Stealth, Command, control, or lateral network movement.
The difference can be explained in simple terms using an example. Reaching the crime scene following the incident or crime is a reactive approach and it is the nature of IoCs whereas getting to the potential crime scene before the incident occurs is a proactive approach and represents IoAs. The incident can be prevented in the future by the IoAs since it has not yet occurred.
IoCs provide us with information about known adversaries. In other words, we can identify the attacker with IoC. In contrast, an IoA provides the context information to determine whether the attack is suspect or benign. A benign attack has no adversarial component.
Types of IoCs and IoAs – Pyramid of Pain
David J Bianco, a security professional specializing in threat hunting and incident response, developed the Pyramid of Pain to improve the applicability of IoCs in 2013. In a Cyber Attack, the Pyramid of Pain is used to classify penetration indicator data (IoCs). The concept is a pyramid that displays the quality of the threat intelligence feeds collected on cyber-attacks, and how they can pose a serious threat to attackers.
The Pyramid of Pain represents six levels of attack indicators that are arranged in ascending order of their impact on the threat actor and the effort required by security analysts. Every pyramid level illustrates a different type of IoC you might use to detect an attacker’s activity. IoCs are classified based on the amount of pain or difficulty they cause the adversary when they are denied those IoCs.
The Pyramid of Pain enhances threat intelligence by adding more context to the indicators. Moreover, it provides a measure of the difficulty in obtaining that intelligence, as well as avoiding detection on the part of the adversary. As a whole, this concept enables security teams to detect and prevent different types of attacks.
The indicators of compromise (IoCs) are into two categories-
- Automation detection indicators
- Behavioral detection indicators
While the automation indicators include Hash values, IP addresses, and Domain names. Behavioral detection indicators involve network/host artifacts, tools, tactics, techniques, and procedures (TTPs).
A TTP of threat actors is considered to be the best and most powerful method of cyber-education and is more effective for the cyber defenders to align the defensive strategies to defend from the cyber threats. The tactic identifies an attacker’s behavior, the technique outlines the attacker’s behavior based on the tactic, and the procedure illustrates how an attacker applies the method. Attack behavior assists security teams in investigating and responding to attacks. TTPs make it difficult for attackers to meet their objectives. The IP address and domains may be altered and changed by the attacker frequently, whereas the tactics, techniques, and procedures of a threat actor cannot be changed so easily; after all, an attacker is a human being, and even if an attacker changes his TTPs frequently, that itself becomes a TTP of the attacker.
How to Identify IoCs and IoAs Inside Your Network?
Cyber security threats and ransomware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.
Want to try our ThreatResponder, cutting-edge Endpoint Detection & Response (EDR) security solution in action? Click on the below button to request a free demo of our NetSecurity’s ThreatResponder platform.
Disclaimer
The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that NETSECURITY CORPORATION copyrights the contents of this page. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).