Threat Detection: IOC vs. IOA

January 15, 2020

Today we are starting an educational series on threat detection, intelligence and monitoring for Managed Service Providers (MSPs) and Security Operation Centers (SOCs). I realize that MSPs are in the transformation of enhancing their security stack also commonly referred to as layered security. With that said, where does threat monitoring play a role and where does the MSP/SOC benefit with IOAs and IOCs.

What is an Indicator of Compromise (IOC)?

IOCs are defined as artifacts of evidence proving some form of malicious and/or suspicious activity has occurred. In most scenarios these artifacts indicate that the computer, network and/or cloud application has been compromised.

In the cyber security industry, indicator artifact examples include static pieces of evidence, such as: Process, File Name, Hashes, Network Connection to a Command & Control Server, IP Addresses, Event Logs and Registry Key values to name several. Given that these artifacts are static and “known”, any detection is an indicator of a compromised asset.

What is an Indicator of Attack (IOA)?

IOAs are defined as the detection of the attacker’s goal (tactic) and the technical operation (technique) on how to accomplish the goal. Similar to Anti-Virus (AV) signature-based solutions, IOC-based detections systems are also static. While both have their cyber security use case in the stack, this leaves a significant threat gap for MSP/SOC operators.

IOC and AV approaches fall short with the inability to detect non-static intrusions and breaches. Example threats include 0-Day Exploits and Fileless Malware that continue wreaking havoc on businesses of all sizes. The 0-Day is self-explanatory, it has never been seen before, so has no static signature. Fileless Malware is not written to disk so once again, no static signature where existing components of the native operating system are used as the attack vehicle such as PowerShell and WMI. As an outcome, MSPs, MSSPs and SOCs are quickly migrating to a combined approach to address IOCs & IOAs complimenting their investment in prevention.

Where do IOCs & IOAs Unite?

Threat Indicator Radar
Combining IOC & IOA indicator types

Many MSP security operations tend to rely on IOCs ‘or’ IOAs as the pivot point for response. For example, a successful malicious login to a small business’s Office 365 account was performed with stolen credentials, acquired from a dark web market server. This would be classified as a TTP (tactics, techniques and procedures) indicator also known as an IOA. TTPs are well documented and defined by the Mitre Att&ck framework used by threat hunters, SOCs, among other cyber operators. The scenario above provides a tactical goal of initial access and the technique is valid accounts credential theft.

Now let’s expand the attack scenario above by uniting IOA with an IOC. After further intelligence was integrated into security operations, the malicious Office 365 account login originated from 182.139.x.x located in China, known for hosting malware and carrying out attacks on N. American small businesses. This would be classified as an IOC with a threat indicator type of IP Address from the radar image.

Most attacks don’t stop here as we all know. By combining IOC with IOA, we’ve added context, enriching our threat monitoring program for faster research, decision-making which ultimately reduces attacker dwell time (the period of time an attacker goes undetected on the network after initial access has occurred).

Conclusion

In short, while adversaries continue infiltrating SMBs (small-medium businesses), MSPs and SOCs can enhance their security stack by combining both types of indicators to better detect threats evading traditional defenses. Our next educational threat detection post “Attackers Playbook” covers a live attack scenario where RocketCyber’s threat team reveals a combination of IOCs and IOAs, reviewing the chronological steps carried out on several SMB intrusions and deterred the attacker before a data breach occurred.