“Know your enemy and know yourself and you can fight a hundred battles without disaster.” - Sun Tzu, The Art of War
In the event of a cyberattack, security teams from the affected organizations serve as the prime responders who execute their incident response procedures to investigate, analyze, and mitigate the incident. In this process, the security teams rely on what are called - Indicators of Compromise (IOCs) - related to the cyberattack. In simple terms, these so-called IOCs may serve the same purpose that a broken window pane and fingerprints would serve for the police investigating a burglary. Whether its hashes of malware files, malicious URLs, domain names, or other data from the present or previous cybercrimes, they all serve as small pieces of a larger jigsaw puzzle for the investigators trying to decipher a cyberattack. Apart from this, in their daily operations, security teams also use IOCs from known threat actors or attack campaigns to detect and block them through critical security controls such as firewall, SIEM, IDS, and IPS, among others.
However, the most advanced adversaries neither leave repeated traces that can help identify them nor rely on a single tool or exploit to execute their attacks. Hence, it is important for security teams to be able to detect, identify, and respond to threat actors based on their behaviors which are independent of the tools they use or the IOCs from previous incidents.
Modus Operandi of Threat Actors
Though traditional threat intel platforms (TIP) provide threat information from many sources, the enrichment and analysis of the information are not sufficiently geared towards analyzing the adversary behavior. It rather focuses on the low-level indicators that are useful against more rudimentary attacks.
To understand the behavior of threat actors, we need to breakdown the cyber attack lifecycle and analyze each stage of the attack. MITRE’s ATT&CK framework provides a state-of-the-art approach for modeling and analyzing cyberattacks by enumerating threat actor tactics, techniques, and procedures (TTPs) into a matrix. It provides a comprehensive knowledge base for security teams to study the movements of threat actors across their network. By applying the ATT&CK framework to threat intelligence operations, the Cyware Threat Intelligence eXchange (CTIX)
platform provides rich insights into the TTPs employed by threat actors at every step of the way.
Furthermore, CTIX also provides a mapping between the various attack techniques and threat actors to clearly differentiate the behaviors of different groups. With this knowledge at hand, security analysts can investigate the most relevant threats for the organization and help detect advanced threat actors in their tracks.
Why IOCs may not be enough?
To further elucidate the need for focusing on Indicators of Behavior, let us take a brief look at some of the limitations of solely relying on IOCs for threat detection.
- Signal vs Noise - Though there are numerous providers of threat information, the IOCs obtained from them may not provide the most relevant insights for the unique threat environment of every organization. The large quantity of data collected from various internal or external sources requires rigorous filtering to get rid of false alarms and detect the relevant threat among all the noise. Moreover, attackers often themselves inject noise into the IOC data to dilute it further. This inevitably leads to wastage of resources and analyst fatigue, thereby decreasing the efficacy of the security team as a whole.
- Shapeshifting threats - Advanced attackers employ a wide variety of obfuscation and evasion techniques to dynamically evolve and hide their arsenal, thereby not leaving any traces that can be mapped to any of their older attacks. This means that even the most accurate and relevant IOCs can become useless once attackers make slight changes to their malware or their attack infrastructure.
- Fileless malware - With the rise of sophisticated attack techniques such as fileless malware, attackers don’t rely on external code to perform any malicious actions. Rather, the entire attack is executed using existing software on the target system such as Powershell, Office Scripting, or WMI. This means that it is much harder to detect them without any unique signature left behind.
Gaining an edge with Behavior-based Indicators
Though IOCs can be used to block many conventional attacks, an over-reliance on it only provides a false sense of security against more sophisticated threat actors. If scanning for known IOCs does not give any results, it must not be taken as a sign of security against those threats. Instead, security teams must focus on investigating the behavior of adversaries to be able to detect them among other legitimate users on the network and to take quick incident response actions.
The efficacy of an incident response plan against sophisticated threat actors is affected by the speed and accuracy of the security team. To avoid losing critical time in such a scenario, it is important to get rid of manual and cumbersome processes in threat response. The Cyware Fusion and Threat Response (CFTR)
platform addresses this by not only providing advanced orchestration and automation capabilities but also giving an eagle-eye view of the complete threat environment mapped according to the TTPs used by threat actors.
Instead of simply relying on IOCs to detect threats, security teams can leverage CFTR to automatically detect anomalous behaviors and trigger actions within their network to stop an attack in its early stages. By collating, enriching, and analyzing threat intelligence from various sources, security teams using CFTR gain an edge over the attackers.
The bottom Line
In the ever-changing landscape of cyber threats, traditional approaches to defending against advanced threat actors will provide a false assurance and inevitably fall short when responding to sophisticated attacks. Therefore, it is crucial for organizations to develop a strong security posture by focusing on the behavioral indicators that can help neutralize threats at an early stage. With Cyware’s next-gen solutions, organizations can adapt, evolve and stay secured from all such threats.