Indicators of Compromise, or in short IOCs, are the meat and potatoes of a variety of threat detection tools and processes. IOCs operate on the proverbial principle of there being no smoke without fire, meaning through detection of IOCs, one can likely predict a cyber attack. This has long been the go-to approach for threat detection and also the primary way of documenting the technical knowledge of various cyber threats. However, this approach is not foolproof, just like any other security technology or framework. When it comes to analyzing the smartest threat actors in the game, IOCs may not prove to be sufficient. The reason being that adversaries learn from every attack just like the defenders do, thereby improving or changing their methods and not relying on the same approach consistently.
The rise of state-sponsored threat groups and other Advanced Persistent Threat (APT) groups in recent years has brought attention to the complexity of their cybercrime operations. One can no more assume the stereotypical image of a computer geek behind every mischief or malicious activity in cyberspace. Rather, often times, it is well-funded and organized groups that learn from each other and find new ways to conduct their activities without being detected. In this changing scenario, it is paramount for security teams to analyze adversary behavior to help shape their threat detection strategies. This also points to the need for behavior-based indicators besides conventional IOCs.
Before going any further, let us first understand what we mean by adversary behavior and how it is different from IOCs.
Behaviors vs Signatures
IOCs encapsulate the signatures of specific artifacts that indicate an attack or intrusion. This can be in the form of malware signature, known malicious IP addresses, file names, MD5 hashes, domain names, etc. On the other hand, a behavior-based indicator focuses on an activity that may point to an attack. Thus, activities like the injection of code into memory, a Powershell script running behind an application, a program scanning for critical files on the system, etc. are all examples of potentially malicious behavior.
How Behaviors Trump Indicators?
Today’s attackers are increasingly using fileless attack techniques to infiltrate their targets and execute malicious operations. They tend to exploit existing system utilities and installed applications that are whitelisted by many security solutions to execute their commands. In such attacks, there is no specific IOC, like a malware file signature, to rely upon for investigation. Security analysts need to instead analyze all the ongoing processes and spot any anomalous activity that may hint of an attack. In such advanced attacks, IOCs prove to be much less helpful.
Another aspect for security teams to worry about is the ephemeral nature of IOCs. Threat actors are constantly on their toes to evade detection from any fingerprints that they may leave behind. This leads to them frequently modifying their malware payloads, Command & Control infrastructure, and other aspects of their attacks. This means that the value of any IOCs collected from even the most reliable sources tends to be short-lived. Thus, security teams constantly need to be on the hunt for new threat intel which decreases the efficiency of their operations. As an example, the infamous WannaCry ransomware that first spread across the world in 2017 has been observed having over 12,000 variants to date. It is quite evident how complicated it can become to track and defend against such a wide variety in just a single malware strain. On the other hand, deducing and modeling adversary behavior helps develop long term defenses against even the most advanced attackers. Once again, in the case of WannaCry, it is much more efficient for security teams to address the root cause behind it which happens to be a particular exploit requiring a patch update rather than rely on short-lived IOCs to detect any infection.
Additionally, as time is of the essence, it is easier to improve cybersecurity posture by taking proactive actions based on adversary behavior rather than reacting to a particular malware outbreak or attack campaign. The behaviors involved in an attack are quite well-defined through frameworks like MITRE ATT&CK, Cyber Kill Chain, and others. By utilizing such frameworks, organizations can gain an extra edge in threat detection.
The Rise of Adversary Behavior Models
The ATT&CK framework leverages real-world threat data and reports from past incidents to codify adversary behavior into 11 high-level tactics ranging from initial access and execution to exfiltration and command & control. The ATT&CK framework helps establish an elaborate and proactive understanding of the actors, campaigns, and TTPs targeting different organizations. This improves multiple areas of security operations such as:
- Defensive Gap Assessment
- Cyber Threat Intelligence Enrichment
- Adversary Emulation
- Threat Hunting
- Behavioral Analytics Development
- Incident Response
Above all, the existence of such frameworks has also fueled the development of next-generation solutions for improved threat intelligence and incident response.
Behavior-based Threat Intel Solutions
“It is of the highest importance in the art of detection to be able to recognize, out of a number of facts, which are incidental and which vital. Otherwise, your energy and attention must be dissipated instead of being concentrated.” -- Sherlock Holmes
Security analysts regularly face the challenge of sifting through large amounts of threat information collected from multiple sources and alerts generated from internal tools. Staying true to the spirit of Sherlock Holmes, they need to focus on identifying the most relevant indicators and patterns connecting different indicators, incidents, or threats. Additionally, studying adversary behavior is a vital step for security analysts to gain a deep understanding of their threat environment. Such multifold responsibilities cannot be handled effectively by relying on manual processes, especially due to the exploding amount of threat data generated every day.
Addressing these issues, Cyware Threat Intelligence eXchange (CTIX) allows security teams to seamlessly adopt a behavior-based approach to threat detection and analysis. It integrates threat information from internal tools such as Firewall, SIEM, IPS, IDS, etc as well as external sources like Threat Intel providers, Information Sharing communities, and more. By combining and correlating threat data from various sources and adding customized contextual parameters to the mix, it determines the severity of each specific threat for the organization. This helps security teams develop a broader understanding of their threat environment and effectively detect any anomalous activity.
Equipped with the right tools and an in-depth understanding of the adversary behavior, security teams can focus their efforts on the most relevant threats and build lasting protective measures against them. Thus, the behavior-based approach to threat detection and threat analysis serves as the next generation paradigm for organizations to effectively defend against advanced threats and improve their security posture.