IOCs vs. IOAs — How to Effectively Leverage Indicators

Security Intelligence, IBM – Shawn Hedrick
How could having hundreds of thousands of IOCs hinder readiness, you may ask. An analyst's role is to sift through the noise and identify adversarial behavior; IOCs, however, are point-in-time artifacts. They are constantly changing and reappearing in different forms across networks, and they rarely align with the event that caused them to become indicators in the first place.

IOCs are typically provided through feeds, which lack standardization for contextual information and indicator age, and which sometimes lack source data entirely. The result is an unclear indication that often causes confusion and a poor understanding of the potential threat. Unclear indications can lead to a multitude of issues, including high volumes of false-positive alerts that drive analyst fatigue, and system resource problems caused by large quantities of data being matched across a variety of security toolsets.

Indicators of Compromise (IOC) typically consist of system and network artifacts such as IP addresses, domains, URLs, hashes, e-mail addresses or file names. Indicators of Attack (IOA) typically consist of the tactics, techniques and procedures an adversary will leverage to compromise their targets, which is ultimately defined by their believed intent.

IOA Benefits: Real-Time Context
Where IOCs are static artifacts, IOAs are real-time detections of potentially malicious activity.

IOC vs. IOA: Better Together
If an alert matches an IOA meant to detect command and control activity AND matches known indicators of compromise, it should result in a higher-severity alert to your cyber defenders. This provides both a higher-fidelity alert and additional points of context to drive better analysis.
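The following example, added here and not part of the original article, shows both points above in working code: IOC feed entries are normalized and aged out when they are stale or unsourced, a behavioral IOA (regular-interval outbound connections, a common command-and-control pattern) is evaluated over connection events, and the two match types are combined so that an IOA plus a known IOC yields a high-severity alert while either alone yields a lower one. All feed entries, IP addresses (from documentation ranges), hostnames and events are constructed for the example; the function names, the 180-day age cut-off and the jitter tolerance are assumptions, not anything the article specifies.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Reference time for the example (constructed).
NOW = parse_ts("2024-06-01T12:00:00Z")

# Constructed IOC feed entries; feed formats vary, so each is normalized below.
IOC_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "first_seen": "2024-05-01T00:00:00Z",
     "source": "feed-a", "context": "C2 server"},
    # Old entry with no source: exactly the kind of low-context indicator the article warns about.
    {"type": "ipv4", "value": "198.51.100.7", "first_seen": "2021-03-01T00:00:00Z",
     "source": None, "context": None},
]

MAX_IOC_AGE = timedelta(days=180)  # assumed cut-off, not from the article


def load_iocs(feed, now, max_age=MAX_IOC_AGE):
    """Normalize feed entries; drop stale or unsourced ones so they cannot produce noise."""
    active, dropped = {}, []
    for entry in feed:
        age = now - parse_ts(entry["first_seen"])
        if age > max_age or not entry.get("source"):
            dropped.append(entry["value"])
            continue
        active[(entry["type"], entry["value"])] = {**entry, "age_days": age.days}
    return active, dropped


def beacon(host, dst, count, period_s, start=NOW):
    """Build `count` outbound connection events from host to dst, `period_s` seconds apart."""
    return [(start + timedelta(seconds=i * period_s), host, dst) for i in range(count)]


# Constructed connection log: (timestamp, source host, destination IP).
EVENTS = (
    beacon("ws-01", "203.0.113.45", 6, 60)       # regular beacon to a known IOC
    + beacon("ws-02", "192.0.2.9", 6, 60)        # regular beacon to an unknown host
    + [(NOW, "ws-03", "203.0.113.45")]           # single hit on a known IOC, no beaconing
    + [(NOW, "ws-04", "198.51.100.7")]           # hit only on the stale, unsourced IOC
    + [(NOW + timedelta(seconds=s), "ws-05", "192.0.2.10")
       for s in (0, 17, 130, 131, 400)]          # irregular traffic, not beaconing
)


def detect_beaconing(events, min_connections=4, max_jitter=0.2):
    """IOA: a host contacting one destination at near-constant intervals.

    Returns the set of (host, dst) pairs whose inter-connection gaps all lie
    within max_jitter (fraction) of the mean gap.
    """
    by_pair = defaultdict(list)
    for ts, host, dst in events:
        by_pair[(host, dst)].append(ts)
    hits = set()
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and all(abs(g - avg) <= max_jitter * avg for g in gaps):
            hits.add(pair)
    return hits


def score_alerts(events, iocs):
    """Combine IOA and IOC matches: both -> high, IOA only -> medium, IOC only -> low."""
    beacons = detect_beaconing(events)
    ioc_pairs = {(host, dst) for _, host, dst in events if ("ipv4", dst) in iocs}
    alerts = {}
    for pair in beacons | ioc_pairs:
        ioa, ioc = pair in beacons, pair in ioc_pairs
        severity = "high" if ioa and ioc else "medium" if ioa else "low"
        ctx = iocs.get(("ipv4", pair[1]))
        alerts[pair] = {
            "severity": severity,
            "ioa": "beaconing" if ioa else None,
            "ioc_source": ctx["source"] if ctx else None,
            "ioc_age_days": ctx["age_days"] if ctx else None,
        }
    return alerts


if __name__ == "__main__":
    active, dropped = load_iocs(IOC_FEED, NOW)
    print("dropped IOCs:", dropped)
    for pair, alert in sorted(score_alerts(EVENTS, active).items()):
        print(pair, alert)
```

Each alert carries the IOC's source and age alongside the behavioral match, so an analyst sees both the fidelity boost and the context the article asks for; the stale indicator never reaches matching at all, which is the cheapest way to avoid the false-positive volume that unsourced feed data produces.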

Where to Start
The most effective way to identify IOAs related to the threats most likely to target your organization is through the implementation and use of a threat intelligence program.
Link: https://securityintelligence.com/posts/iocs-ioas-how-to-leverage-security-indicators/

