Every Solution You Can Imagine – and More
What cybersecurity solution do you need? From Zero Trust to ADR, IAM, risk/privacy, data protection, AppSec and threat, securing digital transformation, to resiliency and remediation, we can build the right program to help solve your challenges.
A Single Partner for Everything You Need
Optiv works with more than 400 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
IoC and IoA: Indicators of Intelligence
Intelligence seems to be full of three-letter acronyms, including Indicators of Compromise (IoC) and Indicators of Attack (IoA). The difference between these two types of indicators is important to understand as a company embraces and matures an intelligence program. IoCs are the traditional tactical, often reactive, technical indicator commonly used for detection of threats while IoA is focused upon attribution and intent of threat actors. Another way to conceptualize this thought is to focus on WHAT (IoC) and WHY (IoA) of threat contextualization.
Indicators of Compromise (IoC)
Common IoCs are all too familiar in a whack-a-mole world of threats today and include things like a domain or IP linked to a phishing site, a cryptographic checksum value for malware delivered via email, or moniker information linked to a defacement or ransomware note. In many ways, IoCs are a tactical component of reacting to a threat including but not limited to:
IoCs are largely reactive, after exposure to a threat event or an actual incident. They do not commonly include earlier stages of an attack, such as reconnaissance against a target. In most cases, they rely heavily upon known historical hostile data to associate maliciousness by reputation or emerging reports in the wild. For example, if a domain is suspect and queried across multiple open source intelligence sources for possible maliciousness and is found to have little or no reputational data, that is very different from one that lights up like a Christmas tree with reports of maliciousness over the past 72 hours.
In some cases, heuristics or Artificial Intelligence (AI) touting solutions can detect new unknown threats that perform similar behavior or have similar structure and identifiable features to that of former/known historical attacks, but this is rarer than many would lead you to believe.
Indicators of Attack (IoA)
IoAs focus more on the WHY and intent of an actor. In many ways, it is a more strategic view of the TTPs of a threat actor or group. When positioned properly within a more mature intelligence program, IoAs can actually identify proactive identification and defensive strategies against new unknown threats. IoAs include but are not limited to these types of data:
Two key elements, in the mind of the author, help to differentiate the context of IoA from that of IoCs:
IoCs and IoA in the Real World
Many intelligence programs that are operational in 2019 focus on IoCs as the pivot point of actionability. For example, a phishing email campaign may be detected resulting in domains, IPs, e-mail addresses, and similar data all being aggregated for research and response. These IoCs can be matured further by performing global public and private reputational queries from trusted and untrusted sources. More advanced solutions may even perform content inspection and drive-by evaluations of potential remote, hostile websites and similar data. All of this data, through the process of intelligence, is then reactively matured leading to additional IoCs to then populate in threat identification tools such as anti-virus, IDS/IPS, mail security solutions and so on. The vast majority of all these actions are reactive and focused upon IoCs to detect a threat.
IoAs focus more upon the intent of an actor and how they perform attacks rather than that of IoCs. It is a strategic long-game function rather than the short term reactive IoC function of an intel program. IoA work builds out an entire context of a campaign and actor activities to influence focus and drive towards defensive measures to lower risk.
The author of this article supported an IoA initiative for a government agency over ten years ago, where new zero-days were initiated against the target every day or two. Being zero-days, these threats were undetected and often resulted in an incident or compromise. IoCs were naturally generated for each attack, but because of how the attacks launched, this was not good enough to stop attacks nor identify ones in the future. IoA research and response resulted in an identification of the TTPs of the targeted attacks and thus defensive measures that could potentially lower risk. Over a multi-month period, and dozens of man hours with deep technical work, a solution was identified and implemented that identified and blocked 100% of new unknown threats for the campaign going forward. This was accomplished with a very clear, integrated IoA defensive strategy towards lowering risk. It’s not often that you can have such phenomenal success, due to the complex nature of technology, people, and attack TTPs, but lowering risk is achievable when focusing upon IoA towards defensive actionability.
Sometimes IoAs are touted as bringing faster, earlier detection, improved accuracy, and ability to rapidly contextualize threats when detected within an environment. While this is true and very possible, it is rare to see in the real world due to the difficulty of the challenge for intelligence integration and that of governance and maturity within a larger organization.
Adding a layer of IoA intelligence on top of a security program requires a high level of commitment to be successful. Competing priorities in organizations often drive attention into other areas. The advent of big data analytics, telemetry, visibility, and automation may help alleviate the quest for rapid IoC integration by allowing some organizations start concentrating on more strategic IoA.
Let us know what you need, and we will have an Optiv professional contact you shortly.