IoC and IoA overview
--
IoC, or Indicator of Compromise, is a signature-based mechanism for detecting known malware. The indicator is used both to recognize known malware and to investigate intrusions in a system; you can think of it as a knowledge base for investigators.
An IoC allows a particular threat to be documented in a consistent fashion and facilitates automated sharing of actionable threat information. It also works for more advanced malware signatures, by matching MD5 hashes, C2 (command-and-control) domains, malicious IPs, or registry keys known to be used by malware.
This is more focused on sharing intelligence between enterprises, agencies, and ethical hackers in order to combat cybercriminal actions.
It all starts with an investigation to determine what happened and how. The resulting report is collected and analyzed in the IoC environment and a record is created; that record can then be deployed to an Intrusion Prevention System to ensure the same compromise doesn't happen again.
This is an important practice in cybersecurity. While criminals constantly change and adapt their malware, they tend to reuse the same tools and techniques inside it, like process injection, credential dumping, token stealing, and host enumeration.
By documenting these steps in the IoC, the detection success rate is significantly enhanced.
This is part of a bigger concept, threat intelligence sharing, which relies on two standards: one for modeling and one for exchanging threat intelligence.
Let's start with STIX, a language for modeling and representing cyber threat intelligence. TAXII is the protocol for exchanging that intelligence; basically, it defines how the information is communicated. Together they set a standard for cyber-observables that can be used to build IoC expressions (including domain names, IP addresses, file hashes, and so on).
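As an added example (not code from the original post), the following Python builds IoC records in the STIX 2.1 Indicator shape and matches them against constructed sensor observations. The hash, domain, IP and registry key are placeholder sample values, and the pattern handling is a hand-written subset of STIX patterning, not the official stix2 library.

```python
import re
import uuid
from datetime import datetime, timezone

# Added example: hand-rolled STIX 2.1 Indicator records plus a matcher for the
# simple comparison form [object:path = 'value'], optionally joined by OR.

def make_indicator(name, pattern):
    """Return a dict carrying the required STIX 2.1 Indicator properties."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "indicator", "spec_version": "2.1",
            "id": "indicator--" + str(uuid.uuid4()),
            "created": now, "modified": now, "valid_from": now,
            "name": name, "pattern_type": "stix", "pattern": pattern}

# One comparison, e.g.  domain-name:value = 'c2.example'
_CMP = re.compile(r"([\w-]+:[\w.-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")

def parse_pattern(pattern):
    """Extract (object:path, literal) pairs from an OR-joined STIX pattern."""
    # STIX string literals escape backslash and single quote with a backslash
    return [(path, raw.replace("\\\\", "\\").replace("\\'", "'"))
            for path, raw in _CMP.findall(pattern)]

def matches(indicator, observation):
    """True if any comparison in the pattern equals a field of the observation,
    a flat dict keyed by 'object-type:path' as a sensor might report it."""
    return any(observation.get(path) == value
               for path, value in parse_pattern(indicator["pattern"]))

def scan(indicators, observations):
    """Return (observation_index, indicator_name) for every hit."""
    return [(i, ind["name"]) for i, obs in enumerate(observations)
            for ind in indicators if matches(ind, obs)]

# Constructed sample indicators (placeholder values, not real IoCs).
INDICATORS = [
    make_indicator("dropper hash", "[file:hashes.MD5 = '0123456789abcdef0123456789abcdef']"),
    make_indicator("C2 infrastructure",
                   "[domain-name:value = 'c2.example' OR ipv4-addr:value = '203.0.113.7']"),
    make_indicator("persistence key",
                   "[windows-registry-key:key = 'HKEY_CURRENT_USER\\\\Software\\\\Run']"),
]

# Constructed observations: one network event, one file event, one registry event.
OBSERVATIONS = [
    {"ipv4-addr:value": "203.0.113.7", "domain-name:value": "cdn.example"},
    {"file:hashes.MD5": "ffffffffffffffffffffffffffffffff"},
    {"windows-registry-key:key": "HKEY_CURRENT_USER\\Software\\Run"},
]

if __name__ == "__main__":
    for idx, name in scan(INDICATORS, OBSERVATIONS):
        print(f"observation {idx} matched indicator '{name}'")
```

The same scan loop is what an IPS or SIEM rule engine does at scale once the indicator records are imported from a TAXII feed.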
Great, at this point we are able to react to an intrusion and understand its consequences, but not from the attacker's point of view, and sometimes that is not enough. This is where IoA, the Indicators of Attack, becomes relevant.
IoA is a mechanism for detecting the methods and intent of the attacker. It addresses problems that are hard for traditional defenses, like intrusions using legitimate credentials and zero-day exploits.
In a few words, IoA addresses the attacker side of the investigation, closely tied to the reconnaissance phase of a penetration test.
Finding intrusions manually is hard, and doing it effectively is harder still, but with the right tooling, automation and AI-driven analytics can lead to faster intruder detection.
Happy hunting :)