Predicting cyber-attacks has long been an elusive goal in the cyber-security industry. Methods such as Lockheed Martin’s Cyber Kill Chain evangelized the idea that staying one step ahead of your adversary is the way to defeat advanced, persistent threats. Key components to staying one step ahead include Indicators of Compromise (IOC) and Indicators of Attack (IOA), which are both valid methods that use the lessons learned from past encounters to protect against future ones. However, these indicators are not being fully utilized, which reduces their effectiveness against new attack methods. There is a better way to predict and prevent attacks. But before we reveal the “big surprise,” let’s take a dive into the current state of IOCs and IOAs …
Indicators of Compromise (IOCs)
IOCs are defined as “pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.” Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files, or URLs or domain names of botnet command-and-control servers. IOCs, by nature, are reactive. We can think of them as still pictures, capturing specific points in time – representing pieces of evidence that provide clues to the narrative of what has occurred. They might even give us a glimpse into the players and techniques involved in the attack – but at the end of the day, they do not give us the whole story – they only give us clues.
Indicators of Attack (IOAs)
To get the whole story we turn to IOAs, which are defined as “a unique construction of unknown attributes, IOCs, and contextual information (including organizational intelligence and risk) into a dynamic, situational picture that guides response.” If IOCs are “still pictures,” then IOAs are movies. They take all the pictures and evidence we collect, contextualize it, and apply it to a timeline, providing a full cinematic experience of the attack.
Making Better Predictions
This movie should be a valuable tool for identifying and disrupting future attacks before they can cause damage. There is only one problem: attackers rarely play the same movie twice. We should not assume that attempted intrusions will look exactly the same every time, because they probably won’t. There may be some similarities, just like in a sequel to a movie – we may see some of the same actors and settings, but the movie will also include new scenes, new characters and new dialogues. In a similar way, intrusion attempts are usually a newer version of a previous attempt. The attackers might use some of the same tools from the last round, or re-use techniques they developed, or attack at the same time of day, but they will probably change some of their C2 servers. Attackers, just like the rest of us, are limited in time and resources and understand the value of re-use. Creating a new attack from scratch to target the same victim is pricey and time-consuming, so they often borrow pieces of previous attacks. Therefore, looking for patterns of attack from previous incidents might seem like a reasonable approach, but searching for the same patterns of attack makes no sense because they almost certainly will not be the same.
So how can we make better use of IOAs? By rearranging them into multiple variations, we are no longer looking for one movie. Instead, we are writing different scripts with different plots, without committing to one story line. By creating varied attack patterns that contain valid evidence of the adversary’s characteristics, without forcing them into a specific pattern that most likely won’t happen again, we open the door to a new, much more efficient way of hitting back at our attackers.
This method gives us the opportunity to predict how attacks will occur long before they happen. We can proactively identify a persistent adversary, or other adversaries that share attacking characteristics. This method can even be used to identify and disrupt live attacks. Creating modular IOAs by collecting indicators during the early stages of an attack enables a proactive search for compromised assets, even before the owners of those assets realize they are under attack. This kind of real-time hunting allows new IOCs to emerge alongside existing IOAs, creating new dynamic patterns that can be used not only during the attack itself, but also afterwards for proactive detection in different networks.
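As an added illustration of the modular approach described in the two paragraphs above (example code written for this article, not from the original post or any vendor tool), the script below scores observed activity against every combination of an adversary's previously collected traits rather than against one fixed pattern. The trait names, weights, hashes and domains are constructed placeholders; the weighting (infrastructure cheap to rotate, tooling and tradecraft costly to rebuild) is an assumption of the example.

```python
# Added example: "modular IOA" matching. Instead of requiring every indicator of a
# previous intrusion to reappear (one fixed movie), observed activity is scored
# against the subsets of the adversary's traits. All values are constructed.
from itertools import combinations

# Traits collected from a prior intrusion (constructed, placeholder values).
PRIOR_IOA = {
    "tool_hash": "HASH_PLACEHOLDER_1",          # hash of the dropper seen last time
    "technique": "credential-dump-via-lsass",   # tradecraft the operator re-uses
    "attack_hour": 3,                           # operator was active around 03:00
    "c2_domain": "c2-old.example",              # infrastructure, cheap to rotate
}

# Assumed weights: how much the re-use of each trait tells us. Infrastructure
# rotates easily and is weighted low; tooling and tradecraft are weighted high.
WEIGHTS = {"tool_hash": 0.35, "technique": 0.35, "attack_hour": 0.1, "c2_domain": 0.2}


def variants(ioa, min_size=2):
    """Every combination of at least min_size traits: the 'alternate scripts'."""
    keys = sorted(ioa)
    return [{k: ioa[k] for k in combo}
            for n in range(min_size, len(keys) + 1)
            for combo in combinations(keys, n)]


def strict_match(ioa, event):
    """The rigid approach: the whole prior pattern must repeat exactly."""
    return all(event.get(k) == v for k, v in ioa.items())


def modular_score(ioa, event):
    """Best weighted overlap over all variants; rotating the C2 alone cannot zero it."""
    best = 0.0
    for v in variants(ioa):
        if all(event.get(k) == val for k, val in v.items()):
            best = max(best, sum(WEIGHTS[k] for k in v))
    return round(best, 2)


# Constructed "sequel": same tool and technique, new C2, different time of day.
SEQUEL = {"tool_hash": "HASH_PLACEHOLDER_1", "technique": "credential-dump-via-lsass",
          "attack_hour": 14, "c2_domain": "c2-new.example"}
# Constructed unrelated activity that shares only the hour with the prior intrusion.
NOISE = {"tool_hash": "HASH_PLACEHOLDER_9", "technique": "web-shell-upload",
         "attack_hour": 3, "c2_domain": "other.example"}

if __name__ == "__main__":
    print(strict_match(PRIOR_IOA, SEQUEL), modular_score(PRIOR_IOA, SEQUEL))  # False 0.7
    print(strict_match(PRIOR_IOA, NOISE), modular_score(PRIOR_IOA, NOISE))    # False 0.0
```

The strict matcher misses the sequel because the C2 and the hour changed, while the modular score still flags it on the re-used tool and technique; the unrelated activity scores zero because a single cheap coincidence never forms a variant on its own.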
Think about all the movie sequels you’ve seen over the years. Chances are you could have taken the previous movie and come up with multiple variations for how the sequel might play out. The odds are very good that you’d come up with at least one variation that mapped pretty closely to the actual sequel. (We all could predict Luke Skywalker would come out of exile to save the galaxy in “The Last Jedi,” for example.) Attackers give us the same tools for predicting the sequel as movies do – we just have to start using them.