Why Indicators of Attack Better Defend Against Cyberthreats

This blog is the first of two articles on how to proactively prepare for cyberthreats. In partnership with CrowdStrike, a cybersecurity software company, we’ll talk about how government organizations can improve their security postures to better defend their valuable assets today and tomorrow.

Unless you have the resources to actively hunt for the adversary and identify breaches within seconds of them occurring, you will ultimately lose.

Many organizations make the mistake of looking for the known signs of malware. But malware constantly changes, making it difficult to recognize, and it might not even be used as part of an attack at all. If that’s your focus, you are leaving yourself vulnerable.

The unprecedented success of attacks against large and well-equipped organizations around the world has led many security executives to question the efficacy of traditional layered defenses as their primary protection against targeted attacks. Instead, they are reviewing and revising their security best practices to focus on indicators-of-attack (IOA)-based detection and prevention strategies.

What Is an IOA-Based Approach?

Most legacy vendors focus solely on detecting indicators of compromise (IOCs), which signify that the security of the network has already been breached. IOCs include bad IP addresses, URLs, file hashes and known malicious domain names. In contrast, IOAs focus on detecting the intent of what attackers are trying to accomplish, before they reach their objective and regardless of the malware or exploit used in an attack.

It is a proactive stance, in which defenders are looking for early warning signs that an attack may be underway. It is the difference between trying to recreate a crime scene based on evidence left behind and being vigilant for the more subtle indicators that an attack is imminent or already in progress.

This difference can be illustrated by the most common and still the most successful tactic used by determined adversaries — spear-phishing.

A successful spear-phishing email must persuade the target to click on a link or open a document that will infect a machine. Once the machine is compromised, the attacker will silently execute another process, hide in memory or on disk and maintain persistence across reboots of the system. The next step is to make contact with command and control (C2) outside the victim’s network to request further instructions.

IOAs are concerned with the execution of these steps, the intent of the adversary and the outcomes the attacker is trying to achieve. IOAs are not focused on the specific tools the adversary uses to accomplish his or her objectives.

By monitoring these execution points, gathering the indicators and consuming them via a stateful execution inspection engine, the defender can determine how an actor successfully gained access to the network and infer his or her intent. No advance knowledge of the tools or malware (IOCs) is required.
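To make the contrast concrete, here is an added example (not code from this article or from CrowdStrike) of a small stateful correlator that follows the spear-phishing steps described above per process, next to a plain hash lookup. The event schema, process names, hashes and addresses are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (assumed schema; not from the article).
EVENTS = [
    {"ts": 100, "host": "ws-17", "type": "process_start", "pid": 410, "ppid": 1, "image": "mailclient.exe", "sha256": "aa11"},
    {"ts": 130, "host": "ws-17", "type": "process_start", "pid": 522, "ppid": 410, "image": "docviewer.exe", "sha256": "bb22"},
    {"ts": 134, "host": "ws-17", "type": "process_start", "pid": 611, "ppid": 522, "image": "updater.exe", "sha256": "cc33"},
    {"ts": 140, "host": "ws-17", "type": "persistence_write", "pid": 611, "target": "autorun entry"},
    {"ts": 155, "host": "ws-17", "type": "net_connect", "pid": 611, "dest": "198.51.100.7:443", "internal": False},
    {"ts": 160, "host": "ws-22", "type": "process_start", "pid": 70, "ppid": 1, "image": "browser.exe", "sha256": "dd44"},
    {"ts": 161, "host": "ws-22", "type": "net_connect", "pid": 70, "dest": "203.0.113.9:443", "internal": False},
]
KNOWN_BAD_HASHES = {"ee55"}                          # constructed IOC list
DOCUMENT_APPS = {"mailclient.exe", "docviewer.exe"}  # assumed names of document-handling apps
STAGES = ("spawned_by_document_app", "persistence", "external_contact")

def ioc_hits(events):
    """IOC view: flag only events whose file hash is already known to be bad."""
    return [e for e in events if e.get("sha256") in KNOWN_BAD_HASHES]

def ioa_alerts(events, window=300):
    """IOA view: alert when one process completes all three stages, in order,
    within `window` seconds. File hashes are never consulted.
    Simplification: pid reuse on a host is not handled."""
    image = {}                 # (host, pid) -> image name, for parent lookups
    state = defaultdict(dict)  # (host, pid) -> {stage: first timestamp}
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["pid"])
        if e["type"] == "process_start":
            image[key] = e["image"]
            parent = image.get((e["host"], e["ppid"]))
            # Stage 1: a document-handling app launches some other program.
            if parent in DOCUMENT_APPS and e["image"] not in DOCUMENT_APPS:
                state[key][STAGES[0]] = e["ts"]
        elif e["type"] == "persistence_write" and STAGES[0] in state[key]:
            state[key].setdefault(STAGES[1], e["ts"])   # Stage 2: survives reboot
        elif e["type"] == "net_connect" and not e["internal"] and STAGES[1] in state[key]:
            state[key].setdefault(STAGES[2], e["ts"])   # Stage 3: contact outside the network
        seen = state[key]
        if len(seen) == 3 and seen[STAGES[2]] - seen[STAGES[0]] <= window and key not in alerts:
            alerts.append(key)
    return alerts

if __name__ == "__main__":
    print("IOC hits:", ioc_hits(EVENTS))
    print("IOA alerts:", ioa_alerts(EVENTS))
```

On the sample data the hash lookup returns nothing because no hash is on the list, while the correlator flags process 611 on ws-17; the browser connection on ws-22 is ignored because it never passed the earlier stages.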

Takeaway: An IOA-based approach looks for early warning signs of a cyberthreat by focusing on a malicious actor’s intent and objective, regardless of the malware or tools that are used.
