[转帖]IOC Security: Indicators of Attack vs. Indicators of Compromise

IOC Security: Indicators of Attack vs. Indicators of Compromise

What is an Indicator of Compromise (IOC)?

First we should provide a definition of an indicator of compromise (IOC). An IOC is often described in the forensics world as evidence on a computer that indicates that the security of the network has been breached. Investigators usually gather this data after being informed of a suspicious incident, on a scheduled basis, or after the discovery of unusual call-outs from the network. Ideally, this information is gathered to create “smarter” tools that can detect and quarantine suspicious files in the future.

In the Cyber world, an IOC is an MD5 hash, a C2 domain or hardcoded IP address, a registry key, filename, etc. These IOCs are constantly changing making a proactive approach to securing the enterprise impossible. Because IOCs provide a reactive method of tracking the bad guys, when you find an IOC, there is a high probability that you have already been compromised.

What is an Indicator of Attack (IOA)?

Unlike Indicators of Compromise (IOCs) used by legacy endpoint detection solutions, indicators of attack (IOA) focus on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack. Just like AV signatures, an IOC-based detection approach cannot detect the increasing threats from malware-free intrusions and zero-day exploits. As a result, next-generation security solutions are moving to an IOA-based approach pioneered by CrowdStrike.

Indicator of Attack – Physical World

One way to focus our discussion around Indicators of Attack (IOA’s) is to provide an example of how a criminal would plan and undertake to rob a bank in the physical world.

A smart thief would begin by “casing” the bank, performing reconnaissance and understanding any defensive vulnerabilities. Once he determines the best time and tactics to strike, he proceeds to enter the bank. The robber disables the security system, moves toward the vault, and attempts to crack the combination. If he succeeds, he pinches the loot, makes an uneventful getaway and completes the mission. IOA’s are a series of behaviors a bank robber must exhibit to succeed at achieving his objective. He has to drive around the bank (identifying the target), park, and enter the building before he can enter the vault. If he doesn’t disable the security system, it will alarm when he enters the vault and takes the money.

Of course, activities like driving around the bank, parking and entering the bank do not, on their own, indicate an attack is imminent. Moreover, opening a bank vault and withdrawing cash is not necessarily an IOA… if the individual is authorized to access the vault. Specific combinations of activity trigger IOA’s.

Indicator of Attack – Cyber World

Let’s examine an example from the cyber world. An IOA represents a series of actions that an adversary must conduct to succeed. If we break down the most common and still the most successful tactic of determined adversaries – the spear phish – we can illustrate this point.

A successful phishing email must persuade the target to click on a link or open a document that will infect the machine. Once compromised, the attacker will silently execute another process, hide in memory or on disk and maintain persistence across reboots of the system. The next step is to make contact with a command and control site, informing his handlers that he awaits further instructions.

IOAs are concerned with the execution of these steps, the intent of the adversary and the outcomes he is trying to achieve. IOA’s are not focused on the specific tools he uses to accomplish his objectives.

By monitoring these execution points, gathering the indicators and consuming them via a Stateful Execution Inspection Engine, we can determine how an actor successfully gains access to the network and we can infer intent. No advance knowledge of the tools or malware (aka: Indicators of Compromise) is required.

Comparing an IOA to an IOC

In revisiting the bank robber analogy, imagine if we were only looking for IOC’s. In evidence from a previous robbery CCTV allowed us to identify that the bank robber drives a purple van, wears a Baltimore Ravens cap and uses a drill and liquid nitrogen to break into the vault. Though we try to track and observe these unique characteristics, his modus operandi (MO), what happens when the same individual instead drives a red car and wears a cowboy hat and uses a crowbar to access the vault? The result? The robber is successful again because we, the surveillance team, relied on indicators that reflected an outdated profile (IOCs).

Remember from above, an IOA reflects a series of actions an actor / robber must perform to be successful: enter the bank, disable the alarm systems, enter the vault, etc.

IOA’s are the Real-time Recorder

A by-product of the IOA approach is the ability to collect and analyze exactly what is happening on the network in real-time. The very nature of observing the behaviors as they execute is equivalent to observing a video camera and accessing a flight data recorder within your environment.

Returning to the physical world, when a detective arrives on a crime scene and has a gun, a body, and some blood they usually ask to see if anyone has any video of what transpired. The blood, body, and gun are IOCs that need to be manually reconstructed and are point-in-time artifacts. Very simply put, IOAs provide content for the video logs.

In the Cyber realm, showing you how an adversary slipped into your environment, accessed files, dumped passwords, moved laterally and eventually exfiltrated your data is the power of an IOA.

Real-world Adversary Activity – Chinese Actor

CrowdStrike’s Intelligence Team documented the following example activity attributed to a Chinese actor. The following example does highlight how one particular adversary’s activity eluded even endpoint protections.

This adversary uses the following tradecraft:

  1. In memory malware – never writes to disk
  2. A known and acceptable IT tool – Windows PowerShell with command line code
  3. Cleans up logs after themselves leaving no trace

Let’s explore the challenges that other endpoint solutions have with this tradecraft:

Anti-Virus – since the malware is never written to disk, most AV solutions set for an on-demand scan will not be alerted. On-demand scanning is only triggered on a file write or access. In addition, most proactive organizations perform a full scan only once a week because of the performance impact on the end user. If defenders were performing this full scan, and if the AV vendor was able to scan memory with an updated signature, they may provide an alert of this activity.

AV 2.0 Solutions – these are solutions that use machine learning and other techniques to determine if a file is good or bad. PowerShell is a legitimate windows system administration tool that isn’t (and shouldn’t be) identified as malicious. Thus, these solutions will not alert clients to this behavior.

Whitelisting – Powershell.exe is a known IT tool and would be allowed to execute in most environments, evading whitelisting solutions that may be in place.

IOC Scanning Solutions – since this adversary never writes to disk and cleans up after completing their work, what would we search for? IOC’s are known artifacts and in this case, there are no longer artifacts to discover. Moreover, most forensic-driven solutions require periodic “sweeps” of the targeted systems, and if an adversary can conduct his business between sweeps, he will remain undetected.

Final Words

In conclusion, at CrowdStrike, we know that our clients have adversary problems, not malware problems. By focusing on the tactics, techniques and procedures of targeted attackers, we can determine who the adversary is, what they are trying to access, and why. By the time you detect Indicators of Compromise, your organization has probably already been breached and may require an expensive incident response effort to remediate the damage.

By recording and gathering the indicators of attack and consuming them via a Stateful Execution Inspection Engine, you enable your team to view activity in real time and react in the present. Accessing your own network flight recorder avoids many of the time-consuming tasks associated with “putting the pieces together” after the fact. Providing first responders with the tools necessary to reconstruct the crime scene provides a cost-effective and proactive approach to confronting advanced persistent threats.

Interested in learning more about the IOA approach? Read our article on how CrowdStrike leverages Event Stream Processing (ESP) to detect malicious behavior.

原文地址:https://www.cnblogs.com/jinanxiaolaohu/p/11773127.html

时间: 2024-10-15 09:58:10

[转帖]IOC Security: Indicators of Attack vs. Indicators of Compromise的相关文章

[转帖]/etc/security/limits.conf的含义

https://www.cnblogs.com/pzk7788/p/7250723.html /etc/security/limits.conf 是 Linux 资源使用配置文件,用来限制用户对系统资源的使用 语法:<domain>  <type>  <item>  <value> [[email protected] ~]# cat /etc/security/limits.conf * soft nproc 65535 # 警告设定所有用户最大打开进程数

6 Useful Databases to Dig for Data (and 100 more)

6 Useful Databases to Dig for Data (and 100 more) You already know that data is the bread and butter of reports and presentations. Data makes your presentation solid. It backs up the ideas you are selling. It gives people reasons to listen to you. Ho

VC/MFC 编程技巧大总结

1 toolbar默认位图左上角那个点的颜色是透明色,不喜欢的话可以自己改. 2 VC++中 WM_QUERYENDSESSION WM_ENDSESSION 为系统关机消息. 3 Java学习书推荐:<java编程思想> 4 在VC下执行DOS命令 a. system("md c:\\12"); b. WinExec("Cmd.exe /C md c:\\12", SW_HIDE); c. ShellExecute ShellExecute(NULL,

【云计算】使用Libcloud屏蔽OpenStack、AWS、AliYun等虚拟化层差异

libcloud 是一个访问云计算服务的统一接口,该项目已经成为 Apache 组织的顶级项目,采用 Python 开发. Apache基金会于5月25日宣布,Libcloud已完成孵化.成为顶级项目. One Interface To Rule Them All Python library for interacting with many of the popular cloud service providers using a unified API. 基本示例: from libcl

stix/taxii威胁情报分析2(工作模式)

原文参考链接:How to use STIX for Automated Sharing and Graphing of Cyber Threat Data 本文不打算进行翻译操作,只讲重点和我个人的看法.原文是我最近读过的文章中思路最清晰,或者说我最能看懂的一篇---- STIX Overview STIX itself is a set of XML schemas which together comprise a language for describing cyber threat

IScroll介绍--案例

一.下面简单介绍一下iScroll: iScroll是一个高性能,资源占用少,无依赖,多平台的javascript滚动插件. 它可以在桌面,移动设备和智能电视平台上工作.它一直在大力优化性能和文件大小以便在新旧设备上提供最顺畅的体验. iScroll不仅仅是 滚动.它可以处理任何需要与用户进行移动交互的元素.在你的项目中包含仅仅4kb大小的iScroll,你的项目便拥有了滚动,缩放,平移,无限滚动,视差滚动,旋转功能.给它一个扫帚它甚至能帮你打扫办公室. 即使平台本身提供的滚动已经很不错,iSc

list-iscroll5.2

简介 iScroll是一个高性能,资源占用少,无依赖,多平台的JavaScript滚动插件. 它可以在桌面,移动设备和智能电视平台上工作.它一直在大力优化性能和文件大小以便在新旧设备上提供最顺畅的体验. iScroll不仅仅是 滚动.它可以处理任何需要与用户进行移动交互的元素.在你的项目中包含仅仅4kb大小的iScroll,你的项目便拥有了滚动,缩放,平移,无限滚动,视差滚动,旋转功能.给它一个扫帚它甚至能帮你打扫办公室. 即使平台本身提供的滚动已经很不错,iScroll可以在此基础上提供更多不

bootstrap插件之Carousel

兼容:ie9以上 特点:滑动图片看起来永远只有两帧,过度完美:是html css js的完美配合:其中html的data属性起了关键性作用 前提:normalize.css  jquery.js html 代码: <div class="wrapper"> <div class="carousel" id="carousel-generic"> <!-- Indicators --> <ul class=

程序员的量化交易(34)--QuantConnect_Lean如何定义Indicator指标2

转载需注明出处:http://blog.csdn.net/minimicall,http://cloudtrade.top/ 指标(Indicator)由三大关键组件组成: 1. 实现你指标的类 2. 在ACAlgorithm基类中的Helper方法,用于简化对你指标实现的调用. 3. 测试方法用于测试指标的表现. 为了实现一个指标,上述所有组件需要实现.下面的教程会带你浏览这些组件.我们将会使用  AroonOscillator作为案例.我们不会去介绍指标的基本概念. 1. 实现你的指标(Im