Threat detection: IOCs are just the foundation, IOBs are king

2022.05.03

however, behavior-based detection methods appear to be the future. Let's compare the differences between the two detection methods to determine whether it is more valuable to emphasize one or the other.

Professionals should all know the "Pyramid of Pain", which relates the various attack indicators to how much it costs an attacker when defenders detect them. The lower half of the pyramid consists of hashes, IP addresses, and domain names (the three are collectively referred to as IOCs); if they are detected, the attacker's difficulty does not increase significantly, that is, the level of pain is low.

In a real-world scenario, an attacker may deliberately flood the detection system with throwaway IOCs, one after another, to cover up the real attack. TTPs (Tactics, Techniques, and Procedures), at the top of the pyramid, are the attacker's most advanced means and the hardest to change. If the security operations center (SOC) can identify both IOCs and IOBs (indicators of behavior), the probability of a successful intrusion can undoubtedly be minimized.

Threat Hunting

There are many ways to perform threat hunting successfully; the two most common branches are active and passive hunting. Intelligence-based hunting leans toward the passive mode: data from intelligence-sharing platforms forms the basis for further investigation. Detection rules are derived from the lower half of the Pyramid of Pain (domain names, hashes, IP addresses, network or host artifacts) and then matched against threat intelligence, that is, against attacks others have already seen. The proactive approach, by contrast, is behavior-based. Its input data includes indicators of attack (IoA), indicators of behavior (IOB), and TTPs. Using UEBA-style assumptions about what normal behavior looks like, it is possible to detect whether an attack is taking place, and this detection is as close to real time as possible. Behavior-based threat hunting would no doubt be welcome.

Editor's Note: an IoA is an indicator of ongoing behavior, whereas an IOC is an indicator of an intrusion that has already occurred.
Detection based on indicators of compromise (IOC)

IOCs contain more than just hashes, IP addresses and domain names; there is plenty of other forensic data that can help security analysts monitor systems for signs of potentially malicious activity, such as:

- HTML response packet size
- Abnormal DNS requests
- Unplanned system patches
- Sudden system file changes
- Increased database reads
- Signs of DDoS (excessive requests)
- Mismatched port/application traffic
- Abnormal traffic to external networks
- Datasets that shouldn't exist

Intrusion indicators act as red flags, helping to detect early signs of an attack. However, it is not enough to keep a static list of common IOCs and periodically run detection rules against it. The growing sophistication of cyberattacks makes it imperative to track emerging indicators and ensure appropriate detection rules are in place. A new IOC may be as simple as an element of metadata or as complex as a piece of injected code buried in petabytes of constantly flowing log data; imagine how difficult it is to identify. Cybersecurity professionals need to look for correlations between various IOCs, and analyze and track events before and after an attack, to form an effective detection strategy.

Behavior-based detection (IOB)

While IOCs are great for retrospective analysis, these indicators have a short lifespan: evidence of previous attacks stops being useful soon after it is detected, so SOC analysts want to rely on more than that. And even with retrospective analysis, advanced threats remain. That's why behavior-based detection is needed to find less obvious signs of intrusion; UEBA (User and Entity Behavior Analytics)-based threat hunting can significantly enhance the ability to spot potential risks.
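As an added illustration of the IOC-based detection just described (example code, not from the original article), the script below matches constructed key=value log lines against a small static indicator feed, adds two of the listed anomaly checks (an abnormal DNS request and mismatched port/application traffic), and then correlates hits per host so that a machine tripping several distinct indicator kinds is escalated. The feed values, the log format, the field names and the expected-port table are all assumptions made for the example.

```python
"""IOC-based detection: match log events against a static indicator set.

Added example; not code from the original article. The indicator feed,
the key=value log format and every log line below are constructed for
illustration (203.0.113.0/24 is a documentation address range).
"""
from collections import defaultdict

# Constructed "threat intelligence" feed: the lower half of the Pyramid of Pain.
IOC_FEED = {
    "sha256": {"0123456789abcdef" * 4},          # placeholder hash, not a real sample
    "ip": {"203.0.113.45"},
    "domain": {"update-check.example.net"},
}

# Which port each application protocol is expected on (assumption for the example).
EXPECTED_PORTS = {"ssh": 22, "http": 80, "https": 443, "dns": 53}

# Constructed log lines: one host that trips several indicators, two that trip one.
LOG_LINES = [
    "ts=2022-05-03T10:00:01Z host=ws01 event=dns qname=mail.example.com",
    "ts=2022-05-03T10:00:05Z host=ws01 event=dns qname=update-check.example.net",
    "ts=2022-05-03T10:00:06Z host=ws01 event=conn dst_ip=203.0.113.45 dport=443 app=ssh",
    "ts=2022-05-03T10:01:00Z host=ws02 event=file sha256=" + "0123456789abcdef" * 4 + " path=/tmp/setup.bin",
    "ts=2022-05-03T10:02:00Z host=ws03 event=dns qname=" + "0f9a" * 15 + ".example.org",
]


def parse_line(line):
    """Turn a 'key=value key=value' log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def check_event(ev):
    """Return the names of every indicator the event matches."""
    hits = []
    # Plain IOC lookups: cheap and precise, but short-lived once the attacker rotates them.
    if ev.get("dst_ip") in IOC_FEED["ip"]:
        hits.append("ioc:ip")
    if ev.get("qname") in IOC_FEED["domain"]:
        hits.append("ioc:domain")
    if ev.get("sha256") in IOC_FEED["sha256"]:
        hits.append("ioc:hash")
    # "Abnormal DNS request" from the article's list: an unusually long label.
    qname = ev.get("qname")
    if qname and max(len(label) for label in qname.split(".")) > 40:
        hits.append("anomaly:dns-long-label")
    # "Mismatched port/application traffic": a protocol seen on an unexpected port.
    app, dport = ev.get("app"), ev.get("dport")
    if app in EXPECTED_PORTS and dport and int(dport) != EXPECTED_PORTS[app]:
        hits.append("anomaly:port-mismatch")
    return hits


def scan(lines):
    """Run every line through the checks and group the hits per host."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        for hit in check_event(ev):
            by_host[ev["host"]].append((ev["ts"], hit))
    return dict(by_host)


def escalate(by_host, min_kinds=2):
    """Correlate: a host matching several distinct indicator kinds is escalated."""
    return sorted(host for host, hits in by_host.items()
                  if len({kind for _, kind in hits}) >= min_kinds)


if __name__ == "__main__":
    hits = scan(LOG_LINES)
    for host, items in hits.items():
        print(host, items)
    print("escalate:", escalate(hits))
```

Running it escalates only ws01, which matched a feed domain, a feed IP and a port mismatch; ws02 (one hash hit) and ws03 (one long DNS label) stay as single low-confidence hits. That is the correlation step the article asks for, and it is also where the limits of this approach show: as soon as the attacker rotates the IP or domain, the feed entries stop matching and only the anomaly checks remain.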
Behavior generally includes:

- File operations: download, upload, create, delete, save, change
- Account operations: create new accounts, change passwords, log in and log out
- Mail operations: send or forward emails, automate emails, send attachments
- Website operations: visit pages, send requests, send attachments, send messages, use tools
- System administration: run queries, access stored data, execute code, export results

Behavior-based detections should not only be written down and collected, but also analyzed in a specific context to determine the intent of the behavior, and generic behavior should be tracked over the long term to see whether any suspicious changes have occurred. In addition to monitoring systems in real time, IOBs can also help predict the outcome of changes to security measures, such as what would happen if a company disabled external storage devices such as USB drives. However, security analysts need to be very careful when writing behavior-based detection rules to avoid high false-positive rates, as behavioral rules tend to be more susceptible to noise. This requires experienced analysts and often a different analysis method. The reason is simple: only then is it possible to detect unknown threats that do not show up in intelligence sources, let alone as IOCs.

Conclusion

In general, threat hunting is a complex process that requires specific tools, systems and methods for efficient operation and timely response. A successful threat hunter should stay one step ahead of attackers through full visibility into the network, the use of intelligence, and the creation of new rules. As for the choice between IOC and IOB, of course the answer is not to pick one but to use both: IOCs cover basic security needs, while IOBs serve higher security needs.
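To make the behavior-based side concrete, here is an added example (not the article's own code) of the kind of UEBA-style rules the behavior list and the false-positive caveat describe. It uses the account and file operations from the list: one rule compares each user's download count with that user's own baseline, a second chains account creation, login and bulk download into a sequence, and a context step suppresses volume alerts that fall inside an approved change window, which is how the noise the article warns about is kept down. The user names, baselines, event format, thresholds and the change window are all constructed assumptions.

```python
"""Behavior-based (UEBA-style) detection over a constructed event stream.

Added example; not code from the original article. User names, baselines,
the event format, thresholds and the approved change window are all
assumptions made for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed per-user baseline: downloads per day over the previous seven days.
BASELINE = {
    "alice": [3, 4, 2, 5, 3, 4, 3],
    "carol": [6, 5, 7, 6, 5, 6, 5],
    "svc-backup": [400, 410, 395, 405, 400, 398, 402],  # high volume, but normal for it
}

# Context that changes what a behaviour means: an approved change-ticket window.
APPROVED_WINDOWS = {"carol": (datetime(2022, 5, 3, 8), datetime(2022, 5, 3, 12))}


def _ev(ts, user, action, detail=""):
    return (datetime.fromisoformat(ts), user, action, detail)


def _burst(start, user, n, minutes):
    """n download events spread evenly over `minutes` minutes from `start`."""
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(seconds=i * minutes * 60 // n), user, "download", f"file{i}")
            for i in range(n)]


# Constructed day of events: (timestamp, user, action, detail), sorted by time.
EVENTS = sorted(
    [_ev("2022-05-03T09:00:00", "admin", "create_account", "bob"),
     _ev("2022-05-03T09:05:00", "bob", "login"),
     _ev("2022-05-03T09:10:00", "bob", "change_password"),
     _ev("2022-05-03T09:30:00", "alice", "login"),
     _ev("2022-05-03T13:00:00", "svc-backup", "login")]
    + _burst("2022-05-03T09:15:00", "bob", 40, 15)           # brand-new account, bulk download
    + _burst("2022-05-03T10:00:00", "alice", 60, 30)         # far above alice's own baseline
    + _burst("2022-05-03T09:00:00", "carol", 50, 60)         # above baseline, but inside a ticket
    + _burst("2022-05-03T13:05:00", "svc-backup", 405, 120)  # within its own normal range
)


def volume_anomalies(events, k=3.0, floor=10):
    """Compare each user's download count with that user's own baseline."""
    today = Counter(user for _, user, action, _ in events if action == "download")
    alerts = []
    for user, count in today.items():
        history = BASELINE.get(user)
        if history is None:  # no baseline yet; the sequence rule covers new accounts
            continue
        # A floor stops tiny baselines from alerting on a handful of extra downloads.
        threshold = max(floor, mean(history) + k * pstdev(history))
        if count > threshold:
            alerts.append((user, "download-volume", count))
    return alerts


def new_account_abuse(events, window=timedelta(hours=1), min_downloads=20):
    """Sequence rule: account created -> that account logs in -> bulk download, within `window`."""
    created = {detail: ts for ts, _, action, detail in events if action == "create_account"}
    alerts = []
    for account, t_create in created.items():
        in_window = [(u, a) for ts, u, a, _ in events
                     if u == account and t_create <= ts <= t_create + window]
        logged_in = (account, "login") in in_window
        downloads = sum(1 for _, a in in_window if a == "download")
        if logged_in and downloads >= min_downloads:
            alerts.append((account, "new-account-bulk-download", downloads))
    return alerts


def apply_context(alerts, events):
    """Suppress volume alerts when every download fell inside an approved change window."""
    kept, suppressed = [], []
    for alert in alerts:
        user, kind, _ = alert
        window = APPROVED_WINDOWS.get(user)
        if kind == "download-volume" and window:
            stamps = [ts for ts, u, a, _ in events if u == user and a == "download"]
            if all(window[0] <= ts <= window[1] for ts in stamps):
                suppressed.append(alert)
                continue
        kept.append(alert)
    return kept, suppressed


def hunt(events):
    """Return (alerts worth an analyst's time, alerts explained away by context)."""
    raw = volume_anomalies(events) + new_account_abuse(events)
    return apply_context(raw, events)


if __name__ == "__main__":
    kept, suppressed = hunt(EVENTS)
    print("alerts:", kept)
    print("suppressed by context:", suppressed)
```

The per-user baseline is what keeps svc-backup quiet: its 405 downloads would dwarf any global threshold, but they sit inside its own normal range. Carol's 50 downloads do exceed her baseline, yet they all fall inside an approved window, so the alert is recorded as suppressed rather than dropped, which preserves the long-term record the article asks for. Bob has no baseline at all, which is exactly why a sequence rule over account creation, login and bulk download is needed alongside the statistical one.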