In the infosecurity space, we often fall short when it comes to defining the distinction between and value of indicators of compromise (IOCs) and indicators of attack (IOAs). There are many subtle differences between these two types of data and intelligence. Having an in depth understanding of these indicators will allow your organization to improve their security posture.
So, let’s start with the basics, including a description of an indicator of compromise (IOC). Indicators of compromise are used to identify malicious behavior and can be made up of several data elements. A few examples of indicators of compromise include:
- Domain and DNS requests
- IP addresses
- File attributes
Investigators usually gather IOC data after being informed of a suspicious incident, on a set schedule, or after the discovery of unusual activity from the network or host. Additionally, IOCs can come from API feeds, published APT reports, intelligence services, blogs, white papers, or a variety of other deliverable formats. Finally, behavioral file and network indicators of compromise exist; such as URI string, macro usage, build path, and host registry. The underlying pattern being that IOCs are reactive. IOCs are often used to retroactively perform forensics, stop lateral movement, and possibly prevent data exfiltration.
Although IOCs do provide organizations significant value, they have their limitations. IOCs must be a known artifact so they aren’t always timely, and IOC-based detection cannot detect the increased threat from malware-free intrusions and/or Zero-days. This is where indicators of attack (IOAs) become incredibly important.
IOAs are events that could reveal an active attack before indicators of compromise become visible. These indicators focus on detecting the intent of a particular attacker or threat group. A few examples of IOAs include:
- System attributes
- Network attributes
- Malware attributes
- Email attributes
These indicators exist in a multitude of places including firewall rule logs, SIEM logs, proxy rule logs, IDS/IPS rule logs, network infrastructure logs, etc.
In summary, the important differentiator between IOCs and IOAs is that IOCs are reactive, and IOAs and proactive. It is important to use a combination of these indicators to have a historical perspective as well as real-time data. It is also important to note that IOCs are known bad, while IOAs only become bad based on what they mean to you and your environment. There is much more to be discussed when it comes to indicators, especially when it comes to leveraging this data in investigations. To see real world applications of IOCs and IOAs, join Kyle Wilhoit on October 25 at 10AM PT for our webinar: The IOC and IOA Playbook: Making Sense of Your Indicators.