Evolution of Cyber Defense (IOC vs IOA vs AID)
Identification of the problem
The information that passes through cyberspace is a high-value gem for threat actors, which is why they look for vulnerabilities in services exposed to the Internet to carry out cybercrimes (initial compromise, elevation of privileges, persistence, lateral movement, exfiltration, and kidnapping or destruction of the target), driven by different motivations. Likewise, the most active attack is directed at users: the victim is meant to click on a link sent through any messaging service and be redirected to a website infected with an infostealer; simply visiting the compromised website is enough for the system to fall under the control of the remote attacker, with no further user interaction required. Advanced 0-day malware is also distributed in PDF, xlsx and docx files, such as knowledge-sharing documents or hacked documents posted in Telegram groups or sent via email. Malware is also distributed in pirated commercial programs that have been cracked and given away on free software download websites, waiting to be executed (opened). There is also malware hosted on a USB device left for a worker at the target company to find, so that the user plugs it into any available computer. The main characteristic of this 0-day malware is that it is not detected by cybersecurity solutions.
Therefore, there is a need to anticipate the actions of cybercriminals in order to support cybersecurity. CTI will allow the development of skills to mitigate and respond immediately to possible incidents.
CTI
Cyber threat intelligence is the processing of collected data into intelligence, evaluated in the context of its source and reliability, and analyzed through rigorous and structured techniques by experienced specialists. All of this helps to identify threats, opportunities, similarities and differences in large amounts of information in order to produce accurate, timely and relevant intelligence.
CTI benefits by role or function
- Security/IT Analyst: CTI optimizes prevention and detection capabilities to strengthen defenses.
- SOC: CTI prioritizes incidents based on risk and impact on the organization.
- CSIRT: CTI accelerates the investigation, management and prioritization of incidents.
- Intelligence Analyst: CTI supports the discovery and tracking of threat actors targeting the organization.
- Executive Management: CTI helps in understanding the risks facing the organization and how to address their impact.
IOC
Indicators of compromise are evidence of security incidents or breaches, obtained in most cases as a result of digital forensic analysis. That being said, an IOC is the result of an unauthorized intrusion in which the attacker maintained persistence for between 2 months and 5 years within the organization; the IOC is added to the cybersecurity solution in the hope that it will block an attack that has already lost its surprise effect (it is no longer a 0-day). In any case, it is useful for blocking common cyber attacks.
An IOC can be a malware hash, an exploit, a vulnerability or an IP address; this information is used to create new rules in cybersecurity tools so that they can detect suspicious files in the future. The Indicator of Compromise (IOC) has a reactive approach.
IOCs are useful against botnet attacks.
An IOC has no effect on 0-day attacks.
IOA
Indicators of Attack (IOA) seek to detect early signs of what the cyber attacker is doing during the initial compromise attempt or, in most cases, once they have managed to evade security solutions with 0-day exploits; in that case, IOAs seek to identify post-exploitation actions such as persistence and lateral movement in the network, among other capabilities of the cyber attacker.
An IOA takes a proactive, zero-trust approach based on the assumption that the network is already compromised. Once the cyber attacker manages to compromise the technological asset, control of the incident will largely depend on the technical capabilities of the threat hunting operator.
Cutting-edge SOC (Security Operations Center) or CyberSOC companies currently offer services scoped to IOAs, based on the use of ML or AI solutions for this purpose; however, an operator with experience in manual IOA hunting will still be required, leaving IoCs in the background. The threat hunting operator relies on cybersecurity tools with ML (Machine Learning) that manage IOAs to try to contain the threat, given that current knowledge about advanced threats is still limited. To determine an effective control action, we must take into account that there are advanced capabilities that are not mapped by known threat modeling frameworks; this allows advanced attackers to evade XDR and other solutions with Machine Learning or AI (Artificial Intelligence). Hunting IOAs is therefore based on knowledge of post-exploitation activities that generate no noise, most of which are based on spoofing.
R4Y0H4CK recommends applying threat hunting based on IOA identification to detect intrusions into an asset vulnerable to new CVEs, or to monitor post-exploitation activities after an advanced attacker has achieved initial compromise with 0-day exploits. This will make it possible to prevent persistence and lateral movement in the network until the vendor of the vulnerable asset releases the official patch to contain cyberspace threats. It must be taken into account that the latent threat phase is long and corresponds to the vulnerability's window period, which runs from the moment exploitation of the vulnerability is known in the wild until the official patch is applied.
The framework is designed so that the purple team, the SOC, the technological security monitoring team, the cyber defense team and the threat hunters understand and strengthen their skills and capabilities for monitoring, detecting and controlling IOAs during the window period of a recent CVE that is being abused by advanced cyber attackers.
AID
Attack Indicators Deployed (AID) is a new concept coined by researcher Rafael Huamán Medina, arising from the need to detect malware or new and unknown payloads deployed in cyberspace, with the purpose of anticipating and neutralizing the terror of any organization: the 0-days used in targeted campaigns.
Deployed attack indicators (AID) are evidence of a malicious campaign in the deployment phase or already deployed, as well as of the C2 deployed and waiting for an Internet user to visit the infected website for the distribution of payloads, or waiting for a file shared on messaging services to be run.
The objective of hunting AIDs is to add the payload hash or the C2 IP to the cybersecurity solution in order to anticipate attacks from advanced cyber threats and neutralize them effectively. Cyber intelligence and threat hunting specialists investigate, identify and analyze payloads or 0-day malware deployed in cyberspace, which makes it possible to assign an identifier (hash or IP) to the AID; because of its 0-day characteristics, this malware would otherwise evade the security of all cybersecurity solutions to compromise the target asset. This 0-day malware is associated with infostealers, RATs, and PDF, xlsx and docx files shared in the cloud, on websites, on Telegram channels, on social networks or by email (phishing), or hosted on USB devices used in cyberespionage operations and RaaS (ransomware as a service) campaigns.
An AID will be the ideal support for the information security of any organization, neutralizing attacks of this type.
AIDs are obtained from the combination of cyber intelligence and threat hunting operations in cyberspace. To date (2023) there are few specialists worldwide with knowledge of AID hunting (in Peru and the Czech Republic); cybersecurity solutions with ML and AI have no scope for AID hunting, since they are not trained in the application of the technique or the investigation procedure.
AIDs represent a mature cyber defense posture against targeted 0-day campaigns, neutralizing their action; this is the ideal solution for cyber defense. Therefore, AIDs sit at the top layer or level 3, followed by IOAs (Indicators of Attack) at level 2, with IoCs (Indicators of Compromise) at the base or level 1.
Let's analyze the difference between IOC, IOA and AID:
In the image we can see that an IOC seeks to alert about a past attack that affected another organization. In a targeted campaign the IOC is likely to be ineffective because the attacker will change the object (payload, IP, etc.); in this example a 0-day is used, so the IOC is not useful in this type of scenario. As a consequence, the system is compromised and controlled by cybercrime.
An IOA, on the other hand, seeks to provide early warning during an active or ongoing attack. Here the 0-day will bypass the cybersecurity solutions, but the IOA will be useful in supporting the incident response team by searching for the intruder, and a race begins to contain and reduce the impact of post-exploitation. As a consequence, the system is compromised, but the threat hunt carried out by cyber defense operators begins.
The AID will effectively prevent the incident by neutralizing the digital campaign, making it the most effective of all the previous approaches, because it neutralizes targeted cyber attacks that use 0-days.
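To make the three layers concrete, here is an added example that is not part of the original article nor of R4Y0H4CK's own tooling. It is a small Python matcher with a hypothetical endpoint event schema and constructed hashes, IP addresses (RFC 5737 documentation ranges) and telemetry. It runs the same event sequence past an IOC list from a past incident, an AID list produced by hunting, and a set of IOA behaviour rules, and reproduces the three outcomes described in the IOC, IOA and AID sections above: the IOC feed misses the new payload, the IOA rules raise on the post-exploitation behaviour, and the AID entry would have stopped the payload before it ran. It goes slightly beyond the text by also running a replay of the old campaign, where the IOC layer is the one that fires.

```python
from dataclasses import dataclass
from typing import Callable, Optional
import hashlib


@dataclass(frozen=True)
class Event:
    """One constructed endpoint telemetry record (hypothetical schema, not a real EDR format)."""
    action: str                     # "process_start", "persistence" or "net_connect"
    process: str                    # image name of the acting process
    parent: str                     # image name of its parent process
    sha256: str                     # hash of the acting process image
    dest_ip: Optional[str] = None   # outbound destination for net_connect events


def fake_hash(label: str) -> str:
    """Stand-in for a sample hash: derived from a constructed label, not from any real file."""
    return hashlib.sha256(label.encode()).hexdigest()


# Level 1, IOC: identifiers learned from a past incident at another organisation (constructed).
IOC_HASHES = {fake_hash("old-campaign-payload-v1")}
IOC_IPS = {"203.0.113.10"}      # RFC 5737 documentation address, not a real C2

# Level 3, AID: identifiers of a payload and C2 found already deployed by hunting,
# before they were used against this organisation (constructed).
AID_HASHES = {fake_hash("new-campaign-payload-v2")}
AID_IPS = {"198.51.100.7"}      # RFC 5737 documentation address, not a real C2

OFFICE_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Level 2, IOA: behaviour rules that do not depend on any hash or IP.
IOA_RULES: dict = {
    "office_app_spawns_interpreter": lambda e: e.action == "process_start"
    and e.parent in OFFICE_APPS and e.process in INTERPRETERS,
    "interpreter_sets_persistence": lambda e: e.action == "persistence"
    and e.process in INTERPRETERS,
    "interpreter_outbound_connection": lambda e: e.action == "net_connect"
    and e.process in INTERPRETERS and e.dest_ip is not None,
}


def match_static(e: Event, hashes: set, ips: set) -> bool:
    """IOC and AID entries work the same way: an exact match on a hash or a destination IP."""
    return e.sha256 in hashes or (e.dest_ip is not None and e.dest_ip in ips)


def evaluate(events: list) -> dict:
    """Run every layer over an event sequence and report what each would have seen.

    ioc_hits:        indices matched by historical IOCs
    aid_first_block: index of the first event an AID entry would have stopped, or None
    ioa_hits:        (index, rule name) pairs raised by the behaviour rules
    """
    ioc_hits = [i for i, e in enumerate(events) if match_static(e, IOC_HASHES, IOC_IPS)]
    aid_hits = [i for i, e in enumerate(events) if match_static(e, AID_HASHES, AID_IPS)]
    ioa_hits = [(i, name) for i, e in enumerate(events)
                for name, rule in IOA_RULES.items() if rule(e)]
    return {
        "ioc_hits": ioc_hits,
        "aid_first_block": aid_hits[0] if aid_hits else None,
        "ioa_hits": ioa_hits,
    }


# Constructed sequence: a targeted campaign whose payload the IOC feed has never seen.
TARGETED_0DAY = [
    Event("process_start", "winword.exe", "explorer.exe", fake_hash("winword")),
    Event("process_start", "powershell.exe", "winword.exe", fake_hash("powershell")),
    Event("process_start", "update.exe", "powershell.exe", fake_hash("new-campaign-payload-v2")),
    Event("persistence", "powershell.exe", "winword.exe", fake_hash("powershell")),
    Event("net_connect", "powershell.exe", "winword.exe", fake_hash("powershell"), dest_ip="198.51.100.7"),
]

# Constructed sequence: a replay of the old, already-documented campaign.
REPLAYED_OLD = [
    Event("process_start", "setup.exe", "explorer.exe", fake_hash("old-campaign-payload-v1")),
    Event("net_connect", "setup.exe", "explorer.exe", fake_hash("old-campaign-payload-v1"), dest_ip="203.0.113.10"),
]

if __name__ == "__main__":
    for name, seq in (("targeted 0-day", TARGETED_0DAY), ("replayed old campaign", REPLAYED_OLD)):
        print(name, evaluate(seq))
```

On the targeted sequence the IOC layer returns no hits at all, the IOA rules fire at the second, fourth and fifth events (the interpreter spawned by the office document, the persistence it sets, and its outbound connection), and the AID entry would have blocked the third event, the payload itself, before any of the later behaviour happened. On the replayed old campaign the picture inverts: the IOC hashes and IP match immediately, while none of the behaviour rules trigger. That is the layering the article describes: the static identifier is only as good as how early it was obtained, and behaviour rules are what remain when the identifier is new.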
Always remember: "Knowledge prepares you to fight cybercrime" (R4Y0H4CK).
"If you know the enemy and you know yourself, you need not fear the outcome of hundreds of battles. If you know yourself but not the enemy, for every victory you win you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle" (Sun Tzu).
Share the knowledge with your contacts and please acknowledge the credits for this work, we would greatly appreciate feedback on your favorite social network.