Security Operations teams are the cornerstone of the fight against last-mile cybercrime in any organization. This is why they need the most advanced technologies possible.But the fight against cybercriminals isn’t simply a question of technology. Having a proactive attitude against possible cyberattacks is also key. This is where we see two essential concepts for all Security Operations teams: IoCs (indicators of compromise) and IoAs (indicators of attack).
What is the difference? Are they exclusive or complementary? When are they used? Which is more decisive? Below, we analyze the two concepts.
IoCs (Indicators of Compromise)
IoCs are the indicators that identify the presence of a threat actor on a computer once the compromise may have already taken place. That is, they are used to diagnose a security problem that has just happened within the organization. It is the evidence that a security compromise has happened, or it was about to happen.
In this regard, IoCs are used to identify files or artifacts that have previously been classified as malicious: a phishing email, a malware file, an IP address related to cybercrime, a risky entry in the registry, and so on. IoCs are, therefore, useful for companies to analyze the damage after or during a compromise and to react by mitigating its effects and eliminating the threat.
IoCs can also be useful for companies that need to accurately diagnose what has happened in order to know exactly where the problem lies and the exploited vulnerability is after they have suffered an incident to fix them and prevent similar attacks in the future.
IoAs (Indicators of Attack)
Searching for IoAs has a different philosophy; IoAs represent the maximum effort of proactivity. The goal is to anticipate the compromise by investigating suspicious activities, while searching for IoCs has a philosophy of reaction, looking for evidence that the compromise exists. In other words, IoAs don’t intervene when the attack has already happened, but rather when it is taking place, or even before it can become a real incident.
IoAs cover the gaps left by IoCs: they alert on any attempted attack, regardless of what method was used to evade the company’s security system. That is, IoAs detect attack steps that don’t require malware, such as LotL (living-off-the-land) techniques.
These indicators are the result of the work carried out by threat hunting teams leveraging the most advanced cybersecurity solutions supported by AI/ML (artificial intelligence/machine learning). These teams investigate and analyze the activities of system processes in depth, looking for anomalous behaviors, or behaviors that may represent a risk to the organization’s security. If they are detected, IoAs allow organizations to act before the vulnerability can be exploited and before the damage has become definitive.
The Importance of Being Proactive
A recurrent question about indictors is, which is more effective for protecting an organization, IoCs or IoAs? Both techniques are necessary and complement each other. However, one thing is clear: the proactive approach of IoAs will always go one step further when it comes to avoiding security incidents. The search for IoCs is an excellent tool to analyze the damage after or during a compromise and to react, by mitigating its effects and eliminating the threat.
IoCs are used in investigations once the damage has begun, whereas IoAs are part of a prior investigation and draw from a position of cyber resilience. The problem is that most cybersecurity solutions limit themselves to IoCs when analyzing, detecting, and mitigating cyberattacks. As a consequence, their actions against cybercrime will only be effective after the fact once the damage is done. Furthermore, some cyberattacks, such as those that use fileless malware, cannot be detected simply with IoCs. As such, the profiling and definition process that IoAs implies becomes vital for protecting corporate cybersecurity.
The service offered by MDR providers (managed detection and response) are highly proactive based on effective technology, cybersecurity experts, and well-defined and trained processes when it comes to protecting companies from advanced threats. With the help of advanced security solutions that analyze and profile all behaviors in real time, MDR cybersecurity analysts investigate IoAs, searching for possible anomaly behaviors that uncover clues of cyber threat activities. They also use IoC searches to help during the investigation and response phase, by identifying the artifacts being used, the vulnerabilities being leveraged, and the impacted assets.
The conclusion is clear: IoCs are useful and very necessary to both uncover a compromise, (the threat that is behind the incident and its impact) and to react, by eliminating the danger, stopping the incident, and mitigating its effects. However, any organization interested in proactively protecting itself must focus on developing investigation strategies based on IoA detection in order to detect abnormal activity, quickly investigate those activities, and respond to the threat as soon as possible, even before it becomes a real incident.
Explore our WatchGuard Endpoint Security products to discover how our solutions enable security teams to proactively prevent, detect, and respond to sophisticated threats through automation and IoA and IoC search engines.