newspaper-fold Blog

BEYOND THE IOC-Moving from the “what” to the “how” to better stay ahead of emerging attacks

April 15, 2021


Three travelers wandered across a sleeping elephant in the dark. They were walking by low moonlight, and all they could see were three big lumps in front of them. The first touched an elephant’s trunk and said, “oh, my, this must be a huge snake!” The second touched an elephant’s ear and said, “oh, my, this must be a giant bat with enormous wings!” The two jumped back from the scary animals in shock, landing in a warm smelly pile of elephant poo.

The third wanderer considered what the first two said while backing away from her pungent travel mates. She listened carefully and heard multiple low rhythmic rumbles. She knew that they were in a nature preserve with numerous elephant herds and that elephants tend to sleep in groups. With this information, she announced – with high probability– that they were next to snoozing elephants.

Like the travelers, Cyber threat intelligence (CTI) analysts are continually processing indicators that provide clues on potential and active threats. Unfortunately, these clues often lead to false assumptions and even lead to landing in digital piles of warm poo. What the third traveler did to identify the elephant correctly was move beyond making decisions on basic clues to a higher level of analysis: trunk shape + ear texture + herd tactics = elephants!

In EclecticIQ’s new report, “Beyond the IOC,” we explain why CTI analysts must make a similar pivot and go from the “what” of the attack (e.g., IP address, Domain, URL) to the “how” of the attack (e.g., Ransomware, RDP brute force attack, Cozy Bear actor, and espionage).

How to Better Detect Elephants

To move from “what” to “how” requires shifting from indicators of compromise (IOC) to tactics, techniques, and procedures (TTPs). As discussed in the report, this shift is proving to be effective, knowing that threat actors tend to execute attacks in repetitive ways, using attack patterns that are historically effective against a particular victim or set of victims.

Identifying these threat actors more quickly and more accurately begins by differentiating between IOCs and TTPs and their value to CTI. From this report, you will learn:

IOCs are Clues - Indicator of Compromise (IOCs) are pieces of forensic data that identify potentially malicious activity on a system or network. IOC monitoring can reveal unusual activities as red flags for a data breach or system compromise. However, detecting IOCs cannot provide a complete attack model or answer how a threat actor is conducting an attack.

The report includes triage approaches to managing IOCs better.

TTPS Give Focus - TTPs allow threat analysts to focus on adversary actions and how they are connected. What is excellent about TTPs is they describe the behavior, methods, and patterns within an attack rather than the footprints that attackers (or elephants) leave behind. They involve methods like registry modification or social engineering to prevent further impact from threat actors.

The report explains how to establish this focus and how it helps to direct threat hunting practices.

TTPs Give Context - TTPs provide a more comprehensive intelligence picture with greater context that synthesizes IOCs, observables, and MITRE ATT&CK taxonomy to help different teams understand attacks at both strategic and operational levels.

The report discusses how better context helps to prevent further attacks.

Sharing is Caring - TTPs provide an effective medium for sharing threat intelligence, so security and intelligence teams can better communicate and create common objectives. In contrast, IOCs are too granular and short-lived to enable effective knowledge sharing by IOCs alone.

The report illuminates how improved information sharing brings together CTI, information security, and incident response with details relevant to each role.

Intelligence Reports are Smart – A well-written and structured intelligence report saves time and resources, reduces ambiguity, and reduces human error. Intelligence reports build off TTPs and IOCs.

The report describes how to establish a standard protocol for intelligence reports that includes indicator watchlists, clustering of TTPs, and intelligence structuring.

Please register here to see the complete report of Beyond the IOC with Cyber Threat Intelligence.


3 more posts you might like