IOCs and IOAs
Indicators of Compromise
Indicators of Compromise (IOCs) are defined as "pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network"
The bottom five layers of the Pyramid of Pain (hash values, IP addresses, domain names, network/host artifacts, and tools) fall in this category
Reactive measure
Answer "What happened?"
Use these to detect/prevent suspicious activities in the future
IOCs describe and help to detect a specific artifact from an attack, like the hash of a specific malware variant or an IP address associated with an attack
Indicators of Attack (IOAs)
Indicators of Attack (IOAs) represent a series of actions that an adversary must conduct to succeed
These are represented by the top layer of the Pyramid (TTPs) and are not focused on any specific IOCs
Proactive measure
Answer "What is happening?" and "Why?"
Used to stop an attack in progress
IOAs describe and help detect the methodologies of an attack, like stealing credentials in order to log into a web portal or privilege escalation in order to obtain sensitive information
IOAs are more powerful than IOCs, but also more challenging to generate. The different phases of a specific cyberattack must be identified. The Tactics, Techniques and Procedures (TTPs) of the specific attack need to be understood
Indicators for threat hunting
The entire point of detecting indicators is to respond to them. Once you can respond to them quickly enough, you can deny the adversary the use of those indicators when attacking you
Indicators play a very important role in threat hunting as hunters use them to identify potential risk to the environment
Both IOCs and IOAs can be used by hunters to detect threats in the environment. But the complexity and effectiveness of the hunt goes up as you move up the Pyramid
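As an added example (not from the original page), the following Python runs both kinds of indicator over a constructed event log: a reactive IOC pass that matches a known-bad hash and IP address, and a proactive IOA pass that matches two of the behaviour sequences described above (credential theft followed by a portal login from a different host, and a privilege escalation followed by a read of sensitive data). All hashes, addresses, hostnames, event fields, the stage predicates and the 30-minute correlation window are assumptions made for the example, not real indicators.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IOC set (Pyramid of Pain layers 1-2). Sample values, not real indicators.
IOC_SHA256 = {"c0ffee" * 10 + "dead"}   # 64 hex chars standing in for a known malware hash
IOC_IPS = {"203.0.113.45"}               # RFC 5737 documentation address standing in for a C2 server


def _ts(hhmmss):
    return datetime.fromisoformat("2024-05-01T" + hhmmss)


# Constructed endpoint and web-portal telemetry, already in time order.
EVENTS = [
    {"id": 1, "ts": _ts("09:00:00"), "host": "WS01", "user": "alice", "type": "process",
     "cmd": "procdump64.exe -ma lsass.exe lsass.dmp", "sha256": "ab" * 32},   # rebuilt tool: hash unknown
    {"id": 2, "ts": _ts("09:03:10"), "host": "WS01", "user": "alice", "type": "netconn",
     "dst_ip": "203.0.113.45"},
    {"id": 3, "ts": _ts("09:12:00"), "host": "WS07", "user": "alice", "type": "portal_login"},
    {"id": 4, "ts": _ts("09:20:00"), "host": "SRV02", "user": "bob", "type": "process",
     "cmd": "cmd.exe", "integrity": "System", "parent": "vuln_service.exe"},
    {"id": 5, "ts": _ts("09:25:30"), "host": "SRV02", "user": "bob", "type": "file_read",
     "path": "\\\\FS01\\Finance\\payroll.xlsx"},
    {"id": 6, "ts": _ts("11:40:00"), "host": "WS03", "user": "carol", "type": "process",
     "cmd": "updater.exe", "sha256": "c0ffee" * 10 + "dead"},
    {"id": 7, "ts": _ts("13:00:00"), "host": "WS05", "user": "dave", "type": "process",
     "cmd": "procdump64.exe -ma lsass.exe out.dmp", "sha256": "cd" * 32},
    {"id": 8, "ts": _ts("15:30:00"), "host": "WS09", "user": "dave", "type": "portal_login"},  # > 30 min later
]


def match_iocs(events):
    """Reactive detection: flag events carrying an artifact already known from a past attack."""
    hits = []
    for e in events:
        if e.get("sha256") in IOC_SHA256:
            hits.append((e["id"], "hash"))
        if e.get("dst_ip") in IOC_IPS:
            hits.append((e["id"], "ip"))
    return hits


def detect_sequence(events, stages, key, window):
    """Proactive detection: per correlation key (here the user), find the stages in order,
    all within `window` of the first stage. A stage is a predicate (event, matched_so_far) -> bool,
    so later stages can compare against earlier matched events (e.g. a different host)."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[key(e)].append(e)
    hits = []
    for k, evs in by_key.items():
        for i, first in enumerate(evs):
            if not stages[0](first, []):
                continue
            chain = [first]
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break                      # window expired: do not correlate further
                if stages[len(chain)](later, chain):
                    chain.append(later)
                    if len(chain) == len(stages):
                        hits.append((k, [e["id"] for e in chain]))
                        break
    return hits


# Stage predicates for the two IOAs (assumed heuristics for the example).
def _lsass_dump(e, _):
    cmd = e.get("cmd", "").lower()
    return e["type"] == "process" and "lsass" in cmd and any(t in cmd for t in ("procdump", "minidump", "comsvcs"))


def _login_from_other_host(e, chain):
    return e["type"] == "portal_login" and e["host"] != chain[0]["host"]


def _system_process_for_normal_user(e, _):
    return e["type"] == "process" and e.get("integrity") == "System" \
        and e["user"].lower() not in ("system", "local service", "network service")


def _sensitive_read(e, _):
    return e["type"] == "file_read" and "\\finance\\" in e.get("path", "").lower()


IOAS = {
    "credential_theft_then_portal_login": [_lsass_dump, _login_from_other_host],
    "privilege_escalation_then_sensitive_read": [_system_process_for_normal_user, _sensitive_read],
}


def hunt_ioas(events, window_minutes=30):
    window = timedelta(minutes=window_minutes)
    return {name: detect_sequence(events, stages, key=lambda e: e["user"], window=window)
            for name, stages in IOAS.items()}


if __name__ == "__main__":
    print("IOC hits:", match_iocs(EVENTS))
    for name, hits in hunt_ioas(EVENTS).items():
        print("IOA", name, "->", hits)
```

Two things the run shows that the prose alone does not. The procdump binary in event 1 has a hash that is not in the IOC list (a rebuilt or renamed tool), so the IOC pass only catches the C2 connection and the known hash, while the IOA pass still flags alice's credential theft followed by the login from WS07. Conversely, dave's login arrives outside the 30-minute window, so the sequence is not correlated at all; in practice the LSASS dump on its own should also raise an alert, with the full sequence being the higher-confidence signal.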