Online Courses
Cyber Threat Hunting
IOCs and IOAs

Indicators of Compromise

Indicators of Compromise (IOCs) are defined as "pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network".

Layers 1–5 from the bottom of the Pyramid of Pain fall in this category.

  • Reactive measure

  • Answer "What happened?"

  • Use these to detect/prevent suspicious activities in the future

IOCs describe and help to detect a specific artifact from an attack, like a hash for a specific malware variant or an IP address associated with an attack.

Indicators of Attack (IOAs)

Indicators of Attack (IOAs) represent a series of actions that an adversary must conduct to succeed.

These are represented by the top layer of the Pyramid (TTPs) and are not focused on any specific IOCs.

  • Proactive measure

  • Answer "What is happening?" and "Why?"

  • Used to stop an attack in progress

IOAs describe and help detect the methodologies of an attack, like stealing credentials in order to log into a web portal, or privilege escalation in order to obtain sensitive information.

IOAs are more powerful than IOCs, but also more challenging to generate: the different phases of a specific cyberattack must be identified, and the Tactics, Techniques and Procedures (TTPs) of that attack need to be understood.
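The contrast between the two indicator types, as an added example that is not part of the course material: IOC matching looks for an atomic artifact (a hash or an IP address), while IOA detection looks for the ordered chain of actions described above (credential theft, portal login, privilege escalation, access to sensitive data) performed by one user inside a time window. All indicator values, event field names and log events below are constructed for illustration.

```python
from collections import defaultdict

# Constructed IOCs (Pyramid of Pain layers 1 and 2): a file hash and an IP address.
# The hash is a placeholder (SHA-256 of "test"), not a real malware indicator.
IOC_HASHES = {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}
IOC_IPS = {"203.0.113.7"}  # RFC 5737 documentation range, constructed value

# Constructed IOA (top of the Pyramid, a TTP): an ordered chain of actions by one user.
IOA_CREDENTIAL_TO_DATA = ["credential_access", "portal_login",
                          "privilege_escalation", "sensitive_read"]

# Constructed events: ts in seconds, acting user, event type, optional fields.
BAD_HASH = next(iter(IOC_HASHES))
EVENTS = [
    {"ts": 100, "user": "alice", "type": "process_start", "sha256": BAD_HASH, "src_ip": "10.0.0.5"},
    {"ts": 200, "user": "bob", "type": "credential_access", "src_ip": "10.0.0.6"},
    {"ts": 230, "user": "bob", "type": "portal_login", "src_ip": "10.0.0.6"},
    {"ts": 260, "user": "bob", "type": "privilege_escalation", "src_ip": "10.0.0.6"},
    {"ts": 290, "user": "bob", "type": "sensitive_read", "src_ip": "10.0.0.6"},
    {"ts": 900, "user": "carol", "type": "portal_login", "src_ip": "203.0.113.7"},
    {"ts": 1000, "user": "dave", "type": "credential_access", "src_ip": "10.0.0.8"},
    {"ts": 1100, "user": "dave", "type": "portal_login", "src_ip": "10.0.0.8"},
    {"ts": 5000, "user": "dave", "type": "privilege_escalation", "src_ip": "10.0.0.8"},
    {"ts": 5100, "user": "dave", "type": "sensitive_read", "src_ip": "10.0.0.8"},
]

def detect_iocs(events):
    """Atomic matching: answers 'What happened?' by flagging a known artifact."""
    hits = []
    for e in events:
        if e.get("sha256") in IOC_HASHES:
            hits.append((e["ts"], e["user"], "hash:" + e["sha256"][:8]))
        if e.get("src_ip") in IOC_IPS:
            hits.append((e["ts"], e["user"], "ip:" + e["src_ip"]))
    return hits

def detect_ioa(events, pattern, window):
    """Behavioural matching: the full action chain, in order, by one user within `window` seconds.
    Returns (user, ts of the chain's first step); a chain that stalls past the window is not a hit."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            if start["type"] != pattern[0]:
                continue
            idx = 1  # next pattern step still to be seen
            for e in evs[i + 1:]:
                if e["ts"] - start["ts"] > window:
                    break
                if idx < len(pattern) and e["type"] == pattern[idx]:
                    idx += 1
            if idx == len(pattern):
                hits.append((user, start["ts"]))
                break  # one hit per user is enough to open a hunt lead
    return hits
```

Note that bob trips no IOC at all and is found only by the IOA chain, while dave performs the same steps too slowly to match; that window is a tuning choice the hunter owns.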

Indicators for threat hunting

  1. The entire point of detecting indicators is to respond to them. Once you can respond to them quickly enough, you can deny the adversary the use of those indicators when attacking you.

  2. Indicators play a very important role in threat hunting, as hunters use them to identify potential risks to the environment.

  3. Both IOCs and IOAs can be used by hunters to detect threats in the environment, but the complexity and effectiveness of the hunt go up as you move up the Pyramid.

Last updated 8 months ago