Most threat intelligence is shared as Indicators of Compromise (IOCs): artifacts on a system or network that signal malicious activity. IOCs are the fingerprints left behind at the crime scene of a cyberattack. They are a static input, typically expressed as file hashes, IP addresses, domain names, or other observables from the environment.
An IOC as a concrete piece of threat intelligence looks like this:
Adversary IP Address: 220.127.116.11
Antivirus software looks at file attributes such as the file hash, function calls or embedded code sections. If it finds a match, it prevents the associated process from running. IOCs help identify and prevent adversary attacks based on the unique signature of the malware, C2 server, or other tools attackers may be using. For example, you may wish to flag unique hashes associated with a specific adversary group to give greater context to your alerts.
Indicators of Behavior (IOBs), on the other hand, describe the approach an attack takes. IOBs are the witness at the crime scene of a cyberattack. They couldn’t necessarily see the adversary’s face, but they saw what the adversary did. IOBs are the set of behaviors, independent of tools or artifacts, that describe an attack, and they can be very useful when building an AEP and attack simulation.
A high-level IOB looks something like this:
Initial access via a phishing email with a malicious Microsoft Word document attached.
Subsequent payloads downloaded by a malicious macro in the Word document, which executes commands through PowerShell and creates persistence via a scheduled task.
An IOB as a concrete piece of threat intelligence looks like this:
IOBs report on malicious behavior, which is a more contextualized approach to describing an attack. Admittedly, IOBs can vary: some will be specific down to a procedural description, while others will be more generic at the technique level.
In the example above, the IOB is generic enough that you can exercise these techniques with a range of procedures to test your defenses more broadly. For a blue team, this IOB can easily be turned into a search that they execute.
A plain-language search looks something like this:
Identify all executions of Microsoft Word where Word spawns a child process of PowerShell that connects to the internet and executes another shell (CMD or PowerShell) or a binary that is unsigned and downloaded from the internet.
Your blue team can use this direction and freedom to creatively hunt for this IOB in their environment.
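To make the IOC-versus-IOB contrast concrete, here is an added example (not code from the original post) that runs both kinds of matching over constructed process telemetry: a static IOC lookup on hashes and IPs, and a behavioral match for the plain-language search above (Word spawning a PowerShell that reaches the internet and then launches another shell or an unsigned, internet-downloaded binary). The event schema, field names, process IDs, paths, the placeholder hash and the RFC 5737 documentation IPs are all assumptions; the only value taken from the post is the adversary IP 220.127.116.11.

```python
"""Added example: static IOC matching beside behavioral IOB matching over
constructed process telemetry. Event schema and all sample values are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Static IOC lists. The IP is the one cited in the post; the hash is a constructed placeholder.
IOC_IPS = {"220.127.116.11"}
IOC_SHA256 = {"0" * 63 + "1"}  # placeholder hash, not a real indicator


@dataclass
class ProcEvent:
    """One process-creation record plus the remote peers it contacted (assumed schema)."""
    pid: int
    image: str                      # full image path of the process
    parent_pid: int
    sha256: str = ""
    signed: bool = True
    from_internet: bool = False     # e.g. Mark-of-the-Web present on the executable
    remote_ips: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def match_iocs(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Static matching: a hit requires the exact hash or IP to already be on the list."""
    hits = []
    for ev in events:
        if ev.sha256 in IOC_SHA256:
            hits.append((ev.pid, f"hash:{ev.sha256}"))
        for ip in ev.remote_ips:
            if ip in IOC_IPS:
                hits.append((ev.pid, f"ip:{ip}"))
    return hits


def match_word_powershell_iob(events: List[ProcEvent]) -> List[Tuple[int, int, int]]:
    """Behavioral matching of the post's plain-language search:
    Word -> PowerShell that talks to the internet -> (cmd|powershell) or an unsigned
    internet-downloaded binary. Returns (word_pid, powershell_pid, grandchild_pid)."""
    children: Dict[int, List[ProcEvent]] = defaultdict(list)
    for ev in events:
        children[ev.parent_pid].append(ev)
    hits = []
    for word in events:
        if basename(word.image) != "winword.exe":
            continue
        for ps in children[word.pid]:
            if basename(ps.image) != "powershell.exe" or not ps.remote_ips:
                continue
            for gc in children[ps.pid]:
                is_shell = basename(gc.image) in {"cmd.exe", "powershell.exe"}
                is_dropped_binary = (not gc.signed) and gc.from_internet
                if is_shell or is_dropped_binary:
                    hits.append((word.pid, ps.pid, gc.pid))
    return hits


# Constructed telemetry: four process chains; only two should match the IOB.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE = [
    # chain 1: Word -> PowerShell (internet) -> cmd : IOB match, nothing on the IOC lists
    ProcEvent(100, WORD, 1),
    ProcEvent(101, PS, 100, remote_ips=["203.0.113.10"]),
    ProcEvent(102, CMD, 101),
    # chain 2: Word -> PowerShell with no network activity -> cmd : no match
    ProcEvent(200, WORD, 1),
    ProcEvent(201, PS, 200),
    ProcEvent(202, CMD, 201),
    # chain 3: PowerShell from Explorer reaching the listed adversary IP : IOC hit only
    ProcEvent(300, r"C:\Windows\explorer.exe", 1),
    ProcEvent(301, PS, 300, remote_ips=["220.127.116.11"]),
    # chain 4: Word -> PowerShell (internet) -> unsigned downloaded binary, unknown hash : IOB match
    ProcEvent(400, WORD, 1),
    ProcEvent(401, PS, 400, remote_ips=["198.51.100.7"]),
    ProcEvent(402, r"C:\Users\alice\AppData\Local\Temp\update.exe", 401,
              sha256="ab" * 32, signed=False, from_internet=True),
]

if __name__ == "__main__":
    print("IOC hits:", match_iocs(SAMPLE))
    print("IOB hits:", match_word_powershell_iob(SAMPLE))
```

Chain 4 is the point of the exercise: its binary has a hash nobody has seen before and contacts an IP on no list, so the IOC lookup stays silent, while the behavioral rule flags it because the parent-child chain and the unsigned, downloaded payload match the IOB regardless of the specific tooling.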
I've spent several years in cybersecurity and have been recognized globally for my security research. Over the past ten years, I've held various engineering, development, and consulting roles in the technology sector and received a B.S. degree in Computer Engineering. Now, I am a Security Strategist at Cybereason.