IOCs vs. IOBs

Most threat intelligence is shared as Indicators of Compromise (IOCs), or artifacts on a system or network that signal malicious activity. IOCs are the fingerprints left behind at the crime scene of a cyberattack. They are a static input, and are often identified as file hashes, IP addresses, domain names, or other information in the environment.

An IOC as a concrete piece of threat intelligence looks like this:

  • Adversary IP Address: 100.35.197.249

Antivirus software looks at file attributes such as the file hash, function calls or embedded code sections. If it finds a match, it prevents the associated process from running. IOCs help identify and prevent adversary attacks based on the unique signature of the malware, C2 server, or other tools attackers may be using. For example, you may wish to flag unique hashes associated with a specific adversary group to give greater context to your alerts.

IOCs are valuable when preventing known malware, but over 350,000 new strains of malware are detected every day, and fileless malware attacks are on the rise. IOCs are no longer an innovative or sufficient standalone method for defense. 

Enter Indicators of Behavior

Indicators of Behavior (IOBs), on the other hand, describe the approach an attack takes. IOBs are the witness at the crime scene of a cyberattack. They couldn't necessarily see the adversary's face, but they saw what the adversary did. IOBs are the set of behaviors, independent of tools or artifacts, that describe an attack, and can be very useful when building an AEP and attack simulation.

A high-level IOB looks something like this:

  • Initial access by phishing attachment with malicious Microsoft Word document attached.
  • Subsequent payloads downloaded by a malicious macro within the Word document executing commands to leverage PowerShell and create persistence via a scheduled task.

An IOB as a concrete piece of threat intelligence looks like this:

  • T1193 Spear Phishing Attachment (Microsoft Word) -> T1093 Shell Process (PowerShell) -> T1407 External Connection -> T1053 Child Process (Create Scheduled Task)

IOBs report on malicious behavior, which is a more contextualized approach to describing an attack. Admittedly, IOBs can vary: some will be specific down to a procedural description, while others will be more generic at the technique level. 

With the example above, the IOB is generic enough that you can use these techniques with a range of procedures to test your defenses more broadly. For a blue team, this IOB can easily be turned into a search that they execute.

A plain-language search looks something like this: 

Identify all executions of Microsoft Word where Word spawns a child process of PowerShell that connects to the internet and executes another shell (CMD or PowerShell) or a binary that is unsigned and downloaded from the internet.

Your blue team can use this direction and freedom to creatively hunt for this IOB in their environment. 
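One way to express the plain-language search above as hunt logic over endpoint telemetry, as an added example that is not from the original post or from Cybereason. The event schema (type, host, pid, ppid, image, signed, downloaded, dst), the internal address ranges and the sample events are constructed assumptions; event ordering and PID reuse are ignored.

```python
import ipaddress

SHELLS = {"cmd.exe", "powershell.exe"}
# Assumed internal ranges; anything outside them counts as "the internet".
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry (hypothetical schema, not a vendor format).
EVENTS = [
    # ws1: Word -> PowerShell -> external connection -> second shell (should match)
    {"type": "process", "host": "ws1", "pid": 100, "ppid": 1, "image": "WINWORD.EXE", "signed": True},
    {"type": "process", "host": "ws1", "pid": 200, "ppid": 100, "image": "powershell.exe", "signed": True},
    {"type": "network", "host": "ws1", "pid": 200, "dst": "203.0.113.7"},
    {"type": "process", "host": "ws1", "pid": 300, "ppid": 200, "image": "cmd.exe", "signed": True},
    # ws2: Word -> PowerShell with internal traffic only (should not match)
    {"type": "process", "host": "ws2", "pid": 100, "ppid": 1, "image": "winword.exe", "signed": True},
    {"type": "process", "host": "ws2", "pid": 210, "ppid": 100, "image": "powershell.exe", "signed": True},
    {"type": "network", "host": "ws2", "pid": 210, "dst": "10.0.0.5"},
    # ws3: Word -> PowerShell -> external connection -> unsigned downloaded binary (should match)
    {"type": "process", "host": "ws3", "pid": 11, "ppid": 1, "image": "winword.exe", "signed": True},
    {"type": "process", "host": "ws3", "pid": 12, "ppid": 11, "image": "powershell.exe", "signed": True},
    {"type": "network", "host": "ws3", "pid": 12, "dst": "198.51.100.20"},
    {"type": "process", "host": "ws3", "pid": 13, "ppid": 12, "image": "upd.exe", "signed": False, "downloaded": True},
]

def is_external(dst):
    ip = ipaddress.ip_address(dst)
    return not any(ip in net for net in INTERNAL)

def hunt(events):
    """Return (host, word_pid, powershell_pid, child_pid, child_image) per matching chain."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    external = {(e["host"], e["pid"]) for e in events
                if e["type"] == "network" and is_external(e["dst"])}
    hits = []
    for (host, pid), child in procs.items():
        ps = procs.get((host, child["ppid"]))          # parent must be PowerShell
        if not ps or ps["image"].lower() != "powershell.exe":
            continue
        word = procs.get((host, ps["ppid"]))           # grandparent must be Word
        if not word or word["image"].lower() != "winword.exe":
            continue
        if (host, ps["pid"]) not in external:          # PowerShell reached the internet
            continue
        name = child["image"].lower()
        # Final step: another shell, or an unsigned binary flagged as downloaded.
        if name in SHELLS or (not child["signed"] and child.get("downloaded")):
            hits.append((host, word["pid"], ps["pid"], pid, name))
    return hits
```

Because the logic keys on the process chain rather than on a hash or address, the same function can be run over stored historical events as well as live ones.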

Additionally, by using techniques like retro-matching, you can go back in time and use current threat intel to evaluate your past environment for adversaries you may have missed. 

To learn more about how to use MITRE ATT&CK to enhance SecOps, download the white paper

Cybereason Team