Leveraging Indicators of Behavior for Early Detection

If Indicators of Compromise (IOCs) are the clues left behind at the scene of the crime, Indicators of Behavior (IOBs) are the witnesses, and they tell a story. For investigating a cyber attack, both are useful. 

Using what Forbes called “the new telemetry to find advanced cyber attackers,” we are developing the ability to detect never-before-seen attack techniques for earlier detections through the most subtle indicators of an attack in real-time, not just through the evidence and artifacts they leave behind after the attack has been successful.

Instead of simply focusing on the components of an attack that IOCs describe, the utility of IOBs are independent of the attack sequence. 

Analysis of one attack in one environment and then applying the indicators to other environments to spot similar attacks is useful, but still requires a “sacrificial lamb” (or several) before the IOCs can be documented, disseminated, and then applied in threat hunting. 

Alternatively, IOBs can be leveraged to determine which “normal” behaviors are in fact malicious because the chains of associated behaviors themselves expose the attacker’s intent even when the actions and activities fail to trigger an alert from traditional security solutions.

When otherwise “legitimate” behaviors are chained in certain sequences, they either produce an exceedingly rare condition or represent a distinct advantage for an attacker (or both)—this is where context-rich correlations across endpoints, the cloud, application suites, and user identities are critical for detecting malicious activity at the earliest stages of an attack.

IOBs are about highlighting the attacker’s trajectory and intentions through analyzing chains of behaviors that, when examined together, are malicious and stand out from the background of benign behaviors on the network.

IOBs vs IOCs

As the Internet Engineering Task Force states, “Defenders frequently rely on Indicators of Compromise to identify, trace, and block malicious activity in networks or on endpoints.” IOCs are pieces of hard evidence left behind in a cyberattack, artifacts of forensics that we then ‘take to the lab’ and log for the next time an attacker comes our way. 

However, with over 350,000 new strains of malware detected per day and the rise of fileless and Living-off-the-Land attacks, this method is becoming increasingly insufficient. By the time you’re examining the evidence, it’s too late. 

As we saw in the SolarWinds attack, IOCs just aren't cutting it when it comes to real-time detection and prevention of novel, never before seen attack progressions. The malicious code used in the SolarWinds attacks was surreptitiously included in a legitimate software update signed by a valid digital certificate, making the attack extremely difficult to detect using traditional methods. 

In a previous blog, Sam Curry stated that bad actors who know what they’re doing “uniquely compile their code to make sure it doesn’t match with any known file hashes or malware signatures out there, rendering IOCs ineffective for detection and impossible for signature-based anti-malware solutions to provide sufficient levels of protection across multiple organizations using the same indicators.” 

He continues, “not only that, but advanced attackers also commonly inject false artifacts into IOC databases in order to ratchet up the noise and thereby complicate organizations’ response efforts.” 

The takeaway here is in understanding that the key to early detection of advanced operations. As we saw with the SolarWinds attack, leveraging IOBs to level-up to a more efficient and effective Operation-Centric approach to detecting the whole of an attack as opposed to responding to individual, uncorrelated alerts that may or may not reveal key elements of the larger attack operation. 

Even when attackers are doing things that could be regarded as normal activity that one would expect to see on a network, when the actions and activities are chained, a pattern emerges that is divergent from the behavioral paths of authorized users and activities.

By examining all behaviors in relation to one another as opposed to individually–even those that appear harmless in isolation–IOBs can reveal a correlated plan of attack underneath. 

IOBs and the MITRE ATT&CK Framework

To better express the logic behind IOBs, let’s take a look at the MITRE ATT&CK framework. The MITRE ATT&CK framework is so useful because it reveals the art of what the bad guys do. How do hackers move through an environment? What tactics do they use? What are their techniques, and how can we know them the next time we see them? 

The real value in the ATT&CK framework is that it creates a taxonomy for Defenders to better describe the actions and activities of the adversaries, leading to better detections. The columns in the MITRE ATT&CK represent the tactics employed in an attack, and each box represents the techniques used to accomplish them.

These behavioral patterns might seem insignificant on the surface when observed in isolation, but if examined together as chains of behavior they can provide early insights into the initial stages of an attack.  

Operationalizing IOBs

Operationalize Indicators of Behavior is all about instrumenting and collecting behavior at scale, and will require standardization that will deliver the full potential value of the entire security stack to quickly and autonomously deliver the necessary context and correlations across diverse telemetry sources.

It will require the development of a common, extensible format for IOBs that can keep us all on the same page, yet is capable of scaling as our capabilities and those of our adversaries continue to evolve. It will also require collecting both good and bad behavior at scale regardless of solution or asset class and codifying the data structures that will enable automation of machine language queries.

As an industry, we need to shift away from our reliance on artifacts that only describe what already happened and move towards leveraging the Indicators of Behavior that reveal what is happening in real-time in order to predictively respond to prevent the next steps of an attack progression long before it can escalate to a major security event. 

An Operation-Centric approach that leverages IOBs empowers security operations to dynamically adapt and predictively respond more swiftly than attackers can modify and adjust their tactics to circumvent defenses, which is key to finally reversing the adversary advantage and returning the high ground to the Defenders.

Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason AI-driven XDR here or schedule a demo today to learn how your organization can benefit from an Operation-Centric approach to security.