The document discusses the differences between indicators of attack (IOAs) and indicators of compromise (IOCs). IOAs focus on detecting an attacker's intent and tactics regardless of the specific tools used, while IOCs detect artifacts left behind after a compromise. IOAs provide a "real-time recorder" of an attack by observing behaviors as they execute, similar to a security camera, whereas IOCs must be manually reconstructed from point-in-time artifacts. The document provides examples to illustrate how an IOA-based approach can detect sophisticated attacks that evade other defenses by not leaving behind artifacts or files on disk.
IOA VS IOC

What is an Indicator of Attack (IOA)?


Indicators of attack (IOAs) focus on detecting the intent of what an attacker is trying
to accomplish, regardless of the malware or exploit used in an attack. Just like AV
signatures, an IOC-based detection approach cannot detect the increasing threats
from malware-free intrusions and zero-day exploits. As a result, next-generation
security solutions are moving to an IOA-based approach pioneered by CrowdStrike.

What is an Indicator of Compromise (IOC)?


An Indicator of Compromise (IOC) is often described in the forensics world as
evidence on a computer that indicates that the security of the network has been
breached. Investigators usually gather this data after being informed of a suspicious
incident, on a scheduled basis, or after the discovery of unusual call-outs from the
network. Ideally, this information is gathered to create “smarter” tools that can
detect and quarantine suspicious files in the future.

Indicator of Attack – Physical World

One way to focus our discussion around Indicators of Attack (IOAs) is to provide an
example of how a criminal would plan and undertake to rob a bank in the physical
world.

A smart thief would begin by “casing” the bank, performing reconnaissance and
understanding any defensive vulnerabilities. Once he determines the best time and
tactics to strike, he proceeds to enter the bank. The robber disables the security
system, moves toward the vault, and attempts to crack the combination. If he
succeeds, he pinches the loot, makes an uneventful getaway and completes the
mission. IOAs are the series of behaviors a bank robber must exhibit to succeed at
achieving his objective. He has to drive around the bank (identifying the target),
park, and enter the building before he can enter the vault. If he doesn’t disable the
security system, it will alarm when he enters the vault and takes the money.

Of course, activities like driving around the bank, parking and entering the bank do
not, on their own, indicate an attack is imminent. Moreover, opening a bank vault
and withdrawing cash is not necessarily an IOA… if the individual is authorized to
access the vault. It is specific combinations of activity that trigger IOAs.

Indicator of Attack – Cyber World


Let’s examine an example from the cyber world. An IOA represents a series of
actions that an adversary must conduct to succeed. If we break down the most
common and still the most successful tactic of determined adversaries – the spear
phish – we can illustrate this point.

A successful phishing email must persuade the target to click on a link or open a
document that will infect the machine. Once the machine is compromised, the attacker will silently
execute another process, hide in memory or on disk and maintain persistence
across reboots of the system. The next step is to make contact with a command and
control site, informing his handlers that he awaits further instructions.

IOAs are concerned with the execution of these steps, the intent of the adversary
and the outcomes he is trying to achieve. IOAs are not focused on the specific tools
he uses to accomplish his objectives.

By monitoring these execution points, gathering the indicators and consuming them
via a Stateful Execution Inspection Engine, we can determine how an actor
successfully gains access to the network and we can infer intent. No advance
knowledge of the tools or malware (aka: Indicators of Compromise) is required.

Comparing an IOA to an IOC

In revisiting the bank robber analogy, imagine if we were only looking for IOCs.
CCTV evidence from a previous robbery allowed us to identify that the bank robber
drives a purple van, wears a Baltimore Ravens cap and uses a drill and liquid
nitrogen to break into the vault. We try to track and observe these unique
characteristics, his modus operandi (MO), but what happens when the same individual
instead drives a red car, wears a cowboy hat and uses a crowbar to access the
vault? The result? The robber is successful again because we, the surveillance
team, relied on indicators that reflected an outdated profile (IOCs).

Remember from above, an IOA reflects a series of actions an actor / robber must
perform to be successful: enter the bank, disable the alarm systems, enter the vault,
etc.

IOAs are the Real-time Recorder

A by-product of the IOA approach is the ability to collect and analyze exactly what is
happening on the network in real-time. The very nature of observing the behaviors
as they execute is equivalent to observing a video camera and accessing a flight
data recorder within your environment.

Returning to the physical world, when a detective arrives on a crime scene and has
a gun, a body, and some blood, they usually ask to see if anyone has any video of
what transpired. The blood, body, and gun are IOCs that need to be manually
reconstructed and are point-in-time artifacts. Very simply put, IOAs provide the content
for the video logs.

In the Cyber realm, showing you how an adversary slipped into your environment,
accessed files, dumped passwords, moved laterally and eventually exfiltrated your
data is the power of an IOA.

IOA Real World Example – Chinese Actor


CrowdStrike’s Intelligence Team documented the following example activity
attributed to a Chinese actor. The following example does highlight how one
particular adversary’s activity eluded even endpoint protections.

This adversary uses the following tradecraft:

- In-memory malware – never writes to disk
- A known and acceptable IT tool – Windows PowerShell with command line code
- Cleans up logs after themselves, leaving no trace

Let’s explore the challenges that other endpoint solutions have with this tradecraft:

Anti-Virus – since the malware is never written to disk, most AV solutions set for an
on-demand scan will not be alerted. On-demand scanning is only triggered on a file
write or access. In addition, most proactive organizations perform a full scan only
once a week because of the performance impact on the end user. If defenders were
performing this full scan, and if the AV vendor was able to scan memory with an
updated signature, they may provide an alert of this activity.

AV 2.0 Solutions – these are solutions that use machine learning and other
techniques to determine if a file is good or bad. PowerShell is a legitimate Windows
system administration tool that isn’t (and shouldn’t be) identified as malicious. Thus,
these solutions will not alert clients to this behavior.

Whitelisting – Powershell.exe is a known IT tool and would be allowed to execute
in most environments, evading whitelisting solutions that may be in place.

IOC Scanning Solutions – since this adversary never writes to disk and cleans up
after completing their work, what would we search for? IOCs are known artifacts
and in this case, there are no longer artifacts to discover. Moreover, most forensic-
driven solutions require periodic “sweeps” of the targeted systems, and if an
adversary can conduct his business between sweeps, he will remain undetected.
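The spear-phish chain from the cyber-world section and the in-memory PowerShell tradecraft above share one detection problem: nothing on disk to hash, but a recognisable sequence of behaviours. The following is an added example, not CrowdStrike's code, of a toy stateful IOA engine beside a plain IOC hash scan, run over constructed endpoint events; the event field names, process images, hash strings and destination address are all assumptions made up for illustration.

```python
# Added example (not CrowdStrike's code): a toy stateful IOA engine beside a
# plain IOC hash scan, run over constructed endpoint events. Field names,
# process images, hashes and the destination address are all made up.

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe"}

# Constructed telemetry: Outlook -> Word -> hidden, encoded PowerShell that
# never touches disk, beacons out, then exits (the log it would clean is absent).
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": "outlook.exe",    "sha256": "hash-A"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "winword.exe",    "sha256": "hash-B"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe", "sha256": "hash-C",
     "cmdline": "powershell.exe -nop -w hidden -enc <constructed-base64>"},
    {"type": "netconn", "pid": 300, "dest": "203.0.113.9:443"},
    {"type": "process_end", "pid": 300},
]

# IOC view: hashes captured from a *previous* intrusion by this actor. The
# tooling changed, so nothing matches (the purple van is now a red car).
KNOWN_BAD_HASHES = {"hash-X", "hash-Y"}


def ioc_scan(events):
    """Point-in-time artifact match: returns events whose hash is on the list."""
    return [e for e in events if e.get("sha256") in KNOWN_BAD_HASHES]


def ioa_engine(events):
    """Stateful chain match: office app -> script host with hidden/encoded
    command line -> outbound connection. Alerts on the chain, not the tool."""
    image_of = {}          # pid -> image name, to resolve parent processes
    stages = {}            # pid -> set of chain stages reached so far
    alerts = []
    for e in events:
        if e["type"] == "process":
            image_of[e["pid"]] = e["image"]
            if e["image"] in SCRIPT_HOSTS and image_of.get(e["ppid"]) in OFFICE_APPS:
                reached = {"office_spawned_script_host"}
                cmd = e.get("cmdline", "").lower()
                if "-enc" in cmd or "hidden" in cmd:
                    reached.add("hidden_or_encoded_cmdline")
                stages[e["pid"]] = reached
        elif e["type"] == "netconn" and e["pid"] in stages:
            stages[e["pid"]].add("outbound_connection")
            if len(stages[e["pid"]]) == 3:
                alerts.append({"pid": e["pid"], "dest": e["dest"],
                               "chain": sorted(stages[e["pid"]])})
    return alerts
```

On this input `ioc_scan` returns nothing while `ioa_engine` raises one alert for pid 300, which is the page's point: the hashes changed, the behaviour chain did not.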

By focusing on the tactics, techniques and procedures of targeted attackers,
CrowdStrike can determine who the adversary is, what they are trying to access,
and why. By the time you detect Indicators of Compromise, your organization has
probably already been breached and may require an expensive incident response
effort to remediate the damage.

By recording and gathering the indicators of attack and consuming them via a
Stateful Execution Inspection Engine, you enable your team to view activity in real
time and react in the present. Accessing your own network flight recorder avoids
many of the time-consuming tasks associated with “putting the pieces together”
after the fact. Providing first responders with the tools necessary to reconstruct the
crime scene provides a cost-effective and proactive approach to confronting
advanced persistent threats.

Interested in learning more about the IOA approach? Read our article on how
CrowdStrike leverages Event Stream Processing (ESP) to detect malicious
behavior.
