Most threat intelligence is shared as Indicators of Compromise (IOCs): artifacts on a system or network that signal malicious activity. IOCs are the fingerprints left behind at the crime scene of a cyberattack. They are valuable for preventing known malware, but over 350,000 new strains of malware are detected every day, and fileless malware attacks are on the rise.

Further, we are seeing an increase in targeted attacks against those affected by COVID-19 alongside a simultaneous shift to a remote workforce, making this an even more complex and immediate issue. Many organizations can’t sit and wait for someone else to discover a new attack; they need shared threat intel that informs them before an attack happens. IOCs are no longer a sufficient standalone method for defense, and attackers have long since outmaneuvered them. What is required is something more persistent, something that can track activity after prevention inevitably fails.

Tackling the Top of the Pyramid

We have seen that IOCs tackle the base of the Pyramid of Pain, covering the gamut of hash values, IP addresses, domains and more. The industry has these covered and should continue to. However, we still need to address the "Tough!" problem at the top of the pyramid, TTPs, which largely lack an innovative solution. Perhaps the ecosystem the industry has built around IOCs is exactly why we struggle with the top of the pyramid, but that doesn’t change the need for innovation.

The Need for a New Approach Now

What we need is an approach that allows the defender community to share threat intelligence in a way that prepares for the future, not the past. This is where Indicators of Behavior (IOBs) become an important building block for future-proof SecOps. It’s especially relevant during this time of change; attacks are on the rise, and your new, expanded perimeter is all the more vulnerable and uncertain.

The data collected to identify IOBs is not inherently good or bad. Everything must be collected in order to interpret it properly and decide whether a behavior is truly malicious: process spawning, privilege escalation, registry alterations, network connections and more.

IOBs are dynamic; they describe the approach an attack takes rather than a static output. They are the witness at the crime scene of a cyberattack: they may not have seen the adversary’s face, but they saw what the adversary did. They are the set of behaviors, independent of tools or artifacts, that describe an attack.

Reporting on and sharing malicious behavior with the community is a more contextualized and higher-efficacy way of describing an attack, which is what we need in the current environment. The real beauty of IOBs is in the chaining: a single behavior is rarely conclusive, but a long enough sequence of behaviors separates the good from the bad.
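To make the chaining idea concrete, here is an added example (not code from the original post) that runs an IOC blocklist check and an IOB behavior chain over constructed endpoint telemetry; the event schema, the hash placeholders and the three-step chain are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed endpoint telemetry (sample data, not from any real incident).
# Tree rooted at pid 100: an office app spawns a shell that sets a Run key and
# then connects out. Tree rooted at pid 200: a browser simply connects out.
EVENTS = [
    {"ts": 10, "type": "process_start",   "pid": 100, "ppid": 1,   "sha256": "hash-A (placeholder)"},
    {"ts": 11, "type": "process_start",   "pid": 101, "ppid": 100, "sha256": "hash-B (placeholder)"},
    {"ts": 12, "type": "registry_set",    "pid": 101, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"ts": 13, "type": "network_connect", "pid": 101, "dst": "203.0.113.7:443"},
    {"ts": 20, "type": "process_start",   "pid": 200, "ppid": 1,   "sha256": "hash-C (placeholder)"},
    {"ts": 21, "type": "network_connect", "pid": 200, "dst": "198.51.100.3:443"},
]

# An IOB expressed as an ordered chain of behaviors: no image name, no hash.
IOB_PERSIST_THEN_CONNECT = ("process_start", "registry_set", "network_connect")

def match_ioc(events, known_bad_hashes):
    """Classic IOC matching: flag pids whose executable hash is on a blocklist."""
    return sorted(e["pid"] for e in events if e.get("sha256") in known_bad_hashes)

def behaviours_by_tree(events):
    """Group (ts, type) per process tree so a chain can span parent and child."""
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_start"}
    def root(pid):
        while pid in parents and parents[pid] in parents:
            pid = parents[pid]
        return pid
    trees = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        trees[root(e["pid"])].append((e["ts"], e["type"]))
    return trees

def chain_matches(iob, timeline, window):
    """Greedy in-order match: gaps between steps allowed, total span bounded."""
    hits, i = [], 0
    for ts, kind in timeline:
        if i < len(iob) and kind == iob[i]:
            hits.append(ts)
            i += 1
    return i == len(iob) and hits[-1] - hits[0] <= window

def match_iob(events, iob, window=60):
    """Return root pids of process trees that exhibit the behavior chain."""
    trees = behaviours_by_tree(events)
    return sorted(r for r, tl in trees.items() if chain_matches(iob, tl, window))

if __name__ == "__main__":
    print("IOC hits:", match_ioc(EVENTS, {"hash-Z (placeholder)"}))  # []
    print("IOB hits:", match_iob(EVENTS, IOB_PERSIST_THEN_CONNECT))   # [100]
```

The blocklist misses both trees because the hashes are unknown, while the chain flags tree 100 and leaves the browser alone; the time window keeps unrelated events days apart from being stitched into one chain.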

But How Can This Help Right Now?

IOBs add initial complexity to community-wide communication: sending an IOB isn’t as simple as sending a hash or IP address to block. However, the return on investment has the potential to be much greater.

Frameworks like MITRE ATT&CK are already putting this to the test. MITRE ATT&CK lists common adversary groups and the behaviors they exhibit during an operation, very similar to how an IOB is structured. This is information you can apply in your environment right now. Hunt for the threats known to target your industry and see how your new, expanded perimeter is affected.

IOCs and IOBs Together

None of this is to say throw out IOCs. IOCs and IOBs are meant to work together; no one solution is ever enough. In fact, they exist on the same continuum. We are instead looking at the TTP end of the spectrum and exploring the telemetry, syntax, protocols, data stores and discoveries that lie in a domain that has so far been underdeveloped. For the here and now, take this opportunity of remote work to test your defenses with IOBs and find the gaps that always come with a shift this big.

Contributors: