What is an Indicator of Attack (IOA) and why is it necessary to take an IOA-based detection and prevention approach when dealing with advanced adversaries?
Unlike Indicators of Compromise (IOCs) used by legacy endpoint detection solutions, IOAs focus on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack. Just like AV signatures, an IOC-based detection approach cannot detect the increasing threats from malware-free intrusions (see Malware-Free Intrusions blog) and zero-day exploits. As a result, next-generation security solutions are moving to an IOA-based approach pioneered by CrowdStrike.
Indicator of Attack – Physical World
One way to focus our discussion around Indicators of Attack (IOA’s) is to provide an example of how a criminal would plan and undertake to rob a bank in the physical world.
A smart thief would begin by “casing” the bank, performing reconnaissance and understanding any defensive vulnerabilities. Once he determines the best time and tactics to strike, he proceeds to enter the bank. The robber disables the security system, moves toward the vault, and attempts to crack the combination. If he succeeds, he pinches the loot, makes an uneventful getaway and completes the mission. IOA’s are a series of behaviors a bank robber must exhibit to succeed at achieving his objective. He has to drive around the bank (identifying the target), park, and enter the building before he can enter the vault. If he doesn’t disable the security system, it will alarm when he enters the vault and takes the money.
Of course, activities like driving around the bank, parking and entering the bank do not, on their own, indicate an attack is imminent. Moreover, opening a bank vault and withdrawing cash is not necessarily an IOA… if the individual is authorized to access the vault. Specific combinations of activity trigger IOA’s.
Indicator of Attack – Cyber World
Let’s examine an example from the cyber world. An IOA represents a series of actions that an adversary must conduct to succeed. If we break down the most common and still the most successful tactic of determined adversaries– the spear phish – we can illustrate this point.
A successful phishing email must persuade the target to click on a link or open a document that will infect the machine. Once compromised, the attacker will silently execute another process, hide in memory or on disk and maintain persistence across reboots of the system. The next step is to make contact with a command and control site, informing his handlers that he awaits further instructions.
IOAs are concerned with the execution of these steps, the intent of the adversary and the outcomes he is trying to achieve. IOA’s are not focused on the specific tools he uses to accomplish his objectives.
By monitoring these execution points, gathering the indicators and consuming them via a Stateful Execution Inspection Engine, we can determine how an actor successfully gains access to the network and we can infer intent. No advance knowledge of the tools or malware (aka: Indicators of Compromise) is required.
Comparing an IOA to an IOC
First we should provide a definition of an indicator of compromise (IOC). An IOC is often described in the forensics world as evidence on a computer that indicates that the security of the network has been breached. Investigators usually gather this data after being informed of a suspicious incident, on a scheduled basis, or after the discovery of unusual call-outs from the network. Ideally, this information is gathered to create “smarter” tools that can detect and quarantine suspicious files in the future.
In revisiting the bank robber analogy, imagine if we were only looking for IOC’s. In evidence from a previous robbery CCTV allowed us to identify that the bank robber drives a purple van, wears a Baltimore Ravens cap and uses a drill and liquid nitrogen to break into the vault. Though we try to track and observe these unique characteristics, his modus operandi (MO), what happens when the same individual instead drives a red car and wears a cowboy hat and uses a crowbar to access the vault? The result? The robber is successful again because we, the surveillance team, relied on indicators that reflected an outdated profile (IOCs).
Remember from above, an IOA reflects a series of actions an actor / robber must perform to be successful: enter the bank, disable the alarm systems, enter the vault, etc.
In the Cyber world, an IOC is an MD5 hash, a C2 domain or hardcoded IP address, a registry key, filename, etc. These IOCs are constantly changing making a proactive approach to securing the enterprise impossible. Because IOCs provide a reactive method of tracking the bad guys, when you find an IOC, there is a high probability that you have already been compromised.
IOA’s are the Real-time Recorder
A by-product of the IOA approach is the ability to collect and analyze exactly what is happening on the network in real-time. The very nature of observing the behaviors as they execute is equivalent to observing a video camera and accessing a flight data recorder within your environment.
Returning to the physical world, when a detective arrives on a crime scene and has a gun, a body, and some blood they usually ask to see if anyone has any video of what transpired. The blood, body, and gun are IOCs that need to be manually reconstructed and are point-in-time artifacts. Very simply put, IOAs provide content for the video logs.
In the Cyber realm, showing you how an adversary slipped into your environment, accessed files, dumped passwords, moved laterally and eventually exfiltrated your data is the power of an IOA.
Real-world Adversary Activity – Chinese Actor
CrowdStrike’s Intelligence Team documented the following example activity attributed to a Chinese actor. The following example does highlight how one particular adversary’s activity eluded even endpoint protections.
This adversary uses the following tradecraft:
- In memory malware – never writes to disk
- A known and acceptable IT tool – Windows PowerShell with command line code
- Cleans up logs after themselves leaving no trace
Let’s explore the challenges that other endpoint solutions have with this tradecraft:
Anti-Virus – since the malware is never written to disk, most AV solutions set for an on-demand scan will not be alerted. On-demand scanning is only triggered on a file write or access. In addition, most proactive organizations perform a full scan only once a week because of the performance impact on the end user. If defenders were performing this full scan, and if the AV vendor was able to scan memory with an updated signature, they may provide an alert of this activity.
AV 2.0 Solutions – these are solutions that use machine learning and other techniques to determine if a file is good or bad. PowerShell is a legitimate windows system administration tool that isn’t (and shouldn’t be) identified as malicious. Thus, these solutions will not alert clients to this behavior.
Whitelisting – Powershell.exe is a known IT tool and would be allowed to execute in most environments, evading whitelisting solutions that may be in place.
IOC Scanning Solutions – since this adversary never writes to disk and cleans up after completing their work, what would we search for? IOC’s are known artifacts and in this case, there are no longer artifacts to discover. Moreover, most forensic-driven solutions require periodic “sweeps” of the targeted systems, and if an adversary can conduct his business between sweeps, he will remain undetected.
In conclusion, at CrowdStrike, we know that our clients have adversary problems, not malware problems. By focusing on the tactics, techniques and procedures of targeted attackers, we can determine who the adversary is, what they are trying to access, and why. By the time you detect Indicators of Compromise, your organization has probably already been breached and may require an expensive incident response effort to remediate the damage.
By recording and gathering the indicators of attack and consuming them via a Stateful Execution Inspection Engine, you enable your team to view activity in real time and react in the present. Accessing your own network flight recorder avoids many of the time-consuming tasks associated with “putting the pieces together” after the fact. Providing first responders with the tools necessary to reconstruct the crime scene provides a cost-effective and proactive approach to confronting advanced persistent threats.
Interested in learning more? Check out CrowdStrike’s Next-Generation Endpoint Protection solution, CrowdStrike Falcon, in action on December 17th. Register now for a live demo and see an IOA-based detection and prevention approach at work.