Indicators of Compromise Cannot Keep Firms Safe. Here’s What Will

For cybersecurity professionals, 2021 was not a good year. Cyber attacks against corporate networks increased by 50% compared with 2020, and in Q4 2021 the average firm faced 925 attacks a week, according to research by Check Point. The fallout from security incidents like ransomware hurt companies strategically, operationally, financially, and reputationally. 

One thing that might dull the pain for future cyber attack victims is a faster way to identify attacks in progress. When you know what an attacker is likely to do next, it is, after all, easier to stop them before they do significant damage or at least mitigate their impact. However, with the average time to detect and contain a breach now sitting at 287 days—a whole week longer than in 2020—spotting attacks in progress is getting more rather than less difficult.

To help companies detect attacks more quickly, authorities like the FBI and NCSC regularly publish technical details and indicators of compromise (IOCs) for attacks by prevalent cybercriminal groups. IOCs are essential clues that help defenders attribute attacks and decide what to do next. Following the SolarWinds hack, more than 6 in 10 information security professionals said that knowing who the threat actors behind a data breach were gave them useful information about the tactics, techniques, and procedures (TTPs) and IOCs to watch out for. 

Yet, on their own, IOCs are not enough to keep organisations safe. By blending real-time and historical behavioural analysis with the MITRE ATT&CK framework, SenseOn goes beyond IOCs to build a defensive response to advanced security threats. This combined-arms approach to defence is crucial in a threat landscape where attacks arrive with little or no warning.

Follow the (Digital) Breadcrumbs 

Whenever malicious activity takes place in a company's IT environment, traces of it usually remain somewhere in system or log files. These traces become indicators of compromise (IOCs): red flags that serve as forensic evidence and signal to security teams that a breach has occurred or is underway. 

Examples of IOCs include, but are not limited to, IP addresses and domain names belonging to malware command and control servers and botnets, file hashes of known malware, unusual DNS requests, DDoS activity, and anomalies in privileged user accounts. When one organisation discovers new IOCs, it frequently shares them with others so that they can recognise the same malicious activity in their own environments. 

With the help of IOCs, IT teams can search their company's environment for suspicious activity and detect and respond to cyber threats more accurately and quickly. IOCs can also help determine the severity of an incident, which adversaries are behind it, and what data and files were stolen, as well as where to focus incident response and mitigation, how to strengthen security posture, and how to prevent future attacks. 

IT professionals can either pull IOCs from the web manually and feed them into a security information and event management (SIEM) platform, or configure the SIEM to ingest the latest IOCs automatically from external (free or paid) threat intelligence services, typically over a standard exchange protocol such as STIX/TAXII. In either case the indicators have to be normalised (lower-cased domains, consistent hash encoding, validated IP addresses) and matched against the right log fields before they can raise a useful alert. 
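The matching step described above, as an added example that is not SenseOn's code or any real feed format: a small IOC feed is normalised, indexed and run over a handful of log lines. The feed fields (type, value, confidence, last_seen), the key=value log layout and every address, domain and hash below are constructed for the example. The index also drops malformed and stale entries and sorts hits by the feed's confidence score, which is the kind of prioritisation a raw feed does not do for you.

```python
"""Match a threat intelligence IOC feed against log lines.

Added example, not SenseOn's code or a real feed format. The feed fields
(type, value, confidence, last_seen), the log format and all values are
constructed for illustration.
"""
import ipaddress
import re
from datetime import date, timedelta

# Constructed IOC feed. The same indicator can arrive in inconsistent forms
# (mixed case, trailing dot), so every value is normalised before indexing.
IOC_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90, "last_seen": "2022-03-01"},
    {"type": "domain", "value": "Update-Check.example.", "confidence": 70, "last_seen": "2022-02-27"},
    {"type": "sha256", "value": "0123456789ABCDEF" * 4, "confidence": 95, "last_seen": "2022-03-02"},
    # Stale entry: last seen months ago, so the attacker has almost certainly moved on.
    {"type": "ipv4", "value": "198.51.100.8", "confidence": 60, "last_seen": "2021-11-15"},
    # Malformed entry, the kind of noise a commercial feed routinely carries.
    {"type": "domain", "value": "not a domain", "confidence": 50, "last_seen": "2022-03-01"},
]

# Constructed log lines: timestamp, source, then key=value fields.
LOG_LINES = [
    "2022-03-02T10:15:00Z dns client=10.0.0.5 query=update-check.example type=A",
    "2022-03-02T10:15:01Z proxy src=10.0.0.5 dst=203.0.113.45 host=UPDATE-CHECK.example method=GET",
    "2022-03-02T10:15:07Z edr host=WS-0142 image=C:\\Users\\a\\AppData\\Local\\Temp\\inv.exe "
    "sha256=" + "0123456789abcdef" * 4,
    "2022-03-02T10:16:00Z proxy src=10.0.0.7 dst=198.51.100.8 host=www.example.com method=GET",
    "2022-03-02T10:17:00Z proxy src=10.0.0.9 dst=192.0.2.10 host=intranet.corp.example method=GET",
]

HEX64 = re.compile(r"^[0-9a-f]{64}$")
DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def classify(raw):
    """Normalise a token and return (ioc_type, value), or None if it is not IOC-shaped."""
    value = raw.strip().lower().rstrip(".")
    try:
        return ("ipv4", str(ipaddress.IPv4Address(value)))
    except ValueError:
        pass
    if HEX64.match(value):
        return ("sha256", value)
    if DOMAIN.match(value):
        return ("domain", value)
    return None


def build_index(feed, now, max_age_days=30):
    """Index usable indicators by (type, value), dropping malformed and stale entries."""
    cutoff = now - timedelta(days=max_age_days)
    index = {}
    for ioc in feed:
        key = classify(ioc["value"])
        if key is None or key[0] != ioc["type"]:
            continue  # malformed value, or the feed's type label disagrees with the value
        if date.fromisoformat(ioc["last_seen"]) < cutoff:
            continue  # stale indicator: matching it now mostly produces noise
        index[key] = {**ioc, "value": key[1]}
    return index


def match_lines(lines, index):
    """Scan the key=value fields of each line against the index; highest confidence first."""
    hits = []
    for line in lines:
        for token in line.split():
            field, sep, raw = token.partition("=")
            if not sep:
                continue
            key = classify(raw)
            if key in index:
                hits.append({"line": line, "field": field, **index[key]})
    hits.sort(key=lambda h: h["confidence"], reverse=True)
    return hits


def run_example(now=date(2022, 3, 3)):
    """Run the constructed feed over the constructed logs as of a fixed date."""
    return match_lines(LOG_LINES, build_index(IOC_FEED, now))


if __name__ == "__main__":
    for hit in run_example():
        print(f"[{hit['confidence']}] {hit['type']} {hit['value']} "
              f"in field '{hit['field']}': {hit['line']}")
```

Run as of 3 March 2022, the example raises four hits (the hash, the C2 address and two sightings of the domain) and none for 198.51.100.8, which the 30-day age check discards. The age window and the confidence field are assumptions about the feed; the point is that both have to be applied somewhere, because neither the raw feed nor the SIEM will do it unprompted.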

Where IOCs Let Security Teams Down

Although useful in theory, IOCs are not without their limitations. According to Kimberly K. Watson of the Johns Hopkins Applied Physics Laboratory, who in 2021 published a report titled “Deploying Indicators of Compromise (IOCs) for Network Defence,” many SOCs neglect IOC feeds because the feeds are typically too voluminous and noisy and require extensive technical and human resources to extract value from. 

As cybercrime surges, IOC databases are growing ever larger. Commercial feeds now deliver endless streams of data points, and sorting through them is an enormous challenge for security tools and team members alike. Compounding the problem, by the time a threat shows up in a threat intelligence feed it is often already out of date: once criminals notice that their infrastructure or tooling has been shared among defenders, they can pivot to new servers, domains and builds almost immediately. In a survey of threat intelligence feed users, over 56% felt that the intelligence they received went stale within a timeframe ranging from seconds to minutes. 

Because they rely on information shared by previous victims of a particular attack chain, IOCs can only protect against known threats. They cannot help organisations stop novel attacks, including zero-day exploits, that have never been spotted in the wild before. With the number of zero-days exploited in the wild more than doubling year on year, this is a growing weak point.

Moreover, not all IOCs are created equal. With millions of IOCs sometimes coming through threat intelligence feeds in a matter of minutes, prioritising them is vital—yet something that few organisations do. 

In his “Pyramid of Pain” concept, introduced in 2013, cybersecurity researcher David J. Bianco ranked the types of indicators infosec professionals can use to identify adversaries by how much pain denying them causes the attacker, and by how much effort they demand from defenders. 

Bianco observed that the higher an indicator sits in the pyramid, the harder it is for security teams to detect, but also the harder it is for criminals to change. Hash values of malicious files, at the bottom, are trivial to match but just as trivial for an attacker to replace: recompiling or repacking the malware produces a new hash without changing what it does. Tactics, Techniques, and Procedures (TTPs), at the top, are far harder to recognise, but changing them forces the attacker to retool and relearn their craft.

Security tools that detect and act on TTPs therefore impose more pain on adversaries and stop attacks earlier in the chain.
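The difference between the bottom and the top of the pyramid in working code, as an added example that is not SenseOn's or Bianco's: the same constructed process-creation events are run through a hash-level IOC check and through a TTP-level rule (an Office application spawning a script interpreter or an executable from a user-writable directory). The hashes, paths and the ATT&CK technique IDs attached to the rule are constructed or assumed for the example; event 2 is the known sample after the attacker repacked it, and event 5 is the same intrusion done with a built-in interpreter instead of a dropped file.

```python
"""Hash IOCs versus a TTP rule on process-creation events.

Added example, not SenseOn's or Bianco's code. Events, hashes and the ATT&CK
mapping of the rule are constructed/assumed for illustration.
"""
import re

# Constructed hashes. H_KNOWN is the sample a previous victim shared; H_REPACKED is
# the same malware after the attacker repacked it (new hash, identical behaviour).
H_KNOWN = "1f" * 32
H_REPACKED = "2e" * 32
H_SPOOLER = "3d" * 32     # legitimate Windows print helper
H_WINWORD = "4c" * 32
H_POWERSHELL = "5b" * 32  # legitimate signed binary, never on a malware hash list

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"

# Constructed process-creation events (EDR/Sysmon-style fields).
EVENTS = [
    {"id": 1, "parent": OFFICE + r"\WINWORD.EXE",
     "image": r"C:\Users\a\AppData\Local\Temp\invoice.exe", "sha256": H_KNOWN},
    {"id": 2, "parent": OFFICE + r"\EXCEL.EXE",
     "image": r"C:\Users\b\AppData\Local\Temp\q1_report.scr", "sha256": H_REPACKED},
    {"id": 3, "parent": OFFICE + r"\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "sha256": H_SPOOLER},
    {"id": 4, "parent": r"C:\Windows\explorer.exe",
     "image": OFFICE + r"\WINWORD.EXE", "sha256": H_WINWORD},
    {"id": 5, "parent": OFFICE + r"\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "sha256": H_POWERSHELL},
]

# The hash-level IOC shared after the first victim's incident.
BAD_HASHES = {H_KNOWN}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata\\local\\temp|users\\public|programdata)\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_by_hash(events, bad_hashes):
    """Bottom of the pyramid: fires only on byte-identical samples."""
    return [ev["id"] for ev in events if ev["sha256"].lower() in bad_hashes]


def office_child_rule(ev):
    """TTP-level rule: an Office app launching a script interpreter, or an executable
    from a user-writable location. Returns the assumed ATT&CK technique ID or None."""
    if basename(ev["parent"]) not in OFFICE_APPS:
        return None
    if basename(ev["image"]) in INTERPRETERS:
        return "T1059"      # Command and Scripting Interpreter
    if USER_WRITABLE.search(ev["image"]):
        return "T1204.002"  # User Execution: Malicious File
    return None


def detect_by_behaviour(events):
    """Top of the pyramid: fires on what the process does, whatever its hash."""
    hits = []
    for ev in events:
        technique = office_child_rule(ev)
        if technique is not None:
            hits.append((ev["id"], technique))
    return hits


if __name__ == "__main__":
    print("hash IOC hits:     ", detect_by_hash(EVENTS, BAD_HASHES))
    print("behaviour rule hits:", detect_by_behaviour(EVENTS))
```

The hash check fires on event 1 only; the behaviour rule fires on events 1, 2 and 5 and stays quiet on the print helper (event 3) and on Word being launched normally (event 4). To evade the second rule the attacker has to stop delivering payloads through Office documents altogether, which is the retooling cost the pyramid is about. The rule is deliberately narrow; in production it needs tuning against the Office add-ins and helper processes that are legitimate in a given estate.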

Final Thoughts

There is significant debate in the cybersecurity community over whether IOCs are a valid security resource. What is certain is that, used on their own or out of context, IOCs cannot provide the kind of data defenders need to reliably stop threats from compromising their networks. 

SenseOn sidesteps this problem. Our platform uses machine learning and behavioural analysis to build a picture of what normal network activity looks like and automatically flags activities and behaviours that deviate from it. 

Crucially, SenseOn maps any threats it finds to the MITRE ATT&CK framework and, when threats are false alarms, uses automation to deal with them on its own, saving organisations both time and resources.
