Contact Us
Blog

Indicators of Behavior: A Shift to Cyber Resilience

indicators of behavior puzzle

Cybersecurity teams assume that once there is a match between an Indicator of Compromise (IoC) and the generated logs, they will be able to successfully detect a potential threat. Wrong.

Businesses have arguably seen more advanced cyberattacks in the last 12 months than in the last 12 years, bringing new and urgent task for cybersecurity teams to advance their threat hunting capabilities. For information security teams across the globe, this metaphor has come to embody the threat hunting challenge they want to counter: “efficient use of IoCs for detecting incidents.”

What’s better than the use of IoCs, anyway? IoBs. Indicators of Behavior is the behavioral telemetry and analytics methodology that adds context to threats in real-time. One might wonder, considering the nature of IoBs focused on the behavior of attackers, how is there a chance for cybersecurity teams to leverage IoBs to counter supply-chain attacks. This article is all about IoBs and the extent to which they can be a great way to hunt down threats in real-time.

NOTE: We are not recommending making a choice between IoCs or IoBs for detection and response purposes. This article discusses major distinctions between IoCs and IoBs, and new approaches of how IoBs can act as a supplement for existing MDR solutions to transform from a reactive to preventive mode. While many restrict the use of IoBs to the detection of insider threats, this article opens the doors of possibilities in using IoBs for hunting advanced threats and attacks. Ultimately, this article reflects on notable ways of adopting advanced technologies such as AI to build cyber resilience.

Indicators of Behavior vs. Indicators of Compromise

While IoCs are pre-recorded, static artifacts that signal threats on a network through a mix and match approach, IoBs are the behavioral particulates of different components of the complete infrastructure that determine the context and intent of a threat.

IoCs are identified in the form of IP addresses, domain names of botnet command and control servers, and file hashes, or other properties of an environment that describe the risk factor involved.  MITRE’s Structured Threat Information eXpression project, STIX™, sponsored by the Department of Homeland Security, specifies common attack patterns and Indicators of Compromise that serve as a useful tool for many businesses to detect threats.

On the other hand, IoBs are dynamic digital impressions and identifiers that monitor the interaction of foreign bodies with host systems or networks. From a threat detection and awareness perspective, IoBs help add context to the detections. To understand it better, ask yourself the following questions: Which stage of the attack have we detected? Has the attacker already established foothold? IoBs help you with answers to these questions. They also help you understand the behavior of potential cyberattackers.

Differences between working models of IoCs and IoBs

IoCsIoBs
Anomalies in Privileged User Account ActivityUnusual Updates in Vendor Software
Large Numbers of Requests for the Same FileInteractions with Unchecked Code Repositories
Mismatched Port-Application TrafficIncrement of Users on Emulated or Virtualized Systems
Unusual Outbound Network TrafficInternal-External Host Communication Distracted
Indicators Of Compromise Working ModelIndicators Of Behavior Working Model

In a hypothetical situation, entry point of a malware can be frequently changed by attackers for de-obfuscated malicious executable. In such cases with iterated obfuscation, IoCs alone won’t be effective for threat intelligence. Moreover, the use of IoCs have been a pose of challenge for cybersecurity teams due to the high rate of false positives and outdated indicators.

Tools and skills required for using Indicators of Behavior in threat hunting process

IoBs emphasize on the left side of a cyber kill chain. So, how far companies are ready to stretch their knowledge base very much will illustrate their readiness to adopt the IoB approach for threat hunting. Sophisticated adversaries are trying to mutate almost every recon strategy of the past. So, the next attack might not be one from the holy book of IoCs.

Unlike rule-based models, Indicators of Behavior take on a new approach of studying dynamic heuristics that takes into account all the interaction or information effects of foreign bodies with host networks. Therefore, in practice, IoBs can be a part of the telemetry unit that forms a major part of the threat intelligence, and detection and response services. While it may require a greater level of effort to elevate the coverage of behaviors that can possibly be a pose of threat, a machine learning model with the right datasets may prove far effective.

Tools, techniques and software used for detecting threats can be introduced with a catalogue of behaviors that respond to K-nearest neighbor (KNN) classification algorithm for multidimensional attack vectors. Ultimately, IoBs would be assumptions, attitudes, perceptions, values, and knowledge from forensic investigations that indicate potential threats in a network.

SISA Dhi

The award-winning reverse engineered forensics threat hunting process automated using inhouse developed machine learning Algorithm, SISA Dhi can help you find the true positives with assisted human intelligence.

 

 

 

 

Benefits of using IoBs for threat hunting

In most cases, the inclusion of IoBs in threat hunting has proven to reduce the number of false positives dramatically. However, following are a few advantages of leveraging IoBs along with other threat intelligence channels such as CVEs, IoCs, or risk scores.

Move Left of BreachPrioritize Risk
  • Anticipate and predict malicious activity
  • Decrease instances of flagging IoCs
  • Early identification of risks
  • Analyze attackers on the surface in real-time
  • Provide context to threats
  • Accelerate time to detection
  • Focus on high-risk entities and not alert triage
  • Enables continuous risk assessment for proactive incident response
  • Automate response for risk-levels

 

 

 

 

 

 

Scope and applicability of Indicators of Behavior for threat hunting

Indicators of Behavior is not based on the interpretation of empirical data. Therefore, it is easy for analysts to derive practical scenarios of using IoBs for threat hunting.

Following are a few use cases of the same:

  • Insider Threats Identification
  • Compromised Device Detection
  • Data Leakage Prevention
  • Incident Prioritization
  • Endpoint Risk & Health
  • Entity Analytics – IoT

Using Indicators of Behavior as a starting point to identify threats is a hard job. Yet an ignition of the concept, with the pervasive threat intelligence tools, is crucial for fighting tomorrow’s advanced cyberattacks. Only a few businesses aware of their cybersecurity posture are making an attempt to adopt next-gen technologies for cybersecurity. Those businesses have, knowingly or unknowingly, leveraged IoBs as a key tool to build cyber resilience.

Recent Blogs

SISA logo in white

SISA is a global forensics-driven cybersecurity solutions company, trusted by leading organizations for securing their businesses with robust preventive, detective, and corrective cybersecurity solutions. Our problem-first, human-centric approach helps businesses strengthen their cybersecurity posture.

Industry recognition by CREST, CERT-In and PCI SSC serves as a testament to our skill, knowledge, and competence.

We apply the power of forensic intelligence and advanced technology to offer true security to 2,000+ customers in 40+ countries.

Company

Services

Resources

Quick Links

Connect with us

Copyright © 2024 SISA. All Rights Reserved.
SISA’s Latest
close slider

Webinar

Webinar: ANAB accredited certification, Jan 2024, cover image

ANAB Accredited Certification: A Catalyst for Professional Excellence in Payment Security

Webinar: ANAB accredited certification, Jan 2024, cover image

ANAB Accredited Certification: A Catalyst for Professional Excellence in Payment Security

Whitepaper

Bridging the cybersecurity skill gap in payments industry through accredited training - Banner

The Tipping Point: Bridging the Cybersecurity Skill Gap in the Payments Industry Through Accredited Training

Events

SISA Reimagines Cybersecurity with MXDR at RSA 2024

News Room

DSCI and SISA unveils cyber report on ‘MXDR – A New Paradigm for Cyber Defense’

Infosec Report

SISA-DSCI ProACT MXDR Report launch 2024

Blog

The Critical Role of Accredited Certification in Payment Security

Weekly Threat Watch

Raspberry Robin resurfaces with WSF file campaign

Case Study

SISA helps a global electronic payment provider strengthen risk management and compliance

Sign up for SISA's Daily
Threat Watch Advisory
Subscribe now!