Security Operations Centers (SOCs) are the cornerstone in the fight against cybercrime in any large organization. They are the main security barrier for both private and public companies. This is why they need the most advanced technologies possible.
But the fight against cybercriminals isn’t simply a question of technology. Having a strategic attitude, or at least a strategic standpoint against possible attacks is also key. This is where we see two essential concepts that help, to a greater or lesser extent, all SOCs: IoCs (Indicators of Compromise) and IoAs (Indicators of Attack). What is the difference? Are they exclusive or complementary? When are they used? Which are more decisive? Below, we analyze the two concepts.
IoCs (Indicators of Compromise)
IoCs are the indicators that identify an attack or a vulnerability found on a computer once the breach has already conclusively taken place. That is, they are used to diagnose a security problem that has just happened within the internal processes of an organization’s IT system. It is the evidence that a security breach has happened.
In this regard, IoCs are used to identify files or behaviors that have previously been classified as malicious: a phishing email, a malware file, a data breach, an IP address related to cybercrime, and so on. IoCs are therefore useful for companies to analyze the damage after an incident and to react, either by eliminating the danger, or at least mitigating its effects.
IoCs can also be useful for companies that need to accurately diagnose what has happened in order to know exactly where the problem lies after they have suffered an attack or a vulnerability.
IoAs (Indicators of Attack)
IoAs have a different philosophy to IoCs. Where IoCs react to something that has already happened, such as an exploited vulnerability, IoAs are proactive. In other words, they don’t intervene after the attack has happened, but rather while it is taking place, or even before it can become a real threat.
IoAs cover the gaps left by IoCs: they alert on any attempted attack, regardless of the method used to evade the company’s security system. That is, they allow attacks that don’t require malware, such as LotL (Living-off-the-Land) attacks, to be identified. These indicators are the result of the work carried out jointly by the most advanced cybersecurity solutions and threat hunting teams. These teams investigate and analyze the activities of IT system processes in detail, looking for anomalous behaviors, or behaviors that may represent dangers to the organization’s security. If such behaviors are detected, IoAs allow organizations to act before the vulnerability can be exploited and before the damage has become definitive.
The key is proactivity
The question is clear: Which is more effective for protecting an organization’s cybersecurity, IoCs or IoAs? Both techniques are necessary, and complement each other. However, one thing is clear: the proactive approach of IoAs will always go one step further when it comes to avoiding security incidents.
IoCs are used in investigations once the damage has begun, whereas IoAs are part of a prior investigation and draw from a position of cyber-resilience. The problem is that most cybersecurity solutions limit themselves to IoCs when analyzing, detecting, and mitigating cyberattacks. As a consequence, their actions against cybercrime will only be effective after the fact, once the damage is done. Furthermore, some cyberattacks, such as those that use fileless malware, cannot be detected simply with IoCs. As such, the profiling and definition process that IoAs implies becomes vital for protecting corporate cybersecurity.
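To make the distinction concrete, here is an added example (not Cytomic's or Orion's code) that runs an IoC matcher and an IoA matcher over three constructed process events: the known malware sample trips the IoC feed but no behavioural rule, while the fileless Office-to-PowerShell chain carries no known-bad hash or IP and is caught only by the IoA rules. The indicator lists, rule names and telemetry are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed IoC feed (placeholder hash and documentation-range IP, not real indicators).
IOC_SHA256 = {"0" * 64}
IOC_IPS = {"203.0.113.45"}

# Behaviour vocabulary for the IoA rules (hypothetical, kept short for the example).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe", "wscript.exe"}

@dataclass
class ProcessEvent:
    parent: str          # parent process image name
    image: str           # process image name
    cmdline: str         # full command line
    sha256: str          # hash of the executed file
    remote_ip: str = ""  # outbound connection destination, if any

def match_ioc(ev: ProcessEvent) -> list[str]:
    """IoC check: fires only on artefacts that are already known to be bad."""
    hits = []
    if ev.sha256 in IOC_SHA256:
        hits.append("known-bad file hash")
    if ev.remote_ip in IOC_IPS:
        hits.append("known-bad remote IP")
    return hits

def match_ioa(ev: ProcessEvent) -> list[str]:
    """IoA check: fires on attacker behaviour, whatever binary or hash carries it."""
    hits = []
    image, parent = ev.image.lower(), ev.parent.lower()
    if parent in OFFICE_APPS and image in LOLBINS:
        hits.append("office application spawned a living-off-the-land binary")
    if image in {"powershell.exe", "pwsh.exe"}:
        # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
        tokens = ev.cmdline.lower().split()
        if any(t.startswith("-e") and "-encodedcommand".startswith(t) for t in tokens):
            hits.append("encoded PowerShell command line")
    if ev.remote_ip and image in LOLBINS:
        hits.append("living-off-the-land binary made an outbound connection")
    return hits

# Constructed telemetry: a known malware sample, a fileless LotL chain, a benign service.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "invoice.exe", "invoice.exe", "0" * 64, "203.0.113.45"),
    ProcessEvent("winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA", "a" * 64, "198.51.100.7"),
    ProcessEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs", "b" * 64),
]
```

Running `match_ioc` and `match_ioa` over `SAMPLE_EVENTS` shows the second event producing zero IoC hits and three IoA hits, which is exactly the fileless gap the text describes.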
“The Cytomic Threat Hunting Services analyze and profile all behaviors in real time, investigating and certifying all the processes taking place on the IT system, searching for possible anomalies. These services, based on our solution Cytomic Orion, are highly proactive, and are an effective technology-service binomial when it comes to protecting large companies from advanced threats,” explains Pedro Viñuales, VP Global Presales at Cytomic. “This means that we are able to eliminate any room for manoeuvre, and the threat is eliminated before it can cause any damage. The IoAs used by ORION are thus enormously helpful for cybersecurity teams in large companies that need advanced cybersecurity strategies to avoid any kind of cyberincident,” says Viñuales.
The conclusion is clear: IoCs are useful and very necessary, but any company interested in proactively protecting its cybersecurity must focus on developing investigation strategies based on IoAs in order to eliminate the danger before it becomes a real incident.