Next-Gen Indicators of Compromise (NG-IOC)

Connect--But, be very careful

An Evolution for Cyber Threat Intelligence


Classic Indicators of Compromise (C-IOC) are heuristic, static “rules of thumb.” If a threat commonly uses a specific malicious file, for example malware.exe, then the presence of that file may indicate that specific threat. Unfortunately, threats, especially nation-state actors, typically obfuscate their true identities in cyberspace and alter their digital signature.

A common example is a threat adding extra code to change the original file’s hash value. In the case of the example, malware.exe, adding two to three additional lines of code (or just meaningless ## comment lines) changes the file size by several kilobytes. The result is that the file’s digital fingerprint, even though it is the exact same malicious code, no longer matches the defined IOC hash value. The hash has changed, but the malicious file has not.

[Figure: what the change looks like; note the ## added comment line.]
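As an added illustration of the point above (example code, not part of the original post), the following Python compares a classic exact-hash IOC with a hypothetical comment-stripped hash on a constructed sample script, showing that appending ## comment lines defeats the former but not the latter:

```python
import hashlib

# Constructed sample standing in for the post's "malware.exe", written as a
# script so that comment lines can be appended the way the post describes.
ORIGINAL = b"""import os
def payload():
    return os.environ.get("HOME")
"""

# The exact same code with meaningless '##' comment lines added.
MODIFIED = ORIGINAL + b"## added comment\n## another added comment\n"


def sha256(data: bytes) -> str:
    """Classic IOC value: the hash of the file exactly as it is on disk."""
    return hashlib.sha256(data).hexdigest()


def normalized_sha256(data: bytes) -> str:
    """Hypothetical resilient indicator (an assumption of this example, not
    from the post): hash the file with comment lines and blank lines removed,
    so padding the file with comments does not change the value."""
    kept = [
        line.rstrip()
        for line in data.splitlines()
        if line.strip() and not line.lstrip().startswith(b"#")
    ]
    return hashlib.sha256(b"\n".join(kept)).hexdigest()


def matches_ioc(sample: bytes, ioc_value: str, hasher=sha256) -> bool:
    """Return True when the sample's hash equals the published IOC value."""
    return hasher(sample) == ioc_value


def demo() -> dict:
    """Compare both indicator types against the padded sample."""
    exact_ioc = sha256(ORIGINAL)            # published C-IOC for the original
    normalized_ioc = normalized_sha256(ORIGINAL)
    return {
        "bytes_added": len(MODIFIED) - len(ORIGINAL),
        "exact_hash_still_matches": matches_ioc(MODIFIED, exact_ioc),
        "normalized_hash_still_matches": matches_ioc(
            MODIFIED, normalized_ioc, normalized_sha256),
    }


if __name__ == "__main__":
    print(demo())
```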

Other changes that make C-IOCs less effective include the threat “spoofing” its Internet Protocol (IP) addresses or using The Onion Router[1] (TOR) to hide its identity. TOR routes traffic through proxy servers across the globe to mask actual IP addresses and defeat attribution.

A further issue with C-IOC is that they are vulnerable (and useless) against zero-day exploits that threats hold in reserve for attacks on high-priority targets. C-IOC provides a starting point, but for years it has proven to be of no value in identifying actual threats and confirming their attribution.


C-IOC can be categorized by Means, Motives, and Opportunities (MMO). Law enforcement and the intelligence community have attempted, with the aid of the private sector, to categorize and defend against cyber-threats. The following are examples of how C-IOC may be used:

  • Identify Means (technical). This will include digital and technological signatures to isolate the culprit, organization, or nation.
    • Malicious software hash values
    • Embedded language (natural and programming)
    • Biometric (keystroke, behavioral, etc.)

  • Identify Motivations. What is driving the hacker to attack your network or IT environment?
    • Financial
    • Data
      • Access
      • Exfiltration
      • Destruction
      • Modification/Manipulation
    • Establishing a “foothold” for future operations
    • Denial of Service (DoS)
    • Elevate privileges to access targeted data
    • Attack reputation of the target

  • Identify Opportunities. The most typical opportunity is poor cyber-hygiene, including, for example, not patching system and network infrastructure.
    • Network vulnerabilities
    • Zero-day exploits
    • Physical vulnerabilities (“social engineering”)

What will better describe the next evolution of IOC? The Next Generation IOC (NG-IOC) will likely emerge from the growth within the various fields of data science; these include artificial intelligence, machine learning, Artificial Neural Networks, Big Data, etc. The greater collection and processing capabilities of Big Data, for example, will create a more capable and responsive ability to detect and respond to threats. Threats will not be able to completely obfuscate and avoid identification against such expanded measures.

NG-IOC will be able to “deconstruct” the threat’s means. The NG-IOC will analyze patterns more quickly and access law enforcement and other databases to better correlate and attribute the threat. It will further include advancements in identifying threat motivations, and it will correlate entities that have in the past conducted similar acts against similar targets. It will include the use of predictive analytics to anticipate which specific entities are likely to be the actual threat. NG-IOC will also be able to identify past weaknesses and poor cyber-hygiene practices on the part of a company or agency and notify them how to respond accordingly.

However, the real synergy will come from the holistic application of data science, using machine learning and Artificial Neural Networks (ANN), to analyze MMO collectively. Data science promises to glean specific actionable insights far faster than any team of CTI analysts. NG-IOC will ultimately provide a key strength: the ability to give the Threat Hunting team both real-time and predictive analysis of the threat.


Reference

[1] See https://en.wikipedia.org/wiki/Tor_(anonymity_network)

