Atomic, Computed, & Behavioral Indicators of Compromise (IoCs)
An indicator of compromise (IoC or IOC) is evidence of a past security incident: evidence that a system or network may have suffered unauthorized access by malware or a human attacker. IoCs are used by DFIR, IR, CTI, threat hunters, and other defenders to study attacks.
The Lockheed Martin paper Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains divided IoCs into 3 types: atomic, computed, and behavioral.
Atomic IoCs are named as such because they can’t be broken into smaller parts while retaining their meaning (similar to the context of atoms in chemistry).
Examples: IP addresses, email addresses, vulnerability identifiers, hostnames, process names, file names, text strings, domain names.
Computed IoCs are not observed directly but are derived by computation from data collected during incidents.
Examples: hash values, regular expressions.
Behavioral IoCs are descriptions of how atomic and computed IoCs were used in a compromise. They’re the tactics, techniques, and procedures (TTPs), the modus operandi, of the threat actor involved in a compromise. They’re more commonly referred to as TTPs than IoCs.
Examples:
- The threat actor sent a Word file with a malicious macro.
- The threat actor used a backdoor which generated network traffic matching [regular expression] at the rate of [frequency] to [IP address].
- The threat actor sent multiple social engineering emails to sales employees to gain a foothold in the network, then made unauthorized remote desktop connections to other computers on the network.
- The threat actor used IP addresses in [country A] to relay email through [country B] to target our HR staff with Trojaned Word docs about COVID policies, which drop backdoors that communicate with [IP address].
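The three indicator types can be checked against the same log in different ways. The following is an added example, not code from the original post: it runs constructed proxy log lines against an atomic IoC (a destination IP), a computed IoC (a file hash and a request regex), and the behavioral indicator from the second bullet above (regex-matching traffic at a fixed rate to an IP). All addresses, hashes and log lines are constructed sample values.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Atomic indicators: meaningful on their own (constructed values).
ATOMIC_IPS = {"203.0.113.7"}

# Computed indicators: derived from incident data (constructed values).
COMPUTED_SHA256 = {hashlib.sha256(b"MZ-sample-backdoor").hexdigest()}
COMPUTED_REGEX = re.compile(r"^GET /beacon\?id=[0-9a-f]{8} ")

# Behavioral indicator: traffic matching [regex] at [frequency] to [IP address].
BEACON_INTERVAL_SEC = 60   # expected beacon period
BEACON_MIN_HITS = 3        # beacons needed before we call it periodic

# Constructed proxy log: "timestamp src dst request"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.7 GET /beacon?id=deadbeef HTTP/1.1
2024-05-01T10:01:00 10.0.0.5 203.0.113.7 GET /beacon?id=deadbeef HTTP/1.1
2024-05-01T10:02:01 10.0.0.5 203.0.113.7 GET /beacon?id=deadbeef HTTP/1.1
2024-05-01T10:02:30 10.0.0.9 198.51.100.2 GET /index.html HTTP/1.1
"""

def parse(line):
    ts, src, dst, request = line.split(" ", 3)
    return datetime.fromisoformat(ts), src, dst, request

def atomic_hits(log):
    """Log lines whose destination is a listed IP: a plain atomic match."""
    return [l for l in log.splitlines() if parse(l)[2] in ATOMIC_IPS]

def computed_file_hit(data: bytes):
    """Hash the file contents and compare against the computed IoC set."""
    return hashlib.sha256(data).hexdigest() in COMPUTED_SHA256

def behavioral_hits(log, tolerance=5):
    """Sources whose regex-matching requests to a listed IP recur at the
    expected interval (within `tolerance` seconds) at least BEACON_MIN_HITS times."""
    by_src = defaultdict(list)
    for l in log.splitlines():
        ts, src, dst, request = parse(l)
        if dst in ATOMIC_IPS and COMPUTED_REGEX.search(request):
            by_src[src].append(ts)
    flagged = []
    for src, times in by_src.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - BEACON_INTERVAL_SEC) <= tolerance]
        if len(periodic) + 1 >= BEACON_MIN_HITS:
            flagged.append(src)
    return flagged
```

The atomic check fires on any single line, while the behavioral check only fires once the timing pattern is present, which is why it survives a change of IP or path far better than the atomic one.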
Pyramid of Pain
The types of IoCs differ in their value to defenders, which I explain in more detail in my post about the Pyramid of Pain.