Cyber resilience, IOCs, and IOAs

Studying the terrible events of the July 4, 2021 weekend and what happened to Kaseya in the ransomware attack is instructive. In particular, the reference in their blog post to how they needed to determine IOCs, or "Indicators of Compromise", caught my attention. It took me down a rabbit hole to 2013 and a post on FireEye's blog about "OpenIOC", an attempt to define a standard format for recording and sharing compromise indicators. The site no longer exists, but it's instructive to see what folks were thinking back then via the Wayback Machine. It's an entire network of schemas that were relevant back in 2013, and I imagine it still drives a lot of thinking today. I found a list of 15 kinds of indicators that is useful to note:

  • Anomalies in privileged user account activity
  • Red flags in login activity (failed logins, logins at odd hours, logins from odd places)
  • Unexpected DNS requests
  • Web traffic that doesn't look human, or "inhuman behavior"
  • Unusual outbound network traffic
  • Geographic abnormalities in traffic
  • Increased database read volume
  • Unusual HTML response sizes
  • Odd mobile device profiles
  • Evidence of DDoS activity
  • Data bundles turning up in the wrong places
  • Unusual port and application activity
  • Unusual number of requests for the same file
  • Unusual registry or system file changes
  • Abrupt, unscheduled patching of systems

There's also a notion of an IOA (Indicator of Attack) as distinct from an IOC (Indicator of Compromise). IOCs are about detection after the fact: a file hash, an IP address or a signature that tells you a known bad thing has already been here, and which the adversary can change cheaply. IOAs are about understanding intent: the behavior an adversary has to exhibit to succeed, whichever tools they happen to use, which is why they can fire before the compromise is complete. IOAs follow a common execution path:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command & Control
  7. Lateral Movement

The difference makes a little more sense in table form:

  Reactive: Indicator of Compromise     Proactive: Indicator of Attack
  ---------------------------------     ------------------------------
  Malware                               Code Execution
  Signatures                            Persistence
  Exploits                              Stealth
  Vulnerabilities                       Command & Control
  IP Addresses                          Lateral Movement
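To make the contrast between the list of indicators above and the IOC/IOA table concrete, here is an added example (mine, not code from the post, Kaseya, FireEye or the OpenIOC project) that runs both styles of check over a handful of constructed endpoint events. The indicator values, the event records and the field names are all invented for illustration; the IOC side looks for atoms (hash, IP, domain) that are already known bad, while the IOA side looks for the behavior chain from the table (code execution, then persistence, then command and control) keyed to a single process, without needing any previously seen atom.

```python
"""Atomic IOC matching versus behavioural IOA detection over endpoint telemetry.

Added example; not from the post or any vendor.  Indicator values, events and
rule thresholds are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "known bad" atoms, in the spirit of an OpenIOC indicator set.
# 203.0.113.0/24 and the .example TLD are reserved and never routable.
IOCS = {
    "sha256": {"e3b0" * 16},              # made-up 64-hex-char hash
    "dst_ip": {"203.0.113.45"},
    "domain": {"update-check.example"},
}

# Constructed endpoint events for one host.  Fields loosely mirror Sysmon-style
# process-create, registry-set and network-connect telemetry.  Note that the
# chain in pid 511 uses a hash, IP and domain that are NOT in IOCS.
EVENTS = [
    {"ts": "2021-07-02T09:00:05", "host": "ws01", "type": "process", "pid": 410,
     "ppid": 300, "image": "winword.exe", "parent": "explorer.exe", "sha256": "aa" * 32},
    {"ts": "2021-07-02T09:00:09", "host": "ws01", "type": "network", "pid": 410,
     "dst_ip": "203.0.113.45", "domain": "update-check.example", "port": 443},
    {"ts": "2021-07-02T09:00:12", "host": "ws01", "type": "process", "pid": 511,
     "ppid": 410, "image": "powershell.exe", "parent": "winword.exe", "sha256": "bb" * 32},
    {"ts": "2021-07-02T09:00:20", "host": "ws01", "type": "registry", "pid": 511,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", "op": "set"},
    {"ts": "2021-07-02T09:00:31", "host": "ws01", "type": "network", "pid": 511,
     "dst_ip": "198.51.100.7", "domain": "cdn-metrics.example", "port": 8443},
]


def match_iocs(events, iocs=IOCS):
    """Reactive check: does any event carry an atom we already know is bad?

    Returns (timestamp, event type, field, value) for every hit.  Rotating the
    infrastructure or recompiling the payload empties this list.
    """
    hits = []
    for ev in events:
        for field, bad_values in iocs.items():
            if ev.get(field) in bad_values:
                hits.append((ev["ts"], ev["type"], field, ev[field]))
    return hits


# Behavioural building blocks (assumed, illustrative process names).
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_ENGINES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RUN_KEY = r"\currentversion\run"   # also matches RunOnce, which is fine here
WINDOW = timedelta(minutes=10)     # assumed: stages must land within 10 minutes


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def detect_ioa_chain(events, window=WINDOW):
    """Proactive check: code execution -> persistence -> C2 by the same process.

    Stage 1: an Office application spawning a scripting engine.
    Stage 2: that child setting a Run key (persistence).
    Stage 3: that child making an outbound connection after persisting (C2).
    Nothing here depends on a hash, IP or domain seen before.
    """
    by_proc = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_proc[(ev["host"], ev["pid"])].append(ev)

    findings = []
    for (host, pid), evs in by_proc.items():
        start = next((e for e in evs if e["type"] == "process"
                      and e["parent"].lower() in OFFICE
                      and e["image"].lower() in SCRIPT_ENGINES), None)
        if start is None:
            continue
        deadline = _ts(start) + window
        persist = next((e for e in evs if e["type"] == "registry" and e["op"] == "set"
                        and RUN_KEY in e["key"].lower() and _ts(e) <= deadline), None)
        if persist is None:
            continue
        c2 = next((e for e in evs if e["type"] == "network"
                   and _ts(persist) < _ts(e) <= deadline), None)
        if c2 is None:
            continue
        findings.append({"host": host, "pid": pid, "image": start["image"],
                         "parent": start["parent"], "persistence": persist["key"],
                         "c2": f'{c2["domain"]}:{c2["port"]}'})
    return findings


if __name__ == "__main__":
    print("IOC hits:", match_iocs(EVENTS))
    print("IOC hits after the adversary rotates infrastructure:",
          match_iocs(EVENTS, {"dst_ip": {"192.0.2.1"}}))
    print("IOA chains:", detect_ioa_chain(EVENTS))
```

Run as-is, the IOC pass flags only the one beacon whose IP and domain were already on the list, and flags nothing once those atoms are swapped for fresh ones; the IOA pass still returns the winword.exe -> powershell.exe -> Run key -> outbound chain for pid 511 because it matches the behavior, not the artifacts. In a real deployment the chain logic would run over a telemetry stream rather than a list, and the window and process sets would be tuned to the environment.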