Innovating Earlier Detection Capabilities Leveraging Indicators of Behavior


By Sam Curry, Chief Security Officer

Today, we have the opportunity to focus on innovation in advancing the development of more effective early detection capabilities. To do so, we need to look beyond tools that only leverage retrospective Indicators of Compromise (IOCs), as this artifact-based approach obviously failed to detect the SolarWinds attacks and more.

Attackers are more often appling unique TTPs tailored to individual targets, so we can no longer expect the IOC artifacts from one attack detected within one organization’s environment to be an effective means to detect and prevent novel attacks in another organization’s environment.

Instead, we need to look to behavior-based approaches that can detect the rare and advantageous chains of behavior that lay the foundation for the most complex attacks. We need to shift away from our reliance on known artifacts and move towards leveraging ndicators of Behavior (IOBs), the more subtle chains of activity that can surface an advanced attack long before it can escalate to a major security event.

Alerts are useful for identifying an element of an attack at a specific point in time, but they are far less effective in actually surfacing the entirety of an attack operation without a good deal of manual investigation and assessment.

For example, an alert may indicate the presence of a malware implant on a particular machine, where the machine can be isolated and the malware infection remediate—but successfully mitigating malware on one or more devices is equivalent to detecting and disrupting the entire attack operation, identifying root cause, hardening the infection vector, interrupting command and control (C2), eliminating persistence mechanisms, and so on. An alert-centric approach is akin to stopping the nosebleed while overlooking the brain tumor.

An operation-centric approach, on the other hand, seeks to quickly correlate all aspects of the attack sequence across disparate assets where event telemetry from each is largely subjective until it can be evaluated in the context of all available telemetry to arrive at an objective assessment that provides deeper visibility into an attacker’s actions and activities.

Thus, an operation-centric approach can deliver detection and response automation at scale by leveragingIOBs to surface the entire malicious operation at its earliest stages, allowing for a predictive response capability and more comprehensive remediation that our current reliance on retrospective Indicators of Compromise can never deliver.

The Cybereason Data Science, Threat Research and Engineering teams are pioneering the study and application of Indicators of Behavior for faster, more comprehensive and more readily actionable detections that inform and drive predictive response capabilities and reduce risk for organizations by identifying and disrupting attacks earlier in the the kill chain.

Cybereason is dedicated to teaming with Defenders to end ransomware attacks on the endpoint, across the enterprise to everywhere the battle is taking place. Talk to a Cybereason Defender today to learn more about how your organization can benefit from an operation-centric approach to security.

Sustaining Partners