A core cyber security procedure typically includes the execution of detection rules based on Indicators of Compromise (IOCs). The most recent trend, however, is centered on the behavior-based detection approach. Let’s see how the two approaches differ and whether it makes sense to prioritize one over the other.
David Bianco created the “Pyramid of Pain,” a diagram that depicts the relationship between various indicators of attack and how much pain the adversary will suffer if these indicators are denied.
The lower tiers of the pyramid are hash values, IP addresses and domain names, the classic IOCs. An attacker can replace these trivially (recompile the tool, move to a new address, register a new domain), so detecting them causes little pain.
According to another researcher, Sam Curry, attackers may even deliberately flood security systems with insignificant IOCs so that victims miss the actual vector of attack.
Having said that, David Bianco and Sam Curry agree that Tactics, Techniques, and Procedures (TTPs), at the top of the pyramid, are the part of an attack that adversaries least want to lose: denying a TTP forces them to change how they operate, not just which hash or address they use.
So, if a security operations centre (SOC) can identify both IOCs and Indicators of Behavior (IOBs), the likelihood of an intrusion going undetected is reduced.
Hunting: Proactive vs. Reactive
There are numerous approaches that can be used to perform successful threat hunting. The two most common types of hunting are reactive and proactive hunting.
Intel-based hunting is a more reactive model, with data from intelligence-sharing platforms serving as the foundation for further investigation.
The detection rules are built from the Pyramid of Pain’s lower tiers: IOCs such as domain names, hashes and IP addresses, together with network or host artefacts.
As a result, these rules can only hunt for indicators that have already been observed, analysed and published by threat intelligence sources. In other words, a similar attack happened somewhere in the past, and hunters are now looking for the same triggers in their own environment.
The proactive approach, on the other hand, starts from a hypothesis. In this case, the input data consists of Indicators of Attack (IOAs), Indicators of Behavior (IOBs), and TTPs.
A hypothesis based on user and/or entity behaviour lets the hunter check whether an attack is happening right now, and is meant to operate as close to real time as possible.
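To make the Pyramid of Pain argument and the reactive/proactive split above concrete, here is an added example (not code from this post and not SOC Prime’s rule format) that runs an IOC-only rule and a behaviour-based rule over three constructed process-creation events. The event schema, the placeholder hashes and IPs, the Office-spawns-script-host hypothesis and the rule logic are all assumptions made for the illustration. Event 2 is the same technique as event 1 after the attacker rebuilt the payload and moved infrastructure: the IOC rule is blind to it, the behaviour rule is not.

```python
import re

# Constructed sample events (not real telemetry). Each is a process-creation
# record of the kind an EDR or Sysmon Event ID 1 would supply; values are made up.
EVENTS = [
    # 1: the original intrusion, later written up by threat intelligence
    {"id": 1, "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A...",
     "dst_ip": "203.0.113.10", "sha256": "a" * 64},
    # 2: the same TTP after the attacker recompiled the payload (new hash),
    #    moved to new infrastructure (new IP) and switched to pwsh.exe
    {"id": 2, "parent": "WINWORD.EXE", "image": "pwsh.exe",
     "cmdline": "pwsh.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAE4A...",
     "dst_ip": "198.51.100.7", "sha256": "b" * 64},
    # 3: benign admin activity, so the behaviour rule has something to ignore
    {"id": 3, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1",
     "dst_ip": "10.0.0.5", "sha256": "c" * 64},
]

# Bottom of the pyramid: hash values and IP addresses, as an intel feed would
# deliver them once incident 1 had been analysed. Placeholder values.
IOC_HASHES = {"a" * 64}
IOC_IPS = {"203.0.113.10"}


def ioc_rule(event):
    """Reactive rule: fires only on indicators that were already seen and shared."""
    return event["sha256"] in IOC_HASHES or event["dst_ip"] in IOC_IPS


# Top of the pyramid: the technique itself. An Office application launching a
# script host with an encoded command is the behaviour, whatever the hash or IP.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
# so the rule matches the whole prefix family rather than one spelling.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?(?=\s)", re.IGNORECASE)


def behaviour_rule(event):
    """Proactive rule built from a hypothesis about the TTP, not from prior IOCs."""
    office_spawns_host = (event["parent"].lower() in OFFICE_APPS
                          and event["image"].lower() in SCRIPT_HOSTS)
    return office_spawns_host and ENCODED_FLAG.search(event["cmdline"]) is not None


def run(events, rule):
    """Return the ids of the events the rule fires on, in input order."""
    return [e["id"] for e in events if rule(e)]


if __name__ == "__main__":
    print("IOC rule fires on:      ", run(EVENTS, ioc_rule))        # [1]
    print("behaviour rule fires on:", run(EVENTS, behaviour_rule))  # [1, 2]
```

The point of the comparison is the cost to the attacker: evading `ioc_rule` took a rebuild and a new server, both cheap, while evading `behaviour_rule` would mean giving up Office-to-script-host execution with an encoded command altogether. In production the behaviour rule would also need an allow-list for legitimate macros or management tooling that spawn PowerShell, which is the usual price of hunting higher up the pyramid.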
Organizations attempting to implement this strategy are frequently looking for cybersecurity vendors who can assist them in proactively identifying the most recent threats.
For example, SOC Prime’s Detection as Code platform offers a plethora of cutting-edge behavior-based detections that are ideal for a proactive approach to cybersecurity.