Behavior-based vs IOC-based Threat Detection Approaches: How to Prioritize?

Acore cybersecurity procedure usually includes running detection rules based on the Indicators of Compromise (IOCs). However, the latest trend is focused on the behavior-based detection approach. Let’s find out how both approaches differ and whether it makes any sense to prioritize one over another.

David Bianco created “Pyramid of Pain” – the diagram that shows the relationship between various indicators of attack and how much pain it will cause the adversary if these indicators are denied. The lower part of the pyramid consists of hash values, IP addresses, and domain names also known as IOCs which cause attackers less pain if detected.

In fact, another researcher Sam Curry says that they might deliberately bomb security systems with non-important IOCs so that the victims will miss the actual vector of attack. With that said, David Bianco and Sam Curry support the opinion that Tactics, Techniques, and Procedures (TTPs) are more advanced parts of the attack vector, which adversaries don’t want to lose.

So if a security operations center (SOC) is able to identify both IOCs and Indicators of Behavior (IOBs), the probability of intrusion will be minimized.

Proactive vs Reactive Hunting

Quite a few approaches can be executed to perform successful threat hunting. The most common two branches are reactive and proactive hunting.

Intel-based hunting is more of a reactive model, in which the data from intelligence-sharing platforms form the basis for further investigation. The detection rules are formed with the input from the lower part of the Pyramid of Pain, meaning IOCs, such as domain names, hashes, IP addresses, and networks or host artifacts.

Hence, these rules can hunt after such indicators were detected by someone and processed through threat intel sources. In other words, a similar attack happened in the past and now hunters are chasing the likewise triggers.

Instead, the proactive approach is based on hypotheses. The input data, in this case, include Indicators of Attack (IoA), Indicators of Behavior (IOBs), and TTPs. A hypothesis based on the behavior of users and/or entities allows checking if the attack is happening right now and is designed to be as close to real-time as possible.

Organizations striving to implement this strategy are often searching for cybersecurity vendors that can help them proactively identify the latest threats. For instance, SOC Prime’s Detection as Code platform provides a wealth of the most up-to-date behavior-based detections that can perfectly fit a proactive approach to cybersecurity.

Indicators of Compromise 

Digging deeper, IOCs comprises much more than just hashes and IP addresses. These forensic pieces of data help security analysts monitor systems for typical signs of potentially malicious activity. Some further examples are:

  • HTML response size
  • Unusual DNS requests
  • Unplanned system patching
  • Sudden system file changes
  • Increased database read volume
  • DDoS signs (excessive requests)
  • Mismatched port-application traffic
  • Uncommon outbound network traffic
  • Strange data bundles where they aren’t supposed to be.

Indicators of compromise act as red flags that help to detect early signs of attacks. Yet, it’s not enough to have a static list of the common IOCs and regularly run detection rules on its basis.

Cyber-attacks continuously grow in sophistication so it’s necessary to keep track of the emerging indicators and make sure that the proper detection rules are in place. Using tools like CTI.Uncoder.IO will help SOC engineers to generate IOC queries fast and easily, achieving maximum performance on the fly.

A new IOC could look as simple as a regular metadata element or as complex as an injected code that is hard to find among petabytes of the constantly flowing log data. Quite often, cybersecurity professionals need to look for certain correlations between various indicators of compromise, apply advanced analysis, and trace events before and after an attack to formulate an effective detection strategy.

On the other hand, behavior-based detections are possible to write with the help of SIGMA, a vendor-agnostic and generic language format, which makes it easy to develop and convert to multiple SIEM, EDR, and XDR solutions. Focusing on TTPs and behaviors, SOC engineers can write content for any data source or cybersecurity platform (SIEM, EDR, etc.), which can be instantly implemented and shared, similarly to the good old IOCs. 

Behavior-Based Detections

While IOCs are good for retrospective analysis, these indicators have a very short lifespan and SOC analysts want to rely on something more than just the evidence of previous attacks which expire soon after its detection. 

Even with just the right amount of retrospective hunting, organizations are still exposed to damage from more advanced cyber-attacks. That’s why SOC teams also apply behavior-based detections to be able to spot not-so-obvious intrusion patterns.

Additionally, hunting activities based on User and Entity Behavior Analytics (UEBA) are enhancing the security posture to get ahead of potential risks.

The proactive hunting model employs IOBs — cyber-behaviors of individuals and entities that are able to indicate whether something wrong is going on within the organization’s IT infrastructure. 

Basically, behavior is any action taken: 

  • Files — downloading, uploading, creating, deleting, saving, changing
  • Accounts — creating new accounts, altering passwords, logging in and out
  • Email — sending or forwarding emails, automating emails, sending attachments
  • Websites — accessing pages, sending requests, sending attachments, messaging, using tools
  • System administration — running queries, accessing stored data, executing code, exporting the results

All the behavior-based detections should not only be written and collected but also analyzed in a specific context to determine intent. Often it is reasonable to track the common behaviors over long periods of time and see if any suspicious changes occur.

Apart from monitoring systems in real-time, IOBs also help to extrapolate into the future and predict the outcomes of security process changes, such as what will happen if the company disables external storage devices like USB.

However, when writing behavior-based detections, security analysts need to be very careful in order to avoid high false-positive rates, since behavioral rules tend to be susceptible to more noise.

While behavioral rules need to be fine-tuned by experienced professionals and often require a different approach to analytics, they potentially bring a lot of value. The reason for that is simple —  such rules can detect even the unknown attacks, which aren’t displayed in intelligence sources and for which specific IOC-based rules simply don’t exist yet. 

Should You Choose Between the Two?

Overall, threat hunting is a complex process that requires using a number of specific tools, systems, and approaches to enable efficient operation and timely response. Successful threat hunters should always be one step ahead of attackers by having a fully visible network, employing intelligence, creating new detection rules, and exercising situational awareness.

When it comes to the choice between IOCs and behavior-based detections, it’s necessary to remember the benefits of both of these approaches. Instead of choosing just one, SOC analysts will benefit more from multi-level protection which includes both.

While IOCs will cover the basic security needs, behavior-based detections will operate on a higher level, breaking down TTPs into use cases, and use cases into actionable detection content. Eventually, tracking down forensic data is as important as preventing resemblant attack patterns that can be executed via different artifacts.

Related Posts