What are Indicators of Compromise (IOCs)?

Indicators of compromise (IOCs) are pieces of contextual information discovered in forensic analysis that can alert analysts to past or ongoing attacks, network breaches, or malware infections. These unique clues – or artifacts – are often seen as maliciously used IP addresses, URLs, domains, or hashes. It certainly helps to be alerted to an IOC so that you know something may have gone wrong, but very often IOCs lack the context that would empower a security operations center (SOC) to prioritize and act quickly to contain a breach.

Although use of the acronym IOC is widespread in the cybersecurity community, the phrase "indicator of compromise" often refers to any type of threat intelligence that may point to something out of the ordinary. In addition to those mentioned above, scenarios typically identified by an IOC include changes in network traffic, ransomware attacks, or identity and access management (IAM) anomalies.

When a system signals itself with activity outside its normal baseline, contextual information can help teams define the type of potential attack and improve security operations: tuning anti-malware programs and appliances, altering SIEM configuration, and conducting more thorough and efficient investigations.

In fact, according to Forrester, many cybersecurity vendors are now feeding IOC security intelligence into many enterprise functions. This helps surface IOCs natively within security tools rather than relying on separate IOC feeds.

What is the Process for Identifying IOCs?

The process for identifying IOCs is one of poring through analytics and threat intelligence to identify anomalous behaviors that could be nefarious – or could be nothing at all. Again, analysts and investigators need to rely heavily on context to make significant progress.

That said, not all processes for identifying early indicators of an impending compromise are the same, or even similar. They'll be business and use-case specific. Let's take a look at some of the more common IOC identification methods:

  • Operating-system-specific malware persistence mechanisms and process injection methods: This tactic detects anomalies in behavior and communication by examining currently running processes, scheduled tasks, and common hiding places.
  • Attacker lateral movement: This tactic uncovers an attacker's path in real time by leveraging threat intelligence and user behavior analytics.
  • Common attack tools: This tactic validates a suspected compromise by looking for evidence of attacker activity, including modified registry keys or executable files left behind.
  • Indicators derived from investigations: This tactic evaluates an exhaustive list of indicators of compromise, such as privileged-user account anomalies, geographic irregularities, or suspicious registry changes.
  • Environment-specific considerations: This tactic identifies artifacts anywhere in the kill chain by taking the time to understand the relationships between the environment and its users, hosts, and processes.

Examples of IOCs

Since IOCs are essentially clues that can – after some digital forensics work – point to something nefarious, they can come in many shapes and sizes. Let's take a look at some examples of IOCs that can and should set off alarm bells:

  • Known bad IP addresses: This is a rather common IOC and can be ephemeral, as bad actors may frequently change IP addresses.
  • Malicious hash values: These help identify viruses and breach attempts. If a security team's threat intelligence is reliable, it can proactively blacklist malicious hashes.
  • Tactics, techniques, and procedures (TTPs): TTPs include malware, cryptojacking (using your assets to mine cryptocurrency), and exfiltration of confidential data.
  • Anomalous DNS requests: Domain name server (DNS) logs will usually reflect anomalous request traffic that, if it occurs regularly, could be a strong IOC.
  • Network artifacts: From user accounts to logs to misconfigurations, there are many examples of artifacts that a threat hunter might treat as an IOC and therefore examine closely.
  • Successful login after multiple failed attempts: Just because a user – or perhaps a machine – was able to log in to the network successfully does not mean they have the right to be there. A login that succeeds after several failed attempts is a clear sign.
  • Network slowdown: A network slowdown may be entirely due to something benign. However, it could also indicate heavier-than-normal activity, i.e. attacker behavior.
  • Exfiltration to an unknown, off-network location: Reviewing process logs as well as job output and configuration may reveal evidence of data leakage and exfiltration.
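To make three of these examples concrete, here is an added Python illustration (not code from the original article) that runs simple IOC checks over a constructed log: contact with a known-bad IP address, execution of a file whose hash is on a malicious-hash list, and a successful login that follows repeated failures by the same user. The IOC feed entries, the log format and the field names are all constructed for this demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IOC "feed" for the demo; these are not real indicators.
BAD_IPS = {"203.0.113.45"}                          # TEST-NET-3 documentation range
BAD_HASHES = {"d41d8cd98f00b204e9800998ecf8427e"}   # MD5 of an empty file, a stand-in

# Constructed sample log: "<timestamp> <event> key=value ...", one event per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01 login user=alice src=10.0.0.5 result=fail
2024-05-01T10:00:04 login user=alice src=10.0.0.5 result=fail
2024-05-01T10:00:07 login user=alice src=10.0.0.5 result=fail
2024-05-01T10:00:09 login user=alice src=10.0.0.5 result=success
2024-05-01T10:02:00 conn user=bob src=10.0.0.9 dst=203.0.113.45 dport=443
2024-05-01T10:03:00 exec user=bob host=ws12 md5=d41d8cd98f00b204e9800998ecf8427e
2024-05-01T10:04:00 login user=carol src=10.0.0.7 result=fail
2024-05-01T10:05:00 login user=carol src=10.0.0.7 result=success
"""

def parse_line(line):
    """Turn one log line into (timestamp, event, fields)."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), event, fields

def detect(log_text, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (timestamp, rule, detail) alerts: known-bad IP contact,
    malicious hash execution, or a login success preceded by at least
    fail_threshold failures from the same user inside the window."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    for line in log_text.strip().splitlines():
        ts, event, f = parse_line(line)
        if event == "conn" and f.get("dst") in BAD_IPS:
            alerts.append((ts, "known_bad_ip", f["dst"]))
        elif event == "exec" and f.get("md5") in BAD_HASHES:
            alerts.append((ts, "malicious_hash", f["md5"]))
        elif event == "login":
            user = f.get("user", "?")
            recent = failures[user]
            while recent and ts - recent[0] > window:  # expire old failures
                recent.popleft()
            if f.get("result") == "fail":
                recent.append(ts)
            elif f.get("result") == "success":
                if len(recent) >= fail_threshold:
                    alerts.append((ts, "success_after_failures", user))
                recent.clear()
    return alerts
```

On the constructed log, `detect(SAMPLE_LOG)` raises three alerts (alice's login, bob's connection, bob's execution) and nothing for carol, whose single failure stays under the threshold.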

Indicators of Compromise vs. Indicators of Attack

There are several overlapping concepts between IOCs and indicators of attack (IOAs). However, it helps to zoom in on the key differences to understand why an analyst would classify an issue as an IOC or as an IOA.

IOCs are Typically Artifacts

We've spoken about artifacts previously, but it may help to add some context. Artifacts are usually historical in nature. They are digital footprints of a malicious event that has already occurred, and they are discovered by performing threat hunting based on specific intelligence. Security analysts and threat hunters can also draw on external artifact libraries to become familiar with what to look for in their own networks.

Once artifacts are discovered and a potential breach or ongoing threat is identified, teams can put an incident response plan into action. The faster security practitioners can learn that a compromise has actually taken place, the faster they can determine what happened, respond, and – hopefully – gain a better understanding of the kinds of artifacts to look for in the future.

IOAs are Typically Signs of Impending Attack

IOAs help keep attacks out of your organization's history. They are signs that an attack could be imminent. With IOAs, teams are able to take more of an offensive stance, acting on extended detection and response (XDR) threat telemetry that reaches beyond the network perimeter as the attack surface keeps expanding.

Interpreted correctly, IOAs will not only help teams respond to future or in-progress breaches, they can also help predict what an attacker might do and where they might go next. This is very helpful for prioritizing response and remediation efforts based on the systems being targeted and the data being accessed and/or exfiltrated.

What are the Benefits of IOCs?

The benefits of IOCs are many. Chief among them is that they can help organizations remediate vulnerabilities and potentially provide context about the kinds of attacker behavior to look for in the future. Let's look at a few others:

  • Stopping later-stage attacks: Sure, IOCs are typically artifacts of an attack that has already occurred. However, an artifact may also point to one completed stage of a larger attack that is still under way – a stage that can still be stopped.
  • Standardizing prioritization: An IOC on its own can be useful, but it also helps to obtain all the context you can. This helps not only to gain a clearer picture of attacker behavior, but also to prioritize which actions to take first and how best to stop the attack or prepare for the next one. Many solutions have built-in capabilities to enrich IOCs with context so that teams can focus on the most critical vulnerabilities.
  • Preventing fatigue: A reliable risk-mitigation solution should be able to incorporate IOCs into automated response plans so that security teams are not overwhelmed by data analysis and do not overlook a dire threat.
  • Creating custom alerts: Knowing an organization's IOCs can help teams create specific, customized security alerts in a platform or technology so they know when an artifact of concern has been found.

Why are IOCs Important for an Effective Managed Detection and Response Program?

IOCs are critical to effective managed detection and response (MDR) because it is essential for an MDR provider to be able to identify IOCs across its entire customer ecosystem.

This helps the provider to spot trends in attacker behavior, build out new detections as IOCs are found, customize incident response plans, and disseminate this information to its customer base so that those individual security organizations can apply IOC data to their own prevention techniques.

It is also important for an MDR program to consider the efficiency gains and cost savings that come from leveraging IOCs to inform breach response. Customer satisfaction is also a growth driver, especially after a program recommended by the MDR provider is implemented successfully, or after the provider automatically tests IOCs and applies them to customer logs to create alerts when those indicators appear in the network.

All of these aspects combine to help MDR providers retain customers, improve their own operations, and strengthen the larger security community by sharing findings.
