What are indicators? What is Indicator lifecycle in cybersecurity? 

Understanding threats and how attackers operate is critical to staying two steps ahead of them. Every adversary works with a limited set of resources, tools and techniques.

It is improbable that they have an infinite set of resources at their disposal.

Also, nobody acts randomly.

This is where indicators play a critical role in cybersecurity. With the help of indicators, experts can group information about threats. They can easily profile and track threats. 

Let’s explore what indicators are in cybersecurity and how the indicator lifecycle can be used as an effective way to proactively detect threats, secure against them, and build a defense for precious data!

What are indicators in cybersecurity?

Indicators are pieces of information that describe or point towards something that has happened or is going to happen. 

Indicators don’t always have to be malicious.  

They are like the evidence a criminal leaves behind after committing a crime: the detective gathers it from the crime scene, and it indicates or traces back to the incident.

In cybersecurity, indicators are critical evidence of any form of intrusion. They provide context to the investigations.  

For example, someone downloading software over an organizational network does not tell much on its own. However, if the file is downloaded after working hours, and it is unauthorized software, that context gives experts an idea of whether the activity is malicious.

Indicators are primarily used by security analysts and threat-hunting experts for detecting and hunting threats through a set of threat-hunting queries and detection rules.  

What are key indicators in cybersecurity?

An indicator is a key indicator if it:

  • Is consistent across all the intrusions
  • Can be used to distinguish attack campaigns and malicious activities
  • Aligns with a particular cyber attack kill chain

What are the different kinds of indicators in cybersecurity?

Indicators are categorized into four kinds: Atomic, Computed, TTPs, and IoCs & IoAs.

Atomic Indicators

These are the smallest pieces of information that provide context on an intrusion: any single piece of data that directly tells security experts about an attack.

Examples: 

  • IP addresses found in DNS logs and malicious payloads 
  • Domain names associated with any known malware C2 (Command and Control) servers 
  • File hash of a malicious executable  

Computed Indicators

Computed indicators are derived when raw data sets and atomic indicators are analyzed.   

Examples: 

TTPs (Tactics, Techniques and Procedures)

Indicators based on an attacker’s actions and behaviors are TTPs. They can be both atomic indicators and computed indicators. They tell an expert whether an attacker has used a specific tactic, technique, or procedure.   

Example: 

An attacker uses an IP address from one location (say, location A) to send an email from another location (say, location B), targeting a customer relations department with a malicious MS Word file. The attacker plants a malicious backdoor that relays information back to a malicious IP address.

A combination of atomic indicators (IP addresses) and computed indicators (MS Word docs, malicious attachments, location of IP addresses) is used.
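The distinction between atomic and computed indicators, as an added example that is not part of the original article: atomic indicators (a hash, a C2 domain) are matched by direct lookup, while the computed indicator from the after-hours download example above needs context (working hours, an approved-software list). All indicator values, log lines, hours and the approved list are constructed for the example.

```python
from datetime import datetime

# Atomic indicators: constructed sample values, not real IoCs.
KNOWN_BAD_HASHES = {"deadbeef0001"}
KNOWN_C2_DOMAINS = {"update-check.example.net"}

# Context a computed indicator needs: assumed working hours and approved software.
WORK_START, WORK_END = 9, 18                      # 09:00 to 18:00
APPROVED_SOFTWARE = {"officesuite.msi", "vpnclient.exe"}

# Constructed proxy log lines: timestamp|user|destination|filename|hash (shortened)
SAMPLE_LOG = """\
2024-03-04T10:15:00|alice|cdn.vendor.example|officesuite.msi|aaaa0001
2024-03-04T22:40:00|bob|files.example.org|remoteadmin.exe|bbbb0002
2024-03-04T23:05:00|bob|update-check.example.net|loader.bin|deadbeef0001
2024-03-04T14:20:00|carol|files.example.org|remoteadmin.exe|bbbb0002"""

def parse(line):
    ts, user, domain, fname, digest = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "domain": domain, "file": fname, "hash": digest}

def atomic_matches(ev):
    """Atomic: the raw value itself is the indicator, so a direct lookup suffices."""
    hits = []
    if ev["hash"] in KNOWN_BAD_HASHES:
        hits.append("known-bad-hash")
    if ev["domain"] in KNOWN_C2_DOMAINS:
        hits.append("known-c2-domain")
    return hits

def computed_matches(ev):
    """Computed: derived from the event plus context (time of day, approval list)."""
    after_hours = not (WORK_START <= ev["ts"].hour < WORK_END)
    unauthorized = ev["file"] not in APPROVED_SOFTWARE
    # A download on its own says little; after hours AND unauthorized is the signal.
    return ["after-hours-unauthorized-download"] if after_hours and unauthorized else []

def triage(log_text):
    """Map each user to the indicator names their events matched (users with none omitted)."""
    findings = {}
    for line in log_text.splitlines():
        ev = parse(line)
        hits = atomic_matches(ev) + computed_matches(ev)
        if hits:
            findings.setdefault(ev["user"], []).extend(hits)
    return findings
```

Carol's daytime download of the same unauthorized tool produces no finding, which is the point: the computed indicator fires only when both pieces of context line up.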

Indicators of Compromise and Indicators of Attack (IoCs and IoAs)

These are the indicators used to identify any suspicious and malicious activity. They comprise both atomic and computed indicators.  

Indicators of Compromise (IoC) are signs/clues/evidence that help a security expert determine whether an endpoint or network is compromised.  

Example: 

  • Unexpected installation of software on an endpoint
  • Excessive requests to a single server, resource, or file
  • Unusual network traffic patterns that match data exfiltration techniques

Indicators of Attack (IoA) are the series of indicators an attacker uses to orchestrate an effective attack. IoAs are used in real time to track an incident during incident response.

Example: 

  • Tactics used to maintain access and persistence in a compromised system (e.g., an APT attack)
  • A person working in sales running administrative tools, like PowerShell, which is outside their domain of work
  • A user engages in initial access, privilege escalation, and lateral movement – all of these actions point toward a successful ransomware attack

What is indicator lifecycle in cybersecurity?

An indicator lifecycle is a structured approach for proactively detecting threats and behaviors. It is different from traditional incident response where experts work after an event has taken place.  

Both threat hunting and indicator lifecycle are for preemptively detecting threats and preventing incidents from occurring.  

The primary purpose of the indicator lifecycle is to help cybersecurity teams work better with indicators through a systematic approach.

The indicator lifecycle revolves primarily around three stages: Reveal, Mature, and Utilize.

Reveal – Discovering/identifying an indicator

Mature – Readying the indicator

Utilize – Using the indicator

Let us explore what these stages are and how they work. 

What are the stages of indicator lifecycle in cybersecurity?

Identification to Maturity

  • This is the first stage of the indicator lifecycle.
  • Indicators are gathered from sources like threat intel reports, datasets, feeds, and security solutions.
  • Indicators are verified to be legitimate and relevant to a specific threat model or threat intelligence requirement.

Maturity to Utilization

  • Indicators are readied for use by security solutions

They can be readied

Utilization to Discovery

  • An indicator is used once it is ready
  • Utilization of an indicator leads to the discovery of other indicators, restarting the cycle
  • One data point can help discover many other indicators
  • It assists experts in finding the missing pieces of a threat puzzle
  • It gives a bird's-eye view of an attack
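The three stages and the feedback from utilization back to discovery, as an added example that is not part of the original article. A C2 domain seeded from an assumed threat report is matured (here: rejected if it points at an internal address), then utilized against constructed DNS and firewall log lines; each hit reveals a new indicator (the resolved IP, then the internal hosts that contacted it), which re-enters the cycle. The log lines, addresses and the 10.0.0.0/8 corporate range are all constructed.

```python
import ipaddress

# Constructed DNS and firewall log lines (sample data, not real indicators).
DNS_LOG = [
    "2024-03-05T01:12:03 host=ws-17 query=update-check.example.net answer=203.0.113.45",
    "2024-03-05T01:12:09 host=ws-17 query=intranet.corp.example answer=10.0.0.5",
]
FW_LOG = [
    "2024-03-05T01:12:05 src=10.0.1.17 dst=203.0.113.45 dport=443 action=allow",
    "2024-03-05T01:13:10 src=10.0.1.42 dst=203.0.113.45 dport=443 action=allow",
    "2024-03-05T08:31:00 src=10.0.1.22 dst=198.51.100.7 dport=443 action=allow",
]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate ranges

def kv(line):
    """Parse the 'k=v' tokens that follow the timestamp into a dict."""
    return dict(tok.split("=", 1) for tok in line.split()[1:])

def reveal(domain):
    """Stage 1: an indicator enters the cycle (here a domain from an assumed report)."""
    return {"type": "domain", "value": domain, "state": "revealed"}

def mature(ind):
    """Stage 2: check relevance; an internal IP reported as a C2 address is noise."""
    internal = ind["type"] == "ip" and any(
        ipaddress.ip_address(ind["value"]) in net for net in INTERNAL_NETS)
    ind["state"] = "rejected" if internal else "matured"
    return ind

def utilize(ind):
    """Stage 3: apply a matured indicator; return the new indicators it reveals."""
    if ind["state"] != "matured":
        return []
    ind["state"] = "utilized"
    found = []
    if ind["type"] == "domain":            # C2 domain -> IP it resolved to
        found = [{"type": "ip", "value": r["answer"], "state": "revealed"}
                 for r in map(kv, DNS_LOG) if r["query"] == ind["value"]]
    elif ind["type"] == "ip":              # C2 IP -> internal hosts that talked to it
        found = [{"type": "host", "value": r["src"], "state": "revealed"}
                 for r in map(kv, FW_LOG) if r["dst"] == ind["value"]]
    return found

def run_cycle(seed_domain):
    """Reveal -> mature -> utilize, feeding each discovery back into the cycle."""
    queue, known = [reveal(seed_domain)], []
    while queue:
        ind = mature(queue.pop(0))
        known.append(ind)
        queue.extend(utilize(ind))
    return known
```

Starting from the single seed domain, the cycle ends with four indicators (domain, IP, two internal hosts), which is the one-data-point-to-many effect the list above describes.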

To summarize

We have seen that indicators are pieces of information that tell you whether something has happened or will happen. We have explored how the indicator lifecycle plays a critical role in the proactive detection and prevention of threats.

Security experts rely on it for the structured approach it gives them to working with indicators, which is one of the main reasons it has become one of the most reliable cybersecurity approaches used by experts globally.
