Professional Documents
Culture Documents
An IoA is a unique
construction of unknown
Sophisticated attacks take time to unfold and involve much attributes, IoCs, and
What happens when you see something suspicious Earliest Possible Attack Detection
outside your home? You gauge its risk and decide what Because this situational picture can be created as early
to do. If it’s a fire, you might call the fire department— as the initial phase of an attack—reconnaissance—
but not if it’s coming from the neighbor’s grill. If it’s defenders gain an active role in blocking the attack’s
someone looking through your neighbor’s front window, success. With visibility and contextualization throughout
and your neighbor is on vacation, you might take a the attack chain, defenders have many more
picture and call the police—but not if you recognize opportunities to fight off an attack before it succeeds.
their house sitter. This is another contrast with IoCs, which primarily
Suspicious or Benign? It Depends. support after-the-fact forensic investigation, not the
in-the-moment incident intervention made possible by
The key to this decision sequence is your definition
an IoA.
of “something suspicious.” Your neighborhood, line of
business, and experience provide a baseline of “what A Bias for Action
is normal” as well as context to directly affect this The detailed nature of the situational picture increases
definition. Context is often defined as “who, what, when, the sensitivity and precision of attack containment and
and where.” It’s the analyst’s job to derive “why and how.” mitigation. It brings relevant information directly to the
In sizing up the context, we make a decision, one that people and processes that need it, when they need it.
can protect our neighborhood or our business.
■■ Enhanced, dynamic threat and risk scoring can
In attack scenarios, the time factor is one of the most pinpoint and elevate events for immediate evaluation
pivotal. It involves not just catching a snapshot of a point by security analysts.
in time (12:36.12 a.m.), but capturing that event within an
■■ Actionable details permit targeted processes to
attack timeline by noting repetition (20 times) or related
automatically and selectively block, disrupt, monitor,
events (from different IP addresses) across a span of
or record activities.
time (within 24 hours).
■■ Fine-grained event attributes can be used to find other
IoA versus IoC instances of an event.
These contextual attributes of a situation add up ■■ Event details can allow heuristics to predict attack
to “indicators of attack (IoAs).” Unlike “indicators of behaviors, educate defenses, and suggest policy and
compromise (IoCs),” which are individual known bad, control changes to prevent future repetitions.
static events (IoC test: Is there a regulation against loss
■■ Context helps investigators reconstruct a complete
of that structured data? Is file blacklisting a relevant
forensic chain of events and look back in time to
control?), IoAs only become bad based on what they
unearth other and similar attack evidence.
mean to you and the situation.
These proactive organizational behaviors demonstrate Next, the individual data points must be aggregated to
maturity in incident response, a maturity increasingly construct an indicator of attack. Simple, intermittent
sought by enterprise leaders worried about data data archival as implemented by first-generation
breaches and cyberattack costs. security and information event management (SIEM) is
not enough. Basic event data must be enriched with
An Intelligence-Sharing Architecture
contextual data (such as time, prevalence, location) and
To implement systems that support IoAs, each the human factor of experience, risk values, and instinct.
organization needs to adjust its mindset and controls to This contextualization can happen in different ways, in
be more proactive and timely about sharing and acting different segments of the infrastructure, but it needs to
on contextual data. This process turns raw data into happen at a speed that supports immediate action.
actionable intelligence and then to intelligent action.
Contextualization
Planning and Many products are designed for single functions, not
Direction
to be part of a centrally managed, intelligence-sharing
system. This advance requires a trusted way to exchange
Dissemination Collection data in real time, such as the messaging bus used by
McAfee in the Data Exchange Layer (DXL). By defining
clear ways to share precise types of information,
the Data Exchange Layer enables and encourages
Analysis and Processing appropriate sharing.
Production Exploitation
Centralization
Figure 1. Collection and sharing of context and other forms of Centralized services help with both collection and
intelligence enable adaptive threat management.
contextualization. For example, endpoint sensor events
can be baselined, aggregated, and contextualized using
Collection
local threat intelligence and organizational preferences
The first hurdle is usually collection. Many sensors and
and risk scores, a model available with the McAfee®
products can collect raw data, but most “use it and lose
Threat Intelligence Exchange. This process can reveal
it.” The architecture needs to ensure the important
first contact and prevalence.
(relevant) data is collected and shared, not just observed
and discarded. This shared data supports immediate In addition, an advanced security intelligence platform
containment of the attack and can also factor into can build on real-time SIEM technologies to normalize
improvements in policies and defenses, essentially and correlate endpoint discoveries with network event
helping the infrastructure learn as it protects. data and other information—user data, application
2821 Mission College Boulevard McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other
Santa Clara, CA 95054 marks and brands may be claimed as the property of others. Copyright © 2017 McAfee, LLC. 61418brf_indicators-attack_1014
888 847 8766 OCTOBER 2014
www.mcafee.com