Introduction to IOA concepts
This section details the concepts that you must know to understand the processes involved in the detection of IOAs, and in the execution of remedial actions (automatic and manual).
Event
An action executed by a process on a user computer and monitored by Advanced EDR. Events are sent to the Cytomic cloud in real time as part of the telemetry. Advanced automated analysis technologies, analysts, and threat hunters examine them in context to determine whether they could be part of the Cyber Kill Chain (CKC) of a cyberattack.
Indicator
A sequence of unusual actions, found in the events generated on a customer computer, that could be part of an early-stage cyberattack.
Indicator of attack (IOA)
An indicator that is highly likely to be part of a cyberattack. These are generally attacks in their early stages or in the exploitation phase. They do not normally use malware: adversaries usually abuse the operating system's own tools (so-called living off the land) to carry out the attack and thereby hide the traces of their activity. We recommend that you contain or remediate attacks as soon as possible.
To help manage IOA detections, Advanced EDR gives each one a status, which you can edit manually:
-
Pending: The detection is pending investigation and/or resolution. You must verify whether the attack is real and take the necessary measures to mitigate it. All new detections are generated with the status ‘Pending’.
-
Archived: The detection was investigated and either the remedial actions were taken or none were needed because it was a false positive. You closed the detection.
-
Deleted: You or an automatic deletion rule deleted the detection. See Automatically deleting detections generated by an IOA and Deleting one or more IOA detections.
Advanced EDR shows relevant information about each detection, such as the MITRE ATT&CK tactic and technique used, the events recorded on the computer that generated the detection, and, if available, these reports:
-
Advanced attack investigation: Includes information about the computer involved, a detailed description of the tactics and techniques used, recommendations to mitigate the attack, and the sequence of events that triggered the detection. See Fields on the IOA Details page.
-
Attack graph: Includes an interactive diagram that shows the sequence of events that triggered the detection. See Graphs.
-
Investigation: Opens the investigation console with all the telemetry collected from the computer around the time the detection occurred. To make searches easier, the management console shows the latest event that generated the IOA detection. You can review events generated up to five days before the detection, on the day of the detection, and one day after it.
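The following is an added example, not Advanced EDR or Cytomic code, that walks the chain described above in working form: raw endpoint events, an indicator found among them (one native tool failing logons for many different users, the password-spraying pattern this page cites), the IOA detection raised from it with the Pending status every new detection starts in, and the five-days-before to one-day-after telemetry window the investigation console uses. The event schema (host, pid, process, action, outcome, user, ts), the sample events, and the hard-coded ATT&CK mapping are all constructed for the example.

```python
"""Added example (not Advanced EDR or Cytomic code): from raw endpoint
events to an indicator, and from the indicator to an IOA detection record
with the Pending/Archived/Deleted status and the investigation window
described above. Field names and all sample events are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

BASE = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)


def _ev(offset, pid, process, action, outcome=None, user=None):
    """Build one constructed event; the schema is an assumption for this example."""
    return {"host": "WS-017", "ts": BASE + offset, "pid": pid, "process": process,
            "action": action, "outcome": outcome, "user": user}


# Constructed telemetry: a native tool (powershell.exe) fails a logon for six
# different users within two minutes, plus unrelated noise before that.
SAMPLE_EVENTS = [
    _ev(timedelta(days=-6), 512, "svchost.exe", "network_connect"),             # before the window
    _ev(timedelta(hours=-1), 777, "explorer.exe", "logon", "failure", "alice"),  # a lone mistyped password
    _ev(timedelta(minutes=-1), 4321, "powershell.exe", "process_start"),
] + [
    _ev(timedelta(seconds=20 * i), 4321, "powershell.exe", "logon", "failure", u)
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
]


def find_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Indicator: one process on one host fails logons for many distinct users
    inside a short window. Returns one indicator per offending process."""
    failures = defaultdict(list)
    for e in events:
        if e["action"] == "logon" and e["outcome"] == "failure":
            failures[(e["host"], e["pid"])].append(e)
    indicators = []
    for (host, pid), evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):              # sliding time window
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            if len({e["user"] for e in span}) >= min_users:
                indicators.append({"host": host, "pid": pid, "events": span})
                break                               # one indicator per process
    return indicators


STATUSES = ("Pending", "Archived", "Deleted")


@dataclass
class IoaDetection:
    host: str
    tactic: str
    technique: str
    events: list
    status: str = "Pending"       # every new detection starts as Pending

    @property
    def last_event_time(self):
        return max(e["ts"] for e in self.events)

    def investigation_window(self):
        """Five days before the detection through one day after it."""
        t = self.last_event_time
        return t - timedelta(days=5), t + timedelta(days=1)

    def set_status(self, new_status):
        if new_status not in STATUSES:
            raise ValueError(f"unknown status {new_status!r}")
        self.status = new_status


def raise_ioa(indicator):
    """Promote an indicator to an IOA detection. The ATT&CK mapping is hard-coded
    here; a real product derives it from the detection rule that fired."""
    return IoaDetection(host=indicator["host"], tactic="Credential Access",
                        technique="Brute Force: Password Spraying (T1110.003)",
                        events=indicator["events"])


def events_in_window(events, detection):
    """Telemetry the investigation console would show for this detection."""
    lo, hi = detection.investigation_window()
    return [e for e in events if lo <= e["ts"] <= hi]


if __name__ == "__main__":
    for ind in find_password_spray(SAMPLE_EVENTS):
        det = raise_ioa(ind)
        lo, hi = det.investigation_window()
        print(f"{det.status}: {det.technique} on {det.host}, pid {ind['pid']}, "
              f"{len(ind['events'])} events; investigate {lo:%Y-%m-%d} to {hi:%Y-%m-%d}; "
              f"{len(events_in_window(SAMPLE_EVENTS, det))} of {len(SAMPLE_EVENTS)} events in window")
```

The lone failed logon from explorer.exe never becomes an indicator, and the svchost.exe event from six days earlier falls outside the investigation window, which is the point of the window: the console narrows the telemetry to what surrounds the detection rather than showing everything ever collected from the host.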
CKC (Cyber Kill Chain)
In 2011, Lockheed Martin published a framework or model for defending computer networks. This framework stated that cyberattacks occur in phases and that each phase can be interrupted through certain controls. Since then, the Cyber Kill Chain (CKC) has been adopted by IT security organizations to define the phases of cyberattacks. These phases range from remote reconnaissance of the target assets to data exfiltration.
MITRE Corporation
The MITRE Corporation is a not-for-profit company that operates federally-funded Research and Development centers to address security issues. It offers practical solutions in the fields of defense and intelligence, aviation, civil systems, national security, judiciary, health, and cybersecurity. The MITRE Corporation is the creator of the MITRE ATT&CK framework.
ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)
ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a set of resources developed by the MITRE Corporation to describe and categorize cybercriminal activities based on observations from around the world. ATT&CK is a structured list of known attack behaviors categorized into tactics and techniques and shown as a matrix. The MITRE ATT&CK matrix is a useful resource to develop defensive, preventive, and remedial strategies for organizations. For more information about the ATT&CK matrix, go to https://attack.mitre.org/.
Technique (How)
In ATT&CK terminology, techniques represent the method (or the strategy) that an adversary uses to achieve a tactical objective. In other words, the ‘how’. For example, to access credentials (tactic), an adversary dumps operating system credentials (technique).
Sub-Technique (How)
In ATT&CK terminology, sub-techniques describe the ‘how’ of a specific technique in more detail. They refer to the particular processes or mechanisms adversaries use to achieve the objective of a tactic. For example, password spraying is a sub-technique of the Brute Force technique, which in turn serves the Credential Access tactic.
Tactic (Why)
In ATT&CK terminology, tactics represent the ultimate motive or goal of a technique. A tactic is the adversary's tactical objective: the reason for taking an action. A single technique can serve more than one tactic.
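The following is an added example, neither MITRE's nor Cytomic's code, that resolves the tactic (why) / technique (how) / sub-technique (how, more specifically) hierarchy encoded in an ATT&CK identifier, which is what the tactic and technique fields on an IOA detection carry. The lookup tables are a small hand-built subset of ATT&CK Enterprise, not the full matrix; the IDs and names listed are the real ones for the entries included. It goes slightly beyond the text by handling techniques that serve several tactics at once.

```python
"""Added example (neither MITRE's nor Cytomic's code): resolving the
tactic (why) / technique (how) / sub-technique hierarchy that an ATT&CK
identifier encodes. The tables below are a constructed subset of ATT&CK
Enterprise, not the full matrix."""
import re

TACTICS = {
    "TA0001": "Initial Access",
    "TA0002": "Execution",
    "TA0003": "Persistence",
    "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion",
    "TA0006": "Credential Access",
}

# technique ID -> (name, tactic IDs it serves). A technique can serve several tactics.
TECHNIQUES = {
    "T1003": ("OS Credential Dumping", ["TA0006"]),
    "T1059": ("Command and Scripting Interpreter", ["TA0002"]),
    "T1078": ("Valid Accounts", ["TA0005", "TA0003", "TA0004", "TA0001"]),
    "T1110": ("Brute Force", ["TA0006"]),
}

# sub-technique ID -> name; a sub-technique inherits its parent's tactics.
SUB_TECHNIQUES = {
    "T1003.001": "LSASS Memory",
    "T1059.001": "PowerShell",
    "T1110.003": "Password Spraying",
}

# Txxxx for a technique, Txxxx.yyy for a sub-technique.
ATTACK_ID = re.compile(r"^(T\d{4})(?:\.(\d{3}))?$")


def parse_attack_id(attack_id):
    """Split 'T1110.003' into ('T1110', 'T1110.003'); 'T1110' gives ('T1110', None)."""
    m = ATTACK_ID.match(attack_id.strip().upper())
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {attack_id!r}")
    parent, suffix = m.groups()
    return parent, (f"{parent}.{suffix}" if suffix else None)


def resolve(attack_id):
    """Return the why/how/how-specifically structure for an ID, or raise KeyError
    when the ID is well-formed but absent from the (subset) tables."""
    parent, sub = parse_attack_id(attack_id)
    if parent not in TECHNIQUES:
        raise KeyError(f"unknown technique {parent}")
    if sub is not None and sub not in SUB_TECHNIQUES:
        raise KeyError(f"unknown sub-technique {sub}")
    name, tactic_ids = TECHNIQUES[parent]
    return {
        "id": sub or parent,
        "tactics": [(t, TACTICS[t]) for t in tactic_ids],   # why
        "technique": (parent, name),                         # how
        "sub_technique": (sub, SUB_TECHNIQUES[sub]) if sub else None,
    }


def describe(attack_id):
    """One-line summary in the order the glossary uses: how -> why."""
    r = resolve(attack_id)
    how = r["technique"][1]
    if r["sub_technique"]:
        how += f": {r['sub_technique'][1]}"
    why = " / ".join(name for _, name in r["tactics"])
    return f"{how} ({r['id']}) -> {why}"


if __name__ == "__main__":
    for ident in ("T1110.003", "T1003.001", "T1059.001", "T1078"):
        print(describe(ident))
```

Valid Accounts (T1078) is the instructive case: the same ‘how’ is listed under four tactics because the adversary's ‘why’ differs (getting in, staying in, escalating, or evading), which is why a detection's tactic is worth reading alongside its technique rather than inferring one from the other.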