Introduction to IOA concepts
This section details the concepts you must know to understand the processes involved in the detection of IOAs and in the execution of remedial actions (automatic and manual).
Event
An action executed by a process on a user computer and monitored by Advanced EDR. Events are sent to the Cytomic cloud in real time as part of the telemetry. Advanced automatic analysis technologies, analysts, and threat hunters analyze them in context to determine whether they could be part of the CKC of a cyberattack.
Indicator
A sequence of unusual actions found in the events generated on a customer computer and which could be part of an early-stage cyberattack.
Indicator of attack (IOA)
An indicator that is highly likely to be a cyberattack. These are generally attacks in early stages or in the exploit phase. These attacks do not normally use malware: adversaries usually exploit the operating system's own tools to execute the attack and thereby hide the traces of their activity. We recommend that you contain or remedy attacks as soon as possible.
To help manage IOAs, Advanced EDR gives each one a status you can manually edit:
- Pending: The IOA is pending investigation and/or resolution. You must verify whether the attack is real and take the necessary measures to mitigate it. All new IOAs are created with the status ‘Pending’.
- Archived: You investigated the IOA, and the remedial actions were taken or were unnecessary because it was a false positive. You closed the IOA for any of these reasons.
Advanced EDR shows relevant IOA information, such as the MITRE tactic and technique used, the events recorded on the computer that generated the IOA, and, if available, these reports:
- Advanced attack investigation: Shows information about the computer involved, a detailed description of the tactics and techniques used, recommendations to mitigate the attack, and the sequence of events that triggered the generation of the IOA. See Fields on the IOA Details page.
- Attack graph: Shows an interactive diagram of the sequence of events that led to the generation of the IOA. See Graphs.
- Investigation: Opens the investigation console to show all the telemetry collected on the computer at the time the IOA was detected. To make searching for information easier, the investigation console focuses on the last event that triggered the IOA. You can review the events that occurred on the date of detection, as well as five days before and one day after that date.
Advanced indicator of attack
Advanced indicators of attack provide in-depth monitoring of the applications on your computers, detect suspicious behavior, and determine whether the event is an IOA.
The mere presence of this type of indicator of attack does not mean that an attack is taking place. You must analyze the advanced indicator of attack to determine whether it is an attack or not.
Advanced EDR shows relevant information about advanced IOAs, such as the MITRE tactic and technique used, the fields in the event recorded on the computer that generated the IOA, and these reports:
- Investigation: Opens the investigation console to show all the telemetry collected on the computer at the time the IOA was detected. To make searching for information easier, the investigation console focuses on the last event that triggered the IOA. You can review the events that occurred on the date of detection, as well as five days before and one day after that date.
- Activity: Shows a list of the events that triggered the IOA.
Advanced indicators of attack are compatible only with Windows computers.
Grouping advanced indicators of attack
Grouping indicators group together indicators that have the same tactic (see Tactic (Why)). They behave exactly like an advanced indicator of attack, except:
- The console shows far fewer details about grouping indicators, because they represent several different indicators. See Information associated with IOAs.
- All the indicators that make up a grouping indicator have the same tactic. There are 14 grouping indicators, one for each tactic available in the MITRE ATT&CK framework.
This is a list of all grouping indicators supported in the management console:
Tactic | Name | Description | Severity
---|---|---|---
TA0001 | Initial Access | The adversary is trying to get into your network. | Medium
TA0002 | Execution | The adversary is trying to run malicious code. | Medium
TA0003 | Persistence | The adversary is trying to maintain their foothold. | Medium
TA0004 | Privilege Escalation | The adversary is trying to gain higher-level permissions. | Medium
TA0005 | Defense Evasion | The adversary is trying to avoid being detected. | Medium
TA0006 | Credential Access | The adversary is trying to steal account names and passwords. | Medium
TA0007 | Discovery | The adversary is trying to figure out your environment. | Medium
TA0008 | Lateral Movement | The adversary is trying to move through your environment. | Medium
TA0009 | Collection | The adversary is trying to gather data of interest to their goal. | Medium
TA0010 | Exfiltration | The adversary is trying to steal data. | Medium
TA0011 | Command and Control | The adversary is trying to communicate with compromised systems to control them. | Medium
TA0012 | Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data. | Medium
TA0013 | Resource Development | The adversary is trying to establish resources they can use to support operations. | Medium
TA0014 | Reconnaissance | The adversary is trying to gather information they can use to plan future operations. | Medium
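The following is an added example (not Cytomic's code) of how a triage script could model what this section describes: advanced IOAs carrying an ATT&CK tactic and technique, the Pending/Archived status you can edit manually, the investigation window of five days before and one day after detection, and one grouping indicator per tactic. The AdvancedIOA fields, the function names and the sample detections are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# The 14 ATT&CK tactics from the table above, one grouping indicator each.
TACTIC_NAMES = {
    "TA0001": "Initial Access", "TA0002": "Execution", "TA0003": "Persistence",
    "TA0004": "Privilege Escalation", "TA0005": "Defense Evasion",
    "TA0006": "Credential Access", "TA0007": "Discovery", "TA0008": "Lateral Movement",
    "TA0009": "Collection", "TA0010": "Exfiltration", "TA0011": "Command and Control",
    "TA0012": "Impact", "TA0013": "Resource Development", "TA0014": "Reconnaissance",
}
STATUSES = ("Pending", "Archived")  # the only two statuses the console uses

@dataclass
class AdvancedIOA:  # hypothetical record shape, not the product's data model
    ioa_id: str
    computer: str
    tactic: str              # ATT&CK tactic ID, e.g. "TA0006"
    technique: str           # ATT&CK technique ID, e.g. "T1003"
    detected_at: datetime
    status: str = "Pending"  # every new IOA is created as Pending

def set_status(ioa, status):
    """Manual status edit; anything other than Pending/Archived is rejected."""
    if status not in STATUSES:
        raise ValueError(f"unknown IOA status: {status}")
    ioa.status = status

def investigation_window(detected_at):
    """Telemetry range the investigation console covers: 5 days before, 1 day after."""
    return detected_at - timedelta(days=5), detected_at + timedelta(days=1)

def grouping_indicators(ioas):
    """Collapse advanced IOAs into one grouping indicator per ATT&CK tactic."""
    by_tactic = defaultdict(list)
    for ioa in ioas:
        if ioa.tactic not in TACTIC_NAMES:
            raise ValueError(f"tactic {ioa.tactic} has no grouping indicator")
        by_tactic[ioa.tactic].append(ioa)
    return {t: {"name": TACTIC_NAMES[t], "severity": "Medium",  # always Medium
                "pending": sum(i.status == "Pending" for i in m), "total": len(m),
                "computers": sorted({i.computer for i in m})}
            for t, m in by_tactic.items()}

# Constructed sample detections (not real IOAs); the second one is archived after triage.
SAMPLE = [AdvancedIOA("ioa-1", "WS-01", "TA0006", "T1003", datetime(2024, 3, 10, 9)),
          AdvancedIOA("ioa-2", "WS-02", "TA0006", "T1110", datetime(2024, 3, 10, 9, 5)),
          AdvancedIOA("ioa-3", "WS-01", "TA0008", "T1021", datetime(2024, 3, 10, 9, 7))]
set_status(SAMPLE[1], "Archived")
```

Running grouping_indicators(SAMPLE) collapses the two Credential Access IOAs into a single TA0006 entry that still reports one pending indicator across two computers, which is the reduced view the console shows for grouping indicators.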
Compatibility of advanced indicators of attack with third-party security solutions
Cytomic follows all standards recommended by OS manufacturers to make sure its security products can coexist seamlessly with other antivirus and EDR solutions on customer computers. Advanced IOAs are implemented using hooks. If multiple security solutions that use this interception technology exist on a computer, there might be compatibility issues. To resolve this, disable all hook-based technologies in the security product installed on the user computer.
In Advanced EDR, the technologies that use hooks are:
- Anti-exploit protection. See Anti-exploit.
- Advanced code injection. See Anti-exploit.
- Advanced IOAs.
CKC (Cyber Kill Chain)
In 2011, Lockheed Martin drafted a framework, or model, for defending computer networks. This framework states that cyberattacks occur in phases, each of which can be interrupted through certain controls. Since then, the Cyber Kill Chain (CKC) has been adopted by IT security organizations to define the phases of cyberattacks. These phases range from remote reconnaissance of the target assets to data exfiltration.
MITRE Corporation
The MITRE Corporation is a not-for-profit company that operates federally funded research and development centers to address security issues. It offers practical solutions in the fields of defense and intelligence, aviation, civil systems, national security, judiciary, health, and cybersecurity. The MITRE Corporation is the creator of the MITRE ATT&CK framework.
ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)
ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a set of resources developed by the MITRE Corporation to describe and categorize cybercriminal activities based on observations from around the world. ATT&CK is a structured list of known attack behaviors categorized into tactics and techniques and shown as a matrix. The MITRE ATT&CK matrix is a useful resource to develop defensive, preventive, and remedial strategies for organizations. For more information about the ATT&CK matrix, go to https://attack.mitre.org/.
Technique (How)
In ATT&CK terminology, techniques represent the method (or the strategy) that an adversary uses to achieve a tactical objective. In other words, the ‘how’. For example, to access credentials (tactic), an adversary executes a data dump (technique).
Sub-Technique (How)
In ATT&CK terminology, sub-techniques represent the “how” of a specific technique. They refer to the processes or mechanisms used by adversaries to achieve the objective of a tactic. For example, password spraying is a type of brute force attack to accomplish the objective of the Credential Access tactic.
Tactic (Why)
In ATT&CK terminology, tactics represent the ultimate motive or goal of a technique. It is the tactical objective of the adversary: the reason to take an action.