TL;DR: Since threat hunting is conducted both within defended networks and beyond their perimeters, not all observables listed in threat intel reporting should be labeled “IOCs”.
Threat hunting is the practice of searching for malicious activity both within and beyond the perimeter of a defended network. The common currency of threat detection is Indicators of Compromise (IOCs) and Tactics, Techniques and Procedures (TTPs). IOCs are specific artifacts that can be observed on compromised machines and whose presence indicates compromise; TTPs describe the behavior of threat actors. MITRE ATT&CK is a popular framework for discussing TTPs, but IOCs have received comparatively little attention in terms of practical categorization.
When threat hunting extends beyond the perimeter of a defended network, it turns up types of indicators that do not fit neatly into the strict definition of “IOC”: they are either not specific enough to be indicative, or they do not strictly indicate compromise of a defended host. An example is an open directory on a web server that a threat actor uses to stage their activity. Such a server might hold logs, IP addresses, samples, and the SHA1 hashes of a bespoke phishing toolkit developed by the threat actor, and many of these artifacts would only ever be observed on the attacker's server, never on a victim's machine.
When these indicators are disseminated through a threat intel report, each recipient organization must first decide whether the activity described is relevant to its threat model. If it is, the next step is to use the IOCs to search its environment for evidence of attempted or successful compromise. However, some observables are only likely to be seen outside a target environment, such as on the attacker's own infrastructure, and therefore should not be called “IOCs”. Those observables are more useful to other security researchers and to intelligence agencies tasked with counter-cyber operations.
The author suggests distinguishing between IOCs and non-IOC observables, which they call “exothruntables”, so that threat intel reports are properly actionable for their audience. The distinction can be viewed through the lens of a client-server model: some observables are “client-side” (they can appear on the victim's machines or in its network telemetry) and others are “server-side” (they exist only on the attacker's infrastructure). The author provides a table with further examples of observable types where this distinction applies. Ultimately, separating the two helps organizations prioritize the indicators that are actually relevant to their own threat detection.
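To make the client-side/server-side split concrete, here is an added example (written for this page, not the author's code or the table from the original post) that takes the open-directory scenario described above and partitions what a hunter would harvest from it into IOCs and exothruntables. The directory contents, file bytes, hostname (`staging.attacker.example`, using the reserved `.example` TLD) and log lines are all constructed, and the mapping from file extension to "where this artifact can be observed" is an editorial assumption. The point it shows is that the label depends on the observable type as much as on the file: the SHA1 of `post.php` is an exothruntable because the PHP source never leaves the server, while the URL of `post.php` is an IOC because victims' browsers request it.

```python
"""Partition observables from an attacker's open directory into
endpoint/network IOCs and server-side observables ("exothruntables").

Added example for this page; not the author's code. The listing, file
bytes, hostname and log lines are constructed, and the extension-to-role
mapping is an editorial assumption rather than the author's table.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed open-directory contents: filename -> bytes as downloaded.
# SHA1 hashes are computed from these bytes, so nothing below is a real hash.
FILES: dict[str, bytes] = {
    "login.html": b"<form action='post.php' method='post'>constructed lure page</form>",
    "post.php": b"<?php file_put_contents('victims.log', $_SERVER['REMOTE_ADDR'].PHP_EOL, FILE_APPEND); ?>",
    "config.php": b"<?php $exfil_token = 'PLACEHOLDER'; ?>",
    "Invoice_4471.docx": b"PK\x03\x04 constructed lure document",
    "update.exe": b"MZ constructed second-stage payload",
    "victims.log": b"203.0.113.7 alice@corp.example\n198.51.100.23 bob@corp.example\n",
}
BASE_URL = "http://staging.attacker.example"  # constructed; .example is reserved

# Assumed roles by extension. Anything not listed is treated as server-only
# (logs, configs, helper scripts that no victim ever fetches).
SERVED_TO_VICTIM = {".html", ".docx", ".exe", ".js", ".hta", ".lnk", ".zip"}
SERVER_SIDE_SCRIPT = {".php", ".aspx", ".jsp"}


@dataclass(frozen=True)
class Observable:
    kind: str    # "sha1", "url", "domain" or "ip"
    value: str
    label: str   # "ioc" or "exothruntable"
    reason: str


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def ext_of(name: str) -> str:
    i = name.rfind(".")
    return name[i:].lower() if i >= 0 else ""


def classify_file(name: str, data: bytes, base_url: str) -> list[Observable]:
    """Label the hash and the URL of one staged file separately."""
    ext, digest, url = ext_of(name), sha1(data), f"{base_url}/{name}"
    if ext in SERVED_TO_VICTIM:
        return [
            Observable("sha1", digest, "ioc", "file lands on victim hosts or mail gateways"),
            Observable("url", url, "ioc", "victim browsers request it; visible in proxy/DNS logs"),
        ]
    if ext in SERVER_SIDE_SCRIPT:
        return [
            Observable("sha1", digest, "exothruntable", "source never leaves the server; victims only see its output"),
            Observable("url", url, "ioc", "victims request the endpoint; visible in proxy logs"),
        ]
    return [
        Observable("sha1", digest, "exothruntable", "server-only artifact"),
        Observable("url", url, "exothruntable", "no victim ever fetches this path"),
    ]


def classify_log(data: bytes) -> list[Observable]:
    """Victim addresses recorded by the kit exist only on the attacker's server."""
    ips = sorted(set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", data.decode(errors="replace"))))
    return [Observable("ip", ip, "exothruntable", "victim address; useful to notifiers, not a hunt term") for ip in ips]


def partition(files: dict[str, bytes] = FILES, base_url: str = BASE_URL) -> dict[str, list[Observable]]:
    host = urlparse(base_url).hostname or base_url
    obs = [Observable("domain", host, "ioc", "staging host contacted by victims")]
    for name, data in files.items():
        obs += classify_file(name, data, base_url)
        if ext_of(name) == ".log":
            obs += classify_log(data)
    return {
        "ioc": [o for o in obs if o.label == "ioc"],
        "exothruntable": [o for o in obs if o.label == "exothruntable"],
    }


if __name__ == "__main__":
    for label, items in partition().items():
        print(label.upper())
        for o in items:
            print(f"  {o.kind:6} {o.value}  ({o.reason})")
```

Running it prints two lists: the `ioc` list is what a recipient organization should load into its endpoint, proxy and DNS hunts, while the `exothruntable` list (kit source hashes, config and log paths, victim IPs) is what belongs in the report for researchers and responders who examine the attacker's infrastructure. Extending the role tables to match a report's actual artifact types is the step a real workflow would add.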
📓 Thrunting Grounds
🔗 source link: https://amitaico.substack.com/p/thrunting-grounds
🔗 summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/thrunting-grounds
#ThreatHunting #IndicatorsOfCompromise #TacticsTechniquesAndProcedures #IOCs #Exothruntables