If you’ve been working for any time in cybersecurity, you probably have encountered the concept of the Pyramid of Pain, first posed by security architect, David Bianco, in a blog post in 2014. It is a neat organization of the hierarchy applied to Indicators of Compromise (IOC) and is a potent threat hunter’s map.
The Pyramid indicates that if you address a low-level IOC (e.g., hash value), it will cause a small amount of pain to the adversary. For example, changing the hash value of malware and using it again is trivial and not very painful to the hacker. Preventing a higher-level attack (e.g., Domain) will cause a bit more pain to the attacker as he must now bother to set up another website. And so on as you ascend the Pyramid.
At the Pyramid’s summit we find Tactics, Techniques and Procedures (TTPs). Thwarting a TTP is relatively difficult, but also holds the highest potential of pain for the adversary as it impacts, not just the attacker’s carefully concocted tool chest, but his skillfully honed methodology as well. In the world of cybersecurity, new tools are continuously invented and shared, but new behavioral methods of delivery, execution and lateral movement are far more difficult to adopt and implement. Forcing a change in behavior is especially painful to the hacker.
Success at the Summit with BIOCs
Ubiquitous Indicators of Compromise (IOCs) shared across numerous threat-intelligence feeds are fast weapons for detecting and defeating low-level known attacks. By matching file hashes, IP addresses and domain names with known bad actors, attacks can be detected promptly with very little risk, allowing proper mitigation to be applied. For example, if a threat intelligence database has listed the IP address 220.127.116.11 as a C2 server, then any executable attempting to connect to that exact IP address can be identified and stopped. However, this attack prevention has a limited life-span and not terribly painful as the hacker can simply establish another base of operations with a new IP address and continue the attack—at least until it is detected and makes its way into new threat intelligence feeds.
IOCs play a critical role in cybersecurity defenses, they indicate there is something happening in a network and there is a need to take a deeper look, however they are not nearly strong or pain-inducing enough as the only detection method. At the high end of the spectrum, IOCs have an extremely limited time-span and are easily by-passed by attackers.
While experienced attackers pride themselves on their mastery of sophisticated TTPs and multiple methods for delivering them undetected into networks and onto endpoints, they are now confronted by a new powerful defense methodology that cannot be quickly avoided and knows how to inflict pain on adversaries. With Behavioral Indicators of Compromise (BIOCs), security teams can thwart TTPs, narrowing the threat landscape and inflicting heavy wounds on attackers.
Unlike IOCs, BIOCs don’t need to exactly match artifacts in order to determine threats. Instead, they detect sequences of activity (behaviors) of malicious or threatening actions in the cyber-kill chain. These sequences can be simple or complex—from the exploit of a vulnerable application, to payload delivery methods, use of known good applications in file-less attacks, identifying lateral movement, pooling of data for exfiltration or insider threats, and others—they are always highly effective.
Let’s look at two examples of how BIOCs block cyberattacks that IOCs would miss:
Microsoft Word (or any Office app) shouldn’t be acting like this
A BIOC triggers an alert and blocks the communication whenever any Microsoft Word document tries to connect directly to any IP address outside the organization and Microsoft’s app store (or to a specific geographic location, etc.). Alternatively, a BIOC stops the execution to a script downloaded by Microsoft Excel to a temporary folder location (with or without standard exceptions). A litany of exact IP address matches and script hash values is unnecessary.
Typically used alongside the EternalBlue exploit, DoublePulsar backdoor uses lsass.exe to deliver and run executables on Microsoft Windows systems. While Microsoft has now offered a patch to supported operating systems, A BIOC can be used to detect when LSASS.exe runs an executable and automatically isolate or contain the system and alerts the security team. The known abnormal chain of activities of LSASS.exe is what makes this situation suspicious.
Cybersecurity Defense Reinforcement
Secdo has created a growing library of hundreds of tested BIOCs, in which Secdo customers can implement all or any part of this library to enhance their defenses and decrease the surface area of risk.
In addition, customers can create their own BIOCs with Secdo’s BIOC wizard. Most security teams already have a list of countless attack vectors that are a daily risk to the enterprise but are unable to detect the or prevent their use. With Secdo a customer can easily create a custom BIOC and quickly test the query for accuracy across over 100 days of historical endpoint data—no other technology stores all live data for this length of time. Once the BIOC is tested, and refined if needed, the customer can apply this BIOC for automated detection and choose an automated response action. By responding automatically Secdo can react accordingly to contain the activity, actions include blacklisting a file or IP address, isolating an endpoint, creating an alert, and perform other tasks in sequence.
BIOCs are potent weapons in the security teams arsenal for:
- Visibility: BIOCs are able to discern highly sophisticated and complex attack vectors based on behaviors for malicious insiders, external threats, policy violations, security gaps and other malicious activity.
- Prevention and Response: BIOCs can alert, prevent and execute response actions automatically on detection.
- Threat Hunting: BIOCs give threat hunters a new offensive weapon to identify unknown insider or external threats based on behaviors. Queries can be simple or complex, are tested on over a hundred days of historical endpoint activity, and do not require the need to learn a new language—its all point and click.
- Optimization: BIOCs are utilized by Secdo to reprioritize inbound alerts from SIEM and can also be utilized as context to reveal known-bad attack activity to junior analysts, reducing the discovery and validation time of new threats to seconds.
Threat Hunting and BIOC creation with Secdo
Inflicting Pain and Increasing Defenses
With new forms of threats being created daily, malware offered as a service with support to the highest (or any) bidder, and the new fandangled use of AI to create and morph malware, Attackers are going undetected now more than ever before.
Implementing effective IOC feeds across the gamut of cybersecurity solutions is a great way to protect the enterprise and identify known attack methods, but these minor set backs on attackers are not the ones of great concern—they are the low-hanging fruit. For highly sophisticated attacks that have made recent news and operate at the summit of the Pyramid of Pain, IOCs are woefully inadequate.
Behavioral Indicators of Compromise, or BIOCs, are the new standard for threat detection and prevention. They empower security teams to hunt for and protect the enterprise from TTPs and other highly sophisticated attack methods, closing the surface area of risk and forcing attackers to not only create new malware but find new methods of delivery and execution.