IoB usage by Cybereason

Home / News / IoB usage by Cybereason

IoB – Indicators of Behavior is a signal of malicious behavior, and its detection allows you to react to an ongoing or starting attack faster than the previously used IoC – Indicator of Compromise – a security breach indicator. We have already described the aforementioned concept in the article on the approach to data protection by Forcepoint. Cyberason, on the other hand, uses it in its XDR solution … and this is what today’s article will be about.

Most of the information on threats is still made available as security breach indicators (IOCs) or as artifacts in the system or network that signal malicious activity. IoC’s are fingerprints left at a crime scene after a cyberattack. This is static data and is often identified as file hashes, IP addresses, domain names, or other information in the environment.

An example of IoC is, for example: Malicious IP Address: 100.35.197.249

IOCs help:

  1. identify and prevent enemy attacks based on the unique signature of the malware, C2 server, or other tools that attackers can use.
  2. preventing known malware

However, nowadays when more than 350,000 new malware strains are detected every day, and fileless malware attacks (be it scripts or living-off-land) are becoming more frequent… Indicators of Compromise are no longer an innovative or sufficient standalone method of defense.

On the other hand, we have the aforementioned Indicators of Behavior (IoB) that describe the approach an attack takes. IOB are witnesses at the scene of a cyber attack. They didn’t necessarily see the faces of the criminals, but they saw what they did. IOB is a set of behaviors, independent of tools or artifacts that describe an attack, and can be very useful when creating AEP (Advanced Endpoint Protection) and simulating an attack.

Examples of high-level BEIs are, for example:

  • Initial access via a phishing attachment with a malicious Microsoft Word document attached.

  • Successive payloads downloaded by a malicious macro in a Word document executing commands to use PowerShell and create persistence with a scheduled task.

IoB as a specific element of the threat analysis looks like this:

  • T1193 Spear phishing Attachment (Microsoft Word) -> T1093 shell process (PowerShell) -> T1407 external connection -> T1053 child process (Create scheduled job)

In order not to claim that this is a cure for all evil, we must emphasize that IoB’s may differ: some will be detailed in terms of the description of the procedure, while others will be more general at the level of technology. For blue teaming, the above IOB can easily be turned into a search that looks something like this:

  • Identify any Microsoft Word executions where Word creates a PowerShell child process that connects to the Internet and executes another shell (CMD or PowerShell) or a binary that is unsigned and downloaded from the Internet.

Additionally, by using techniques such as matching to historical data, you can go back in time and use current threat intelligence to evaluate your past environment for attacks that you have not considered before.

Related articles

A few thoughts from the former commander of the reminder that the Israeli 8200 unit... and currently the CEO of Cybereason.
Why consider XDR by Cybereason?
Why XDR is the only defense against Enterprise Ransomware
Please be advised that our website is using cookies for marketing, statistical and functional reasons. In order to optimize the content on our website and to adapt them to your individual needs, we use informations saved using cookies on users’ end devices. Cookies can be controlled by the user through the settings of their web browser. By contiuning to use our website without changing your web browser settings, you are accepting the use of cookies.
I accept More info