Security Limitations of IOCs—Lessons Learned from APT29

July 20, 2020
Tim Wade
Deputy Chief Technology Officer

Recently, the United Kingdom’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE) released details of an advanced threat actor (APT29) targeting organizations involved in COVID-19 vaccine research. This is bad news for traditional perimeter-based security tools that rely solely on matching known-bad indicators: the campaign leans heavily on the theft and misuse of legitimate credentials to maintain persistence and advance the attack, and a valid credential used by the wrong party looks like ordinary traffic to a signature-based control.

And while such tools can consume the currently published indicators of compromise (IOCs), IOCs are cheap for an adversary to change. Used alone, they are better suited to confirming the historical presence of these threat actors than to serving as the leading indicators network defenders need to interdict an attack in progress.

Fortunately, organizations that have deployed the Vectra Cognito Network Detection and Response (NDR) platform are resilient against this campaign because their network defenses do not depend only on detecting known-bad IOCs, and they have coverage both in the network and in critical SaaS services such as Microsoft Office 365. Cognito uses artificial intelligence and machine learning to detect the behaviors adversaries must exhibit to advance an attack, rather than the tooling they use or the IOCs they leave behind. One example is the platform's native Privileged Access Analytics (PAA). PAA detects post-exploitation activity that relies on stolen or misused credentials by observing and learning how privilege is normally used across the enterprise (which accounts, from which hosts, against which services) and then signaling when that privilege is exercised outside the learned pattern. That signal can also drive real-time, orchestrated attack takedown by invoking Cognito Account Lockdown. Further, access to extensive, enriched Zeek-like metadata lets security analysts rapidly uncover historical evidence of these threat actors, or threat hunt with new IOCs developed from their own operational activity.
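To make the contrast concrete, here is an added example that is not Vectra code and does not reflect how PAA is implemented: it runs a signature-style IOC match and a simple behavioral privilege baseline side by side over a handful of constructed logon events. All accounts, hostnames, IP addresses (documentation ranges) and the "published" IOC list are invented for the illustration. The learning window records which (source host, target service) pairs each account normally uses; the observation window then contains a benign logon on a known path, a service account used from a user workstation against a domain controller, and a domain admin credential used from an address the adversary rotated to after the advisory was published.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    """One authentication event as seen in network metadata (constructed fields)."""
    ts: str
    account: str
    src_host: str   # host the credential was used from
    service: str    # host or service the credential was used against
    src_ip: str


# Constructed learning-window events: what "normal" privileged use looks like.
BASELINE_EVENTS = [
    LogonEvent("2020-07-01T08:00", "svc-backup", "backup01", "fileserver01", "10.0.1.10"),
    LogonEvent("2020-07-01T08:05", "svc-backup", "backup01", "fileserver02", "10.0.1.10"),
    LogonEvent("2020-07-01T09:00", "da-jsmith", "admin-jump01", "dc01", "10.0.2.20"),
    LogonEvent("2020-07-02T09:10", "da-jsmith", "admin-jump01", "dc02", "10.0.2.20"),
    LogonEvent("2020-07-02T10:00", "jdoe", "ws-jdoe", "fileserver01", "10.0.5.31"),
]

# Constructed observation-window events, after the learning window closed.
NEW_EVENTS = [
    # benign: a known account on a known path
    LogonEvent("2020-07-17T08:00", "svc-backup", "backup01", "fileserver01", "10.0.1.10"),
    # suspicious: service account used from a user workstation against a DC
    LogonEvent("2020-07-17T02:13", "svc-backup", "ws-jdoe", "dc01", "10.0.5.31"),
    # suspicious: domain admin used from a never-seen host/address (not in the IOC list)
    LogonEvent("2020-07-17T02:20", "da-jsmith", "vpn-pool-17", "dc02", "198.51.100.77"),
]

# Constructed IOC list standing in for a published advisory. The adversary has
# already rotated to 198.51.100.77, which is not on it.
PUBLISHED_IOCS = {"203.0.113.45", "203.0.113.46"}


def learn_privilege_baseline(events):
    """Map each account to the (source host, target service) pairs it normally uses."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e.account].add((e.src_host, e.service))
    return baseline


def ioc_matches(events, iocs):
    """Signature-style check: flag only events whose source IP is a known-bad indicator."""
    return [e for e in events if e.src_ip in iocs]


def privilege_anomalies(events, baseline):
    """Behaviour-style check: flag credential use outside the learned pattern.

    Returns a list of (event, reasons) for each anomalous event.
    """
    known_hosts = {h for pairs in baseline.values() for h, _ in pairs}
    findings = []
    for e in events:
        pairs = baseline.get(e.account, set())
        if (e.src_host, e.service) in pairs:
            continue  # seen during learning, nothing to say
        reasons = []
        if e.src_host not in {h for h, _ in pairs}:
            reasons.append(f"account {e.account} never used from {e.src_host}")
        if e.service not in {s for _, s in pairs}:
            reasons.append(f"account {e.account} never used against {e.service}")
        if e.src_host not in known_hosts:
            reasons.append(f"{e.src_host} has never sourced any privileged logon")
        if not reasons:
            reasons.append(f"new host/service combination for {e.account}")
        findings.append((e, reasons))
    return findings


def run_comparison(baseline_events=BASELINE_EVENTS, new_events=NEW_EVENTS, iocs=PUBLISHED_IOCS):
    """Run both detectors over the same observation window and return their hits."""
    baseline = learn_privilege_baseline(baseline_events)
    return {
        "ioc_hits": ioc_matches(new_events, iocs),
        "behaviour_hits": privilege_anomalies(new_events, baseline),
    }


if __name__ == "__main__":
    result = run_comparison()
    print(f"IOC matches: {len(result['ioc_hits'])}")
    for e, reasons in result["behaviour_hits"]:
        print(f"{e.ts} {e.account}@{e.src_host} -> {e.service}: " + "; ".join(reasons))
```

Run stand-alone, the IOC matcher reports zero hits because the adversary's current address is not on the list, while the baseline check flags both credential misuses with a reason a responder can act on. The same baseline is also what an analyst would query when threat hunting with fresh IOCs: once `198.51.100.77` is added to the list, the IOC matcher catches the third event too, but only after someone has already learned to look for it.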

Unfortunately, organizations are too often at the mercy of published IOCs that notify them only after something has already gone wrong. With Vectra, network defenders regain visibility and control of their environment, allowing them to flip the script on even advanced adversaries and stop them before the damage is done.