Security Limitations of IOCs - Lessons Learned from APT29

By: Tim Wade
July 20, 2020

Recently, the United Kingdom’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE) released details of an advanced threat actor (APT29) targeting organizations involved in COVID-19 vaccine research. Unfortunately for traditional perimeter-based security tools that rely only on identifying known-bad indicators, this campaign leans heavily on the theft and misuse of legitimate credentials to maintain persistence and advance the attack. Such tools can make use of the currently known indicators of compromise (IOCs), but IOCs are easily changed by adversaries; used alone, they are better suited to investigating the historical presence of this threat actor than to serving as the only leading indicators network defenders rely on to interdict attack progression.

Fortunately, organizations that have deployed the Vectra Cognito Network Detection and Response (NDR) platform are resilient against this campaign because their network defenses do not depend solely on detecting known-bad IOCs, and they have coverage both in the network and in critical SaaS services such as Microsoft Office 365. Cognito uses artificial intelligence and machine learning to detect the behaviors adversaries are required to exhibit to advance an attack, rather than the tooling they use or the IOCs they leave behind; one example is the Privileged Access Analytics (PAA) native to the platform. PAA detects post-exploitation activity that leverages stolen and misused credentials by observing and learning how privilege is normally used across the enterprise, then signaling when that privilege is misused, which also enables real-time, orchestrated attack takedown by invoking Cognito Account Lockdown. Further, access to extensive, enriched Zeek-like metadata lets security analysts rapidly uncover historical evidence of this threat actor and threat hunt with new IOCs developed from their own operational activities.
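The contrast drawn in the two paragraphs above, between matching a static list of known-bad indicators and learning how privilege is normally used so that misuse stands out, reduced to a runnable sketch. This is an added example and is not Vectra's code or the logic of the Cognito platform; the log format, account and host names, IP addresses, and the two-distinct-days threshold for trusting a pattern are all constructed assumptions.

```python
"""Static IOC matching versus privilege-usage baselining.

Added illustrative example, not Vectra's or Cognito's code. Every event,
account, host and IP below is constructed for the demonstration.
"""
from collections import defaultdict

# Constructed learning window: (day, account, source_host, target, source_ip)
BASELINE_WINDOW = [
    (1, "svc-backup", "bk01", "fileserver", "10.0.1.5"),
    (2, "svc-backup", "bk01", "fileserver", "10.0.1.5"),
    (3, "jsmith-adm", "jump01", "dc01", "10.0.2.9"),
    (4, "jsmith-adm", "jump01", "dc01", "10.0.2.9"),
    (5, "svc-backup", "bk01", "fileserver", "10.0.1.5"),
]

# A published IOC: the source IP observed in an earlier, reported intrusion.
IOC_IPS = {"203.0.113.7"}

# Constructed attack day: the stolen admin credential is reused from a
# workstation it has never been used on, and the adversary has already
# rotated infrastructure away from the published IP.
ATTACK_DAY = [
    (6, "jsmith-adm", "jump01", "dc01", "10.0.2.9"),            # legitimate
    (6, "jsmith-adm", "ws-finance-17", "dc01", "198.51.100.4"),  # misuse
    (6, "svc-backup", "bk01", "fileserver", "10.0.1.5"),         # legitimate
]

# Assumption: a (source_host, target) pair is only trusted for an account
# once it has been seen on at least this many distinct days.
MIN_DAYS = 2


def learn_privilege_baseline(events):
    """Map each privileged account to the (source_host, target) pairs it
    habitually uses, learned from the observation window."""
    days_seen = defaultdict(set)
    for day, account, src, target, _ip in events:
        days_seen[(account, src, target)].add(day)
    baseline = defaultdict(set)
    for (account, src, target), days in days_seen.items():
        if len(days) >= MIN_DAYS:
            baseline[account].add((src, target))
    return baseline


def ioc_matches(events, ioc_ips):
    """Classic indicator matching: fires only if the adversary reuses the
    exact infrastructure that was published."""
    return [e for e in events if e[4] in ioc_ips]


def privilege_anomalies(events, baseline):
    """Behavioral check: a known privileged account reaching a target from a
    source host it has never been observed on. A credential thief has to
    do this regardless of which IP or tooling they bring."""
    return [
        e for e in events
        if e[1] in baseline and (e[2], e[3]) not in baseline[e[1]]
    ]


if __name__ == "__main__":
    base = learn_privilege_baseline(BASELINE_WINDOW)
    print("IOC hits on attack day:", ioc_matches(ATTACK_DAY, IOC_IPS))
    print("Privilege anomalies   :", privilege_anomalies(ATTACK_DAY, base))
```

Run as written, the IOC check returns nothing because the published IP never appears, while the baseline check returns the single `jsmith-adm` event from `ws-finance-17`. The threshold of two distinct days is the kind of knob a real system tunes so that a one-off legitimate login does not become a trusted pattern.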

Too often, organizations are at the mercy of published IOCs that notify them after the fact that something has gone wrong. With Vectra Cognito, network defenders regain visibility and control of their environment, allowing them to flip the script on even advanced adversaries and stop them before the damage is done.

About the author

Tim Wade

Tim Wade brings over fifteen years of security engineering and operational experience into his role as the Technical Director of Vectra’s Office of the CTO, and is a firm advocate of privacy, fairness, liberty and protection for individuals in the digital age. Over the course of his career he’s crossed through both federal and private sectors, including decorated service as a member of the U.S. Air Force, and most recently as the Head of Application and Information Security in an EdTech sector enterprise. Tim holds a M.S. in Computer Science from the University of Southern California and maintains industry credentials issued by Offensive Security and (ISC)2.
