Photo by Jakob Owens on Unsplash

Discovering indicators of compromise


Article from ADMIN 49/2019
Open source pen testing tools help you view an attack from the perspective of both the attacker and the defender.

Quite a lot has been written about pen testing and hacker lifecycles. Over the past few months, for example, I've written a couple of articles for ADMIN about penetration testing: one about automated tools for pen testing [1] and the other about improving defense through pen testing [2]. However, comparatively little has been written about the knowledge, techniques, and tools necessary to analyze an attack or pen test as it occurs (i.e., the "other side," as it were, of an attack).

Indicators of Attack and Compromise

Before I stampede into the tools an analyst uses, it's important to identify an essential principle of the security analyst: As an attack occurs, certain things are left behind. This concept was first articulated by Edmond Locard [3] almost 100 years ago, well before the first modern computers were created. In fact, the concept that attackers leave behind signatures and traces is named "Locard's Exchange Principle."

The defender – in this case, the security analyst – needs to figure out what indicators of attack (IoAs) and indicators of compromise (IoCs) were left behind. An IoA is evidence left behind even if a particular attack doesn't lead to a break-in or data breach. An IoC is evidence left behind if an attack has successfully tricked or breached a security control. For example, an IoA could be a system scan or an unsuccessful attempt to create or exploit a buffer overflow condition. An IoC could be a case in which an attacker was able to exploit a buffer overflow successfully or otherwise gain unauthorized access to a system – same activity, two perspectives, and two sets of tools.
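To make the IoA/IoC split from the paragraph above concrete, here is an added example (not code from the article or from any tool it mentions) that runs simple detection rules over a handful of constructed events. The event format, the thresholds, the `httpd` process name and the correlation windows are all assumptions made for the illustration: a burst of connections to many ports is recorded as an IoA, an oversized request that only crashes the service is an IoA, and the same request succeeding and being followed by the web server spawning a shell is recorded as an IoC.

```python
from collections import defaultdict

# Constructed sample events (not captured from any real system). Timestamps
# are seconds; the field names are an assumption for this example.
SAMPLE_EVENTS = [
    # A quick sweep of several ports from one host: attempts only (IoA).
    *[{"ts": 100 + i, "src": "10.0.0.5", "kind": "tcp_connect", "dst_port": p}
      for i, p in enumerate((21, 22, 23, 80, 443, 445, 3389))],
    # An oversized request that the web server answers with a 500: an
    # attempt that failed, so still an IoA.
    {"ts": 130, "src": "10.0.0.5", "kind": "http", "dst_port": 80, "status": 500, "req_len": 4096},
    # The same oversized request is now accepted ...
    {"ts": 131, "src": "10.0.0.5", "kind": "http", "dst_port": 80, "status": 200, "req_len": 4096},
    # ... and the web server process spawns a shell: evidence of compromise (IoC).
    {"ts": 132, "kind": "proc_spawn", "parent": "httpd", "child": "/bin/sh"},
    # Ordinary traffic from another host, which should produce no finding.
    {"ts": 140, "src": "10.0.0.9", "kind": "http", "dst_port": 80, "status": 200, "req_len": 120},
]

# Thresholds are assumptions chosen for the constructed data above.
SCAN_PORTS = 5         # distinct ports from one source ...
SCAN_WINDOW = 60       # ... within this many seconds counts as a scan
LONG_REQ = 2048        # request length treated as "oversized"
FOLLOWUP_WINDOW = 10   # seconds in which a spawned shell is tied to a request
WEB_PROCESS = "httpd"  # assumed name of the web server process


def detect_scans(events):
    """Return one IoA finding per source that touched many ports in a short window."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "tcp_connect":
            by_src[e["src"]].append(e)
    findings = []
    for src, conns in by_src.items():
        conns.sort(key=lambda e: e["ts"])
        for i, first in enumerate(conns):
            ports = {c["dst_port"] for c in conns[i:] if c["ts"] - first["ts"] <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORTS:
                findings.append({"category": "IoA", "label": "port scan", "src": src,
                                 "ts": first["ts"], "ports": sorted(ports)})
                break  # one finding per source is enough for this example
    return findings


def detect_exploits(events):
    """Classify oversized web requests as IoA (failed/unconfirmed) or IoC (shell spawned)."""
    spawns = [e for e in events if e["kind"] == "proc_spawn" and e["parent"] == WEB_PROCESS]
    findings = []
    for e in events:
        if e["kind"] != "http" or e["req_len"] < LONG_REQ:
            continue
        if e["status"] >= 500:
            findings.append({"category": "IoA", "label": "oversized request crashed service",
                             "src": e["src"], "ts": e["ts"]})
            continue
        # Accepted oversized request: only an IoC if the web server then spawned a shell.
        followup = [s for s in spawns if 0 <= s["ts"] - e["ts"] <= FOLLOWUP_WINDOW]
        if followup:
            findings.append({"category": "IoC", "label": "web server spawned shell after oversized request",
                             "src": e["src"], "ts": e["ts"], "child": followup[0]["child"]})
        else:
            findings.append({"category": "IoA", "label": "oversized request accepted, no follow-on activity",
                             "src": e["src"], "ts": e["ts"]})
    return findings


def classify(events):
    """Run all rules and return findings in time order."""
    return sorted(detect_scans(events) + detect_exploits(events), key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS):
        print(f'{f["ts"]:>4} {f["category"]:<3} {f["src"]:<10} {f["label"]}')
```

The point of the two categories is that the same request shows up twice: as an IoA while it only crashes the service, and as an IoC once the follow-on process activity confirms the exploit worked. Real analysis would draw the process event from host telemetry and the request from web logs, which is why the correlation is done on time rather than on a shared connection identifier.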

According to the Exchange Principle,
