Kaspersky Anti Targeted Attack Platform uses two types of indicators for threat hunting: IOC (Indicator of Compromise) and IOA (Indicator of Attack).
An IOC is a set of data about a malicious object or malicious activity. Kaspersky Anti Targeted Attack Platform uses IOC files conforming to the OpenIOC standard, an open standard for describing indicators of compromise. An IOC file contains a set of indicators that are compared with the indicators of an event; if they match, the program registers the event as an alert. Confidence in an alert is higher if a scan finds exact matches between the data of an object and several IOC files.
An IOA (also referred to as an IOA rule) is a rule that describes suspicious activity in the system which could be a sign of a targeted attack. Kaspersky Anti Targeted Attack Platform scans the program's events database and marks events that match the behavior described by IOA rules. Streaming scan technology is used: objects downloaded from the network are scanned continuously, in real time, rather than in a periodic pass.
IOA rules created by Kaspersky Lab experts are updated together with the program databases. They are not displayed in the program interface and cannot be edited. You can add custom IOA rules in the form of IOC files conforming to the OpenIOC standard, and you can create IOA rules based on conditions for searching the events database.
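The matching described above, as an added illustration that is not Kaspersky code: a small OpenIOC 1.0 evaluator that parses an IOC file, walks its nested `Indicator` (AND/OR) and `IndicatorItem` elements, and tests each event against them. The IOC document, its `id`, the hash value and the event records are all constructed for this example; the term names (`FileItem/Md5sum`, `ProcessItem/name`, `ProcessItem/path`) follow the OpenIOC naming convention, and the event dictionaries are a stand-in for whatever field layout a real events database uses.

```python
"""Minimal OpenIOC 1.0 evaluator (added example, not Kaspersky Anti Targeted
Attack Platform code). Parses an IOC file and tests events against it."""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample IOC file. The id and hash are placeholders, not real indicators.
# Logic: match if the MD5 matches, OR if a process named svchost.exe runs from
# somewhere under \Users\ (a common masquerading pattern).
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-4000-8000-000000000001">
  <short_description>Example: svchost.exe masquerading or known dropper hash</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="is">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svchost.exe</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains">
          <Context document="ProcessItem" search="ProcessItem/path" type="mir"/>
          <Content type="string">\\Users\\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed events. Keys mirror the OpenIOC "search" terms for simplicity.
SAMPLE_EVENTS = [
    {"id": 1, "ProcessItem/name": "svchost.exe",
     "ProcessItem/path": "C:\\Windows\\System32\\svchost.exe"},          # legitimate
    {"id": 2, "ProcessItem/name": "svchost.exe",
     "ProcessItem/path": "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"},  # masquerade
    {"id": 3, "FileItem/Md5sum": "0123456789ABCDEF0123456789ABCDEF"},     # hash hit
    {"id": 4, "ProcessItem/name": "notepad.exe",
     "ProcessItem/path": "C:\\Users\\bob\\notepad.exe"},                 # benign
]


def _item_matches(item, event):
    """Evaluate one IndicatorItem against an event dict."""
    term = item.find("ioc:Context", NS).get("search")
    expected = item.find("ioc:Content", NS).text or ""
    actual = event.get(term)
    if actual is None:                      # event has no value for this term
        return False
    # OpenIOC compares case-insensitively unless preserve-case="true".
    if item.get("preserve-case", "false").lower() != "true":
        actual, expected = actual.lower(), expected.lower()
    cond = item.get("condition", "is")
    if cond == "is":
        return actual == expected
    if cond == "contains":
        return expected in actual
    raise ValueError(f"unsupported condition: {cond}")


def _indicator_matches(node, event):
    """Recursively evaluate an Indicator node, honouring its AND/OR operator."""
    op = node.get("operator", "OR").upper()
    results = []
    for child in node:
        tag = child.tag.split("}")[-1]       # strip namespace
        if tag == "IndicatorItem":
            results.append(_item_matches(child, event))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, event))
    if not results:
        return False
    return all(results) if op == "AND" else any(results)


def evaluate_ioc(ioc_xml, event):
    """True if the event matches the IOC file's definition."""
    root = ET.fromstring(ioc_xml)
    definition = root.find("ioc:definition", NS)
    return any(_indicator_matches(ind, event)
               for ind in definition.findall("ioc:Indicator", NS))


def find_alerts(ioc_xml, events):
    """Return the ids of events that the IOC file flags as alerts."""
    return [e["id"] for e in events if evaluate_ioc(ioc_xml, e)]


def matching_ioc_ids(ioc_xmls, event):
    """Ids of all IOC files an event matches; several hits raise confidence."""
    return [ET.fromstring(x).get("id") for x in ioc_xmls if evaluate_ioc(x, event)]


if __name__ == "__main__":
    print("alerts:", find_alerts(SAMPLE_IOC, SAMPLE_EVENTS))   # [2, 3]
```

Event 1 fails because the AND branch needs both the process name and a path under `\Users\`; event 2 satisfies both; event 3 matches the hash case-insensitively; event 4 matches neither branch. The same `evaluate_ioc` call works in either mode the table contrasts: call it over a stored batch for a periodic scan, or once per event as it arrives for a streaming scan.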
The following table compares IOC and IOA indicators.

| Characteristic | IOC | IOA |
|---|---|---|
| Scan scope | Computers with the Endpoint Sensors component | Program events database |
| Scanning mechanism | Periodic scan | Streaming scan |
| Predefined indicators by Kaspersky Lab experts | None | Yes |
| Ability to add to a white list | None | Yes |
If you are using the distributed solution and multitenancy mode, the section displays data on the organization that you chose.