Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting

Kaspersky Anti Targeted Attack Platform uses two types of indicators for threat hunting: IOC (Indicator of Compromise) and IOA (Indicator of Attack).

An IOC is a set of data about a malicious object or malicious activity. Kaspersky Anti Targeted Attack Platform uses IOC files conforming to the OpenIOC standard, which is an open standard for describing indicators of compromise. IOC files contain a set of indicators that are compared to the indicators of an event. If the compared indicators match, the program considers the event to be an alert. The likelihood of an alert may increase if a scan detects exact matches between the data of an object and several IOC files.

An IOA (also referred to as a "TAA (IOA) rule") is a rule containing the description of a suspicious activity in the system that could be a sign of a targeted attack. Kaspersky Anti Targeted Attack Platform scans the Events database of the program and marks events that match behaviors described by TAA (IOA) rules. The streaming scan technology is used, which involves continuous real-time scanning of objects being downloaded from the network.

TAA (IOA) rules created by Kaspersky experts are used by the TAA (Targeted Attack Analyzer) technology and are updated alongside the program databases. They are not displayed in the interface of the program and cannot be edited.

You can add user-defined IOC and TAA (IOA) rules using IOC files in the OpenIOC format as well as create TAA (IOA) rules based on event database search conditions.

The following table contains a comparative analysis of indicators of compromise (IOC) and attack (IOA).

Comparison of IOC and IOA indicators

Characteristic

IOC in user-defined IOC rules

IOA in user-defined TAA (IOA) rules

IOA in TAA (IOA) rules created by Kaspersky experts

Scan scope

Computers with Kaspersky Endpoint Agent

Program events database

Program events database

Scanning mechanism

Periodical scan

Streaming scan

Streaming scan

Can be added to exclusions from scan

None.

Not needed.

Users with the Senior security officer role can edit the text of the indicator in custom TAA (IOA) rules as necessary.

Yes.

If you are using the distributed solution and multitenancy mode, this section displays information for the selected tenant.

Page top