Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting

Kaspersky Anti Targeted Attack Platform uses two types of indicators for threat hunting: IOC (Indicator of Compromise) and IOA (Indicator of Attack).

An IOC is a set of data about a malicious object or malicious activity. Kaspersky Anti Targeted Attack Platform uses IOC files conforming to the OpenIOC standard, which is an open standard for describing indicators of compromise. IOC files contain a set of indicators that are compared to the indicators of an event. If the compared indicators match, the application considers the event to be an alert. The likelihood of an alert may increase if a scan detects exact matches between the data of an object and several IOC files.

An IOA (also referred to as a "TAA (IOA) rule") is a rule containing the description of a suspicious activity in the system that could be a sign of a targeted attack. Kaspersky Anti Targeted Attack Platform scans the Events database of the application and marks events that match behaviors described by TAA (IOA) rules. The streaming scan technology is used, which involves continuous real-time scanning of objects being downloaded from the network.

TAA (IOA) rules created by Kaspersky experts are used by the TAA (Targeted Attack Analyzer) technology and are updated alongside the application databases. They are not displayed in the interface of the application and cannot be edited.

You can add user-defined IOC and TAA (IOA) rules using IOC files in the OpenIOC format as well as create TAA (IOA) rules based on event database search conditions.

The following table contains a comparative analysis of indicators of compromise (IOC) and attack (IOA).

Comparison of IOC and IOA indicators

Characteristic	IOC in user-defined IOC rules	IOA in user-defined TAA (IOA) rules	IOA in TAA (IOA) rules created by Kaspersky experts
Scan scope	Computers with the Endpoint Agent component	Application events database	Application events database
Scanning mechanism	Periodical scan	Streaming scan	Streaming scan
Can be added to exclusions from scan	None.	Not needed. Users with the Senior security officer role can edit the text of the indicator in custom TAA (IOA) rules as necessary.	Yes.

Characteristic

IOC in user-defined IOC rules

IOA in user-defined TAA (IOA) rules

IOA in TAA (IOA) rules created by Kaspersky experts

Scan scope

Computers with the Endpoint Agent component

Application events database

Scanning mechanism

Periodical scan

Streaming scan

Can be added to exclusions from scan

None.

Not needed.

Users with the Senior security officer role can edit the text of the indicator in custom TAA (IOA) rules as necessary.

Yes.

If you are using the distributed solution and multitenancy mode, this section displays information for the selected tenant.

Page top