Augmentation to Machine Readable CTI

The reality of the current cyber threat landscape is daunting. Attacks are becoming more frequent, more impactful, and more sophisticated. CTI sharing communities and activities have evolved from efforts within government to sharing between government, critical infrastructure owners/operators, and commercial cybersecurity service providers to support mitigation of these shared cyber threats. However, sharing traditional indicators of compromise (IOCs) is no longer effective against an increasingly sophisticated adversary. It is imperative that we continue to evolve and mature as a global community to maintain a competitive advantage over our adversaries.

To that end, the OCA IoB Sub-Project was established to bring key stakeholders in the CTI community together to collectively focus on patterns of behavior associated with malicious cyber activity. By understanding "normal" and possibly malicious behaviors or patterns of activity in our networks, we can develop innovative solutions that enable us to share behavior sets (i.e., sets of adversarial behaviors) amongst the CTI community.

The main goal of the IOB effort is to create a standard way to represent cyber adversary behaviors to make it easier to:

  • share repeatable sets of observed adversary behaviors spanning multiple campaigns,
  • share the analytics to detect those behaviors, and
  • create and share playbooks/workflows to correlate those detections.

To learn more, visit the IOB GitHub repository.