Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting

Kaspersky Anti Targeted Attack Platform uses two types of indicators for threat hunting: IOC (Indicator of Compromise) and IOA (Indicator of Attack).

An IOC is a set of data about a malicious object or malicious activity. Kaspersky Anti Targeted Attack Platform uses IOC files conforming to the OpenIOC standard, which is an open standard for describing indicators of compromise. IOC files contain a set of indicators that are compared to the indicators of an event. If the compared indicators match, the application considers the event to be an alert. The likelihood of an alert may increase if a scan detects exact matches between the data of an object and several IOC files.

An IOA (also referred to as a "TAA (IOA) rule") is a rule containing the description of a suspicious activity in the system that could be a sign of a targeted attack. Kaspersky Anti Targeted Attack Platform scans the Events database of the application and marks events that match behaviors described by TAA (IOA) rules. The streaming scan technology is used, which involves continuous real-time scanning of objects being downloaded from the network.

TAA (IOA) rules created by Kaspersky experts are used by the TAA (Targeted Attack Analyzer) technology and are updated alongside the application databases. They are not displayed in the interface of the application and cannot be edited.

You can add user-defined IOC and TAA (IOA) rules using IOC files in the OpenIOC format as well as create TAA (IOA) rules based on event database search conditions.

The following table contains a comparative analysis of indicators of compromise (IOC) and attack (IOA).

Comparison of IOC and IOA indicators

If you are using the distributed solution and multitenancy mode, this section displays information for the selected tenant.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).