
By AMSAT August 22, 2024

Indicator Lifecycle in Cybersecurity

When we talk about indicators, what comes to mind? An indicator is simply a signal that points something out.

Indicators in cybersecurity do the same thing, and they do not have to be malicious. An indicator can be as mundane as an email from an unknown sender in your inbox: it is not harmful by itself, but it is something worth investigating. Knowing the different kinds of indicators lets you use them effectively and track attack campaigns accurately.

Key Indicators to Look For


Among all indicators, some matter more than others. These are known as key indicators, and they are the ones our expert cyber analysts look for. A key indicator has the following characteristics:

  • Remain constant throughout various intrusions
  • Uniquely identify a specific attack campaign
  • Differentiate an attack campaign from normal, benign activity
  • Correspond to a specific phase in the Cyber Kill Chain

An indicator can be an email address, a domain or a malware mutex. Indicators that are seen together on multiple occasions are stronger evidence than any one of them alone: a malware mutex and a domain that repeatedly appear together across intrusions are more likely to be a key indicator for a campaign than either value by itself. The goal of our analysts is to identify as many key indicators as possible during intrusion analysis and use them against the attackers.

What is Indicator Lifecycle in Cybersecurity


Like the cybersecurity lifecycle, indicators have a lifecycle of their own, and defenders can use it to hunt for malware and other malicious activity. The catch is that the lifetime of an indicator is ultimately controlled by the adversary: once attackers learn that one of their indicators has been discovered, they can change their network infrastructure or rebuild their malware, and that indicator stops being useful.

Before they get the chance, our analysts take advantage of the indicator lifecycle and use it to its full effect. The lifecycle consists of three stages:

Revealed

In this stage we find an indicator by gathering information: examining intelligence reports, feeds and our own datasets. Once found, the indicator is vetted to confirm that it is genuine, that it is relevant to our intelligence requirements, and that it can be operationalized for threat hunting.

Mature

We convert the indicator into a form that helps us hunt. What is a mature indicator? One that our security tools can consume: the raw value is translated into a detection signature or a threat-hunting query.

Utilized

In this stage we use the indicator to reveal other indicators, which starts the lifecycle over again. Of the courses of action in the Courses of Action (CoA) matrix, two passive ones apply to utilizing an indicator:

Detection

We detect the attacker's current activity by turning the indicator into detection rules that fire as matching events arrive.

Discovery

With this CoA we run a threat-hunting query over historical data to discover the attacker's past activity that was previously buried in the logs.

Which passive CoA you follow depends on your intelligence tools and requirements, your logging capabilities, and the type of indicator you are going after. Whatever the utilization stage turns up feeds back into revealing new indicators.
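The Mature and Utilized stages above, worked through as an added example. This is illustrative code written for this post, not AMSAT's tooling. The indicators, the benign-domain allowlist, the event schema (qname, sha256 and mutex fields), the host names, the campaign label and every telemetry event are constructed for the example, and the domain, mutex and hash values are hypothetical. The script vets and normalizes revealed indicators into a lookup table (Mature), applies the same logic once as a streaming detection rule (Detection CoA) and once as a hunt over stored events (Discovery CoA), then pivots from the hosts that matched to candidate indicators that feed the next Revealed stage. The vetting step also applies the key-indicator test from earlier: a revealed value that shows up in normal, benign activity is rejected.

```python
# Indicator lifecycle as code: Revealed -> Mature -> Utilized -> Revealed.
# Added example for this post, not AMSAT's tooling. Every indicator, the
# allowlist and every telemetry event is constructed; all values are hypothetical.
import json
from collections import defaultdict

KNOWN_HASH = "a3" * 32           # hypothetical sha256 of the reported binary
NEW_HASH = "b" * 64              # hypothetical sha256 of a rebuilt binary
MUTEX = "Global\\UpdSvcLock_71"  # hypothetical mutex the malware creates

# Stage 1, Revealed: raw indicators from a report or feed. Values are messy on
# purpose (mixed case, trailing dot). The public resolver is not a key
# indicator: it does not differentiate the campaign from benign activity.
REVEALED = [
    {"type": "domain", "value": "Update-Cdn.Example.", "campaign": "CAMPAIGN-A"},
    {"type": "mutex",  "value": MUTEX,                 "campaign": "CAMPAIGN-A"},
    {"type": "sha256", "value": "A3" * 32,             "campaign": "CAMPAIGN-A"},
    {"type": "domain", "value": "dns.google",          "campaign": "CAMPAIGN-A"},
]
BENIGN_DOMAINS = {"dns.google", "one.one.one.one"}  # constructed allowlist
EVENT_FIELDS = {"qname": "domain", "sha256": "sha256", "mutex": "mutex"}

# Constructed DNS/process telemetry as JSON lines, in time order. WS-07 resolves
# the C2 domain, runs the known binary and contacts a domain nobody reported yet;
# WS-12 runs a rebuilt binary (new hash, same mutex); WS-03 resolves the C2
# domain with different casing and a trailing dot.
HISTORY = [json.dumps(e) for e in [
    {"ts": 1, "host": "WS-03", "event": "dns", "qname": "dns.google"},
    {"ts": 2, "host": "WS-07", "event": "dns", "qname": "update-cdn.example"},
    {"ts": 3, "host": "WS-07", "event": "process", "sha256": KNOWN_HASH, "mutex": MUTEX},
    {"ts": 4, "host": "WS-07", "event": "dns", "qname": "stat-relay.example"},
    {"ts": 5, "host": "WS-12", "event": "process", "sha256": NEW_HASH, "mutex": MUTEX},
    {"ts": 6, "host": "WS-03", "event": "dns", "qname": "UPDATE-CDN.EXAMPLE."},
]]

def normalise(kind, value):
    """Canonical form so 'Update-Cdn.Example.' and 'update-cdn.example' compare equal."""
    value = value.strip()
    if kind == "domain":
        return value.lower().rstrip(".")
    if kind == "sha256":
        return value.lower()
    return value  # mutex names are case-sensitive on Windows; keep verbatim

def mature(revealed, benign_domains=BENIGN_DOMAINS):
    """Stage 2, Mature: vet each revealed indicator and compile the survivors into
    a lookup table a detection engine can consume.
    Returns (matured, rejected); matured maps type -> {normalised value: campaign}."""
    matured, rejected = defaultdict(dict), []
    for ioc in revealed:
        value = normalise(ioc["type"], ioc["value"])
        if ioc["type"] == "domain" and value in benign_domains:
            rejected.append((ioc["value"], "seen in benign traffic, not a key indicator"))
            continue
        matured[ioc["type"]][value] = ioc["campaign"]
    return dict(matured), rejected

def detect(line, matured):
    """Stage 3, Detection CoA: check one incoming event against the matured
    indicators. Returns a list of (host, type, value, campaign) hits."""
    event = json.loads(line)
    hits = []
    for field, kind in EVENT_FIELDS.items():
        if field in event:
            value = normalise(kind, event[field])
            campaign = matured.get(kind, {}).get(value)
            if campaign:
                hits.append((event["host"], kind, value, campaign))
    return hits

def discover(history, matured):
    """Stage 3, Discovery CoA: the same rule run as a hunt over stored telemetry."""
    return [hit for line in history for hit in detect(line, matured)]

def pivot(history, hits, matured, benign_domains=BENIGN_DOMAINS):
    """Back to Stage 1: each matching host is a pivot point. Any domain or hash it
    touched that is neither a known indicator nor benign becomes a candidate to
    be revealed and vetted on the next turn of the lifecycle."""
    host_campaign = {host: campaign for host, _, _, campaign in hits}
    candidates = {}
    for line in history:
        event = json.loads(line)
        if event["host"] not in host_campaign:
            continue
        for field, kind in EVENT_FIELDS.items():
            if field not in event:
                continue
            value = normalise(kind, event[field])
            if value in matured.get(kind, {}) or value in benign_domains:
                continue
            candidates.setdefault((kind, value), {
                "type": kind, "value": value,
                "campaign": host_campaign[event["host"]],
                "source": "pivot from " + event["host"]})
    return list(candidates.values())

if __name__ == "__main__":
    matured, rejected = mature(REVEALED)
    hits = discover(HISTORY, matured)
    print(json.dumps({"rejected": rejected, "hits": hits,
                      "newly_revealed": pivot(HISTORY, hits, matured)}, indent=2))
```

Running it prints one rejected indicator (the public resolver), five hits across three hosts, and two newly revealed candidates: the unreported domain WS-07 contacted and the hash of the rebuilt binary on WS-12, which the attacker changed while leaving the mutex untouched. Those two candidates are exactly what the next Revealed stage would vet; the mutex surviving the rebuild is the kind of indicator that stays constant across intrusions.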

 


FAQs

What are the 5 stages of the cybersecurity lifecycle?

The five high-level stages of the cybersecurity lifecycle are:

  1. Identification
  2. Protection
  3. Detection
  4. Response
  5. Recovery

What are the 5 Ps of cybersecurity?

The five Ps of cybersecurity are fundamental rules that every organization should follow:

  1. Plan: Establishing clear plans and practices should be a priority in all organizations.
  2. Protect: Deploy security technologies and controls to defend against cyber threats, such as firewalls and antivirus software.
  3. Prove: Implement processes that verify and document that these security measures actually protect sensitive data.
  4. Promote: Educate and train people and stakeholders on cybersecurity best practices and awareness to prevent human error.
  5. Partner: Partner with other organizations and provide them with security tools and solutions that will protect their digital assets as well. 
