Indicators of Compromise are Dead — Introducing Evidence of Compromise


The mission of Evidence of Compromise is simple: empower companies to audit and continuously monitor the security of their supply chains to an unprecedented degree, with the possibility of even predicting future breaches based on this real-time intelligence.

Current methods of cyber risk management, incident response and risk modeling have failed to keep up with the growing sophistication and speed of cyber adversaries, which range from organized criminal groups to state-sponsored hackers. As geopolitical tensions increase around the world, the overall risk to the financial sector grows with them, since this industry remains a prime target for US adversaries.

Over the next few years, the financial industry will have to evolve its cyber intelligence operations to keep up with these rapidly advancing threats by shifting to a more reliable, actionable and machine-speed response capability. This will require that it move beyond the standard model of threat intelligence, which for over 20 years has been based largely on the highly imperfect “indicators of compromise” (IoC).

This legacy threat intelligence model has been problematic for companies in many ways, particularly because of its high rate of false positives and its slower method of execution, since the data must be carefully sifted through, refined and verified by human analysts.

To keep up with modern threats, the industry will have to pivot toward a new and far superior class of threat intelligence, known as “evidence of compromise” (EoC). Unlike IoC, EoC is not at risk of errors, doesn’t require human analysts and is instantly actionable. That is because the data is collected directly from the source — the attacker’s own infrastructure — rather than relying on guesswork and interpretation. This means EoC is inherently accurate, with a false positive rate of at or near 0%.

The financial sector has been at the forefront of cybersecurity for years, so much so that its networks are often difficult to breach directly. As a result, attackers are increasingly shifting to the financial sector’s periphery, by targeting lower-hanging fruit within the corporate supply chain.

The “trusted vendor” is now the greatest vulnerability in a financial company’s network and overall security. Until now, it has been exceedingly difficult for these companies to accurately gauge their vendors’ security, particularly when it comes to active and emerging threats. EoC changes this equation, by allowing a company to see its vendors’ networks from the perspective of the attackers who are actively breaching them, gaining persistence and migrating to new targets affiliated with that organization.

This is a significant advancement over current threat intelligence capabilities, and it will become increasingly necessary in the next decade, as the threat landscape continues to evolve.


Copyright 2021 Prevailion, Inc. All rights reserved.
