SecurityTrails Blog

What Are Indicators of Attack (IoA)?


Indicators of compromise are great, aren't they? They're those little pieces of data that provide security researchers and digital forensics analysts with evidence of a breach on a system or network, and allow them to investigate the impact of the attack.
Indicators of compromise can be anything from a file that doesn't belong to a system directory, to suspect or known malicious domains and IPs, to anything that can show proof of a breached system. And by relying on known data concerning malicious actors and events, reports on emerging threats, reputational lists and threat intelligence feeds, these smoking guns also inform better tools and detection techniques that can be used in the event of future attacks.
But what happens when a zero-day threat emerges that is unknown, with no previous knowledge to draw from? What if behaviors exhibited by the threat have not been classified as malicious, and detection using IoC isn't possible?
Don't cure, prevent
Think of using IoC like treating a cold: you already have a runny nose, a sore throat and you can't get out of bed. They're all indicators of a cold — IoC! But you're just trying to ease the symptoms, and the damage has been done. Now, you could've taken note when you woke up with a slightly sore throat that one morning, before all the symptoms hit you with full force. Perhaps taking some preventative measures could have saved you a lot of trouble and discomfort.
This is how watching for **indicators of attack**, before an event fully happens, can work for you. Put simply, it's acting proactively.
Indicators of attack vs indicators of compromise: main differences
Indicators of compromise, as we saw in the introduction, support reactive detection of a security breach by showing evidence of a breached system. This can be the presence of viruses and malware, anomalies with privileged user accounts, malicious IPs and other forensic evidence that indicates a high probability of an attack.
In the cyber attack life cycle, there are different steps and actions involved. Indicators of attack, or IoA, reflect a series of events and actions attackers must execute in order to gain unauthorized access to a system or a network.
**Proactive detection** can take place during all of the steps that precede the attack — reconnaissance, weaponization and delivery — before the threat becomes a successful exploit. And when context can be gained as early as the recon phase, defenders can block attackers from moving forward. With reactive detection of IoC, the detection of intrusion is done after the attacker has already gained access to the system, in the later phases of the cyber attack life cycle.
While IoC are inherently bad, being **evidence of a security compromise**, IoA only become bad based on what they mean in the context of the situation. This means that one behaviour won't always be an indicator of attack; whether it is classified as one depends on the intent of the actor behind it.
For instance, port scanning isn't an inherently malicious activity, and can be performed by a benign scanner, but it can also be done by an attacker in the recon stage of an attack, trying to obtain as much information about your network as possible to discover any vulnerabilities. So, flagging this activity on its own as an IoA wouldn't really be useful. But if we add context with additional logs showing evidence of other internal hosts communicating with external hosts using atypical ports, then this can very well be an indicator of attack.
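The port-scan-plus-context case above, as an added example that is not from the SecurityTrails post: a small Python correlator over constructed firewall-style log lines that treats a scan alone as noise and only raises an IoA when internal hosts are also seen reaching external hosts on atypical ports. The internal networks, the baseline of typical egress ports and the five-port scan threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall-style log (not from the article): "time src dst dport action".
SAMPLE_LOG = """\
10:00:01 203.0.113.7 10.0.0.5 22 deny
10:00:01 203.0.113.7 10.0.0.5 80 allow
10:00:02 203.0.113.7 10.0.0.5 443 allow
10:00:02 203.0.113.7 10.0.0.5 3389 deny
10:00:03 203.0.113.7 10.0.0.5 5900 deny
10:05:10 10.0.0.12 198.51.100.9 4444 allow
10:05:12 10.0.0.19 198.51.100.9 6667 allow
10:06:00 10.0.0.5 198.51.100.20 443 allow
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed
TYPICAL_PORTS = {22, 25, 53, 80, 123, 443, 587, 993}  # assumed baseline of expected egress ports
SCAN_PORT_THRESHOLD = 5  # distinct ports on one destination before we call it a scan

def parse(log_text):
    """Turn 'time src dst dport action' lines into dicts, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            t, src, dst, dport, action = line.split()
            events.append({"time": t, "src": src, "dst": dst, "dport": int(dport), "action": action})
    return events

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def find_scanners(events):
    """Sources that touched many distinct ports on a single destination (recon-like behaviour)."""
    ports = defaultdict(set)
    for e in events:
        ports[(e["src"], e["dst"])].add(e["dport"])
    return sorted({src for (src, _), p in ports.items() if len(p) >= SCAN_PORT_THRESHOLD})

def find_atypical_egress(events):
    """Internal hosts connecting to external hosts on ports outside the expected baseline."""
    return sorted({(e["src"], e["dst"], e["dport"]) for e in events
                   if is_internal(e["src"]) and not is_internal(e["dst"])
                   and e["dport"] not in TYPICAL_PORTS})

def assess(log_text):
    """A scan alone is noise; a scan plus atypical internal-to-external traffic is reported as an IoA."""
    events = parse(log_text)
    scanners, egress = find_scanners(events), find_atypical_egress(events)
    return {"scanners": scanners, "atypical_egress": egress, "ioa": bool(scanners and egress)}
```

Feeding only the first five lines (the scan by itself) yields the same scanner but `"ioa": False`; the two atypical outbound connections are what tip the verdict.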
Indicators of attack **detect an active attack in real time**, before the final goal of the exploit, data theft, or similar operation is achieved. They cover the gaps IoC leave behind, by **detecting unknown threats**, and because IoA identify activity and behaviour rather than methods and tools used, **malwareless attacks can also be uncovered**. Once IoA are detected, they're refined by adding contextual information from other security tools to determine wheth...

SecurityTrails Blog, by SecurityTrails