Indicators of Attack (IOAs) demonstrate the intentions behind a cyberattack and the techniques used by the threat actor to accomplish their objectives.
The specific cyber threats arming the attack, like malware, ransomware, or advanced threats, are of little concern when analyzing IOAs. Instead, only the sequence of events leading to the deployment of a cyber threat are considered in this cybersecurity strategy.
IOAs are best understood in the context of a cyberattack, an operation that can be simplified into three primary stages.
An attack usually starts with a phishing campaign - where employees are tricked into divulging their internal credentials. Armed with this information, an IT perimeter is breached.
Next, the attacker moves laterally through the network looking for privileged credentials that will facilitate access to highly-sensitive resources. Once these credentials are compromised, a data breach occurs.
All of the damage caused in this process - modifications to the memory disk, backdoor connections to command and control servers, etc - are indications that the system was compromised but they don't help security teams understand the future movements of the attackers or what their primary objections are.
IOAs disclose the motivations of the attacker, the specific tools used in each process are of little importance.
IOAs are concerned with the "why" behind each cyberattack stage, whereas as IOCs are concerned with the "how." -> quote
Examples of Indicators of Attacks
The following 10 examples of IOAs are based on common cybercriminal behavior:
- Public servers communicating with internal hosts. This could be indicative of data exfiltration and remote communications from criminal servers.
- Connections via non-standard ports rather than port 80 or port 443.
- Internal hosts communicating with countries outside of business range.
- Inter-host communications within short time periods. This could be indicative of cybercriminal lateral movement or insider threat activity (see stage 2 in Figure 1).
- Multiple Honeytoken alerts from a single host (especially outside of business hours).
- Excessive SMTP traffic. Could be evidence of a compromised system being used to launch DDoS attacks.
- Malware reinfection within a few minutes of removal. This could be indicative of an Advanced Persistent Threat.
- Multiple user logins from different regions. This could be indicative of stolen user credentials.
What's the Difference Between an Indicator of Compromise (IOC) and an Indicators of Attack (IOA)?
An Indicator of Compromise (IOC) is digital evidence that a cyber incident has occurred. This intelligence is gathered by security teams in response to speculations of a network breach or during scheduled security audits.
An Indicator of Attack (IOA), on the other hand, is any digital or physical evidence that a cyberattack is likely to occur.
Some other differences are discussed below.
IOAs are Detected Before Data Breaches
The primary difference between the two is their position on the cyberattack timeline. Because IOAs occur before a data breach, if incident responses are activated in a timely manner, the security incident could be intercepted and prevented.
IOCs are Static but IOAs are Dynamic
Cyberattack footprints don't change over time. All of the components of a cyberattack - backdoors, C&C connections, IP addresses, event logs, hashes, etc - remain the same and provide the necessary threat intelligence to help security teams defend against future attacks.
This is why IOC-based detection methods are classified as static.
IOA data, on the other hand, is dynamic because cybercriminal movements are dynamic. Before a data breach can occur, a hacker needs to progress through numerous attack stages and change between multiple attack techniques.
There are 14 phases in the cyberattack and each contains a different set of techniques. See the Mitre Att&ck matrix.
IOA detection methods aim to detect this activity as it's evolving.
IOA Data is Monitored in Real-Time
Because IOA data changes as an attacker progresses through the cyberattack lifecycle, the data needs to be monitored in real-time.
IOA data could indicate how a network was breached, the backdoors that were established, and the privileged credentials that were compromised - information that helps security teams intercept a cyberattack as it's developing, reducing attacker dwell time.
IOAs, therefore, support a proactive approach to cybersecurity, whereas IOC is used in reactive forensic-driven responses.
The Limitations of IOC-Based Detection Mechanisms
IOC-detection methods are unable to intercept cyber threats not characterized by static signatures.
Emerging cyber threats, such as Zero-Day Exploits, haven't had the chance to be assigned a signature and so will pass through security controls relying on signature detection.
An example of a static-signature-based cybersecurity control is antivirus software.
Some malware strains don't write to disk to avoid triggering an antivirus scan. The only way antivirus security solutions could potentially discover such a threat is if system memory is scanned with the threat's updated signature.
Even if an updated signature is available (which is highly unlikely when a 0-day is being actively exploited), a memory scan would need to occur multiple times a week to have any chance of detection.
Not all AV vendors are capable of performing memory scans, and even if they could, endpoint performance would be disrupted during the process. So IOC-driven solutions, like antivirus software, are not reliable defenses against emerging threats.
Another limitation of IOC-driven solutions is their predictable attack surface scanning schedules.
Sophisticated threats, such as Advanced Persistent Threats (APTs), are capable of pausing attacker activity during information security scans and continuing them after each scan is finished.
The Future of Cybersecurity: A Combination of IOC and IOA Driven Strategies
If implemented alone, both IOC and IOA strategies will create deficiencies in cybersecurity programs.
- IOCs cannot help security terms intercept cyberattack attempts. IOC's also often trigger false alarms, producing high instances of false positives.
- IOAs provide insufficient forensic intelligence following a cyber incident.
But when combined, the strengths of one strategy conveniently addresses the deficiencies of the other.
To illustrate this complementary relationship, consider a threat actor advancing through the stages of a Mitre Att&ck.
At the reconnaissance stage of the attack, user accounts are taken from a stolen database published on the dark web. This process is a TTP indicator (Tactics, Techniques, and Procedures) and also an IOA.
The cyber attackers then use these credentials to breach the perimeter of the target network, advancing to the Initial Access phase of the attack.
After becoming aware of this activity by IOA-driven tools, security research teams begin investigating.
They learn that the stolen credentials were used to login into the network from an IP address in a Russian location known for launching ransomware attacks. Such intelligence would be classified as an IOC, where the threat indicator type for this IOC is an IP address.
Now that the motivations of the cyber attacks are clear, security teams can secure the attack vector commonly exploited in such attacks and deploy response efforts specific to ransomware operations.
The combination of IOCs and IOAs provides greater context for threat hunting operatives, helping them understand the primary objectives of the attack so that the damage caused by each cyber incident can be mitigated.
