Indicators of Attack (IoAs): A Complete Introduction

Indicators of attack (IoAs) is the term for any indicators of behaviors that a cybercriminal exhibits prior to or while executing a cyberattack. The name says it all: IoAs are anything that may indicate an attack is underway.

The intent of cybercriminals may be evaluated during the research stage of the cyberattack kill chain — where they investigate and recon potential entry points, collecting data about the company, users, and technology systems in place.

In this post, we are going to discuss IoAs in detail. We will use several examples to illustrate the importance of understanding IoAs and how IoAs differ from traditional security measures. Ultimately, IoAs will help detect potential threats early in the cyberattack kill chain.

What are indicators of attack (IoAs)?

Indicators of attack are not so much a static description of the attacker. It's better to think of IoAs as a dynamic profile of how an attacker interacts with your technologies and users, and that is constantly changing.

As an example, consider a bank’s security approach.

Let’s say the bank’s security scans for customers match the description of robbers involved in a string of prior robberies in the area, as alerted by the local authorities. Security only acts on visitors with a similar description, investigates their presence. Otherwise, security allows all other visitors inside, without hindrance.

This is similar to antivirus solutions using known virus signatures to determine if a computing interaction suggests virus installation or malware delivery across the network. However, if the adversary exploits a zero-day vulnerability and develops a new virus to infiltrate the system, traditional signature-based network security tools will fail to defend against the attack.

In our bank analogy, if a thief were to adopt a new method of entering the bank, security would be less likely to notice their entry. This occurs because traditional security measures typically focus on detecting known threats. They block malicious activities based on static indicators like signatures and rules.

And that's exactly why IoAs are important for addressing threat campaigns. These campaigns involve a coordinated series of attack techniques aimed toward a common goal.

Common types of IoAs

Evidence of malicious intent can come in many forms. Here are just a few potential IoAs:

• External server requests can indicate an attempt to exfiltrate data to an external server. These servers may be approved, but a compromised network endpoint can be modified. This modification can mask the final destination of server requests originating externally.
• Persistent internal server requests. An advanced persistent threat (APT) may occur internally following a successful delivery of a malicious payload. These requests are aimed at spreading the attack laterally within the network. Investigate them using using endpoint detection and response (EDR) solutions or more sophisticated extended detection and response (XDR) solutions.
• Honeypot captures. Set up a honeypot mechanism to attract interest from adversaries. However, beware the fine line between authorized and legal use of honeypots for consumer-facing systems, considering the applicable user privacy and security laws.
• Masked downloads. Malware can disguise itself by renaming legitimate files, like Powershell.exe. This helps it evade detection by monitoring tools.
• DDoS and MITM Attacks. Any anomalous increase in traffic or redirect through unrecognized external servers can be an indication of a cyberattack that’s about to happen.

The importance of IoAs 

The goal of studying IoAs is to understand the intent of a malicious user accessing the information and network resources of the organization, even before any malicious payload is delivered.

It is only when evaluating indicators of attack in the big picture, that security teams can identify patterns of behavior that may indicate adversarial intent. Rather than limiting security to searching for a series of stringent profiles, security teams can analyze threat indicators in real time. This approach is effective because indicators of attack are dynamic and unpredictable.

Additionally, since indicators of attack focus on interactions with your network, actions performed early in the cyberattack kill chain may not be considered harmful. For example:

• A cybercriminal may be impersonating a legitimate user, perhaps by having stolen an employee's credentials or access rights.
• An internal user may been the victim of a spear phishing attack.
• An attacker may have installed malware on the systems that transfer sensitive user data to an external command and control server.

To understand the context of a computing interaction between servers, tools, and users, we need to analyze the end-to-end process. 

Transferring sensitive data to a third-party preprocessing tool may be standard practice. However, it's certainly possible that a user unknowingly installs a malware payload from a spear phishing attack. In this instance, the malware then...

1. Masks the IP address of the command-and-control center, which is the intended destination of the exfiltrated data
2. Instead spoofs the IP to match an approved end-point location.

If network logs were analyzed individually across that journey, it is likely that either:

• All requests complied with the policies embedded into the firewalls at every node.
• Or some unpatched vulnerability prevented a control action against unauthorized data transfers.

Indicators of Attacks vs. Indicators of Compromise (IoCs)

Indicators of Attack are different from Indicators of Compromise (IoC). Both IoAs and IoCs are important to detect and minimize threats.

Where IoCs describe evidence of compromised network security, IoAs focus on user intent based on pre-attack network interactions. It evaluates behavior leading up to an attack. Attackers may perform seemingly authorized actions but left unchecked, victims may be met with an unwelcome surprise.

• IoCs are specific data or artifacts that signal a potential breach in your system. IoCs may be IP addresses, domain names, or malware signatures. However, they often lead to false positives because of overlapping characteristics with legitimate activities or changes in benign systems.
• IoAs work as a real-time recorder by identifying the techniques, tactics, and procedures (TTPs) during an attack. You may say it more accurately detect threats by emphasizing on the context instead of static indicators.

Role of threat feeds in IoCs

"Threat intel" or threat intelligence feeds make it easy to action on IoCs. Threat intel aggregate IoCs from many sources, providing real-time data on potential threats. By merging threat feeds into security solutions, companies can proactively monitor the system for anomalies based on known IoCs. Thus, security teams can quickly respond to new threats.  

How third-party research contributes to the discovery of IoCs

Apart from threat feeds, third-party research helps in IoC identification by analyzing the tools and techniques of threat actors. Third-party research contributes to improving detection capabilities by enriching threat feeds.

Although IoCs provide valuable data points, if organizations focus on IoAs, they can understand attack patterns. Thus, enabling a more context-driven and proactive approach to threat detection.

The role of AI in enhacing IoAs 

Artificial intelligence has an important role to play in enhancing IoAs: AI can enable dynamic and sophisticated threat detection.

How? In real-time, AI algorithms can analyze huge amounts of data and identify anomalies or patterns that may indicate malicious activities. Plus, by using machine learning, AI systems improve their threat detection capabilities and prevent attacks before they actually occur.

Benefits of AI-powered IoAs

• Contextual awareness enhancement: AI tools will provide a deep insight into the behavior of users. Thus, helping to differentiate between potential attacks and legitimate activities.
• Predictive insights: Machine learning models can analyze historical data and predict potential attack vectors. Thereby, helping companies to strengthen their defenses.
• Real-time analysis: AI-powered tools can analyze and process interactions across the network quickly, helping security teams respond promptly to potential attacks.
• Reducing false positives: Since AI-powered tools can understand the behavior of a normal user, they can minimize false alarms. Thus, security teams can focus only on actual threats.

Overall, AI will empower your company to stay ahead of regularly evolving threats by enhancing your IoA detection capability.

How to use IoAs for modern cybersecurity

Now, consider a cyber threat detection system that takes a comprehensive and holistic approach to analyzing user behavior and computing interactions.

If we look at our previous cyberattack incident, a spear phishing attack likely left indications of malicious browser redirects. It also showed malware installation attempts. Additionally, the network sees a high number of data access and transfer requests by the same user. This user may be authorized, yet does not regularly work with the targeted data assets. Although data transfer to a third-party tool may be authorized, it is not common practice. Consequently, continuously pinging internal servers for external data transfer requests is unusual.

This is possibly an indication of compromised login credentials, and it can be verified by further investigating the login attempts and recent activities by the same user.

Looking at all of this information together provides exactly the right context for automated tools alongside human security professionals to power modern SOCs.