What Are IOAs? Indicators of Attack Explained

Indicators of attack (IoAs) refer to the series of behaviors that a cybercriminal exhibits prior to executing a cyberattack. The intent of cybercriminals may be evaluated during the research stage of the cyberattack kill chain — where they investigate potential entry points, and collect data about the company, users and technology systems in place.

Indicators of attack are not so much a static description of the attacker, but a dynamic profile of how an attacker interacts with your technologies and users.

As an example, consider a bank’s security approach.

Let’s say the bank’s security scans for customers that match the description of robbers involved in a string of prior robberies in the area, as alerted by the local authorities. Security only acts on visitors with a similar description, investigates their presence, and allows all other visitors inside, without hindrance.

This is analogous to antivirus solutions using known virus signatures to determine if a computing interaction suggests virus installation or malware delivery across the network. However, if the adversary exploits a Zero-Day vulnerability and develops a new virus to infiltrate the system, traditional signature-based network security tools will fail to defend against the attack.

In our bank analogy, if a thief were to adopt a new method of entering the bank, security would be much less likely to notice their entry.

Examples of indicators of attack, and why they matter

The goal of studying IoAs is to understand the intent of a malicious user accessing the information and network resources of the organization, even when a malicious payload is not yet delivered, and all computing interactions can be considered as legitimate and authorized.

It is only when evaluating indicators of attack in the big picture, that the patterns of data collection and attempts to access the network start resembling an adversary with malicious intent.

Rather than limiting security to searching for a series of stringent profiles, security teams can attempt to analyze threat indicators in real time. Indicators of attack are dynamic; they can be unpredictable in terms of how users exploit vulnerabilities.

Because indicators of attack are all about interactions with your network, it may be possible that the actions performed during the early stages of the cyberattack kill chain are not considered harmful.

For example:

• A cybercriminal may be impersonating a legitimate external user by using a Man in the Middle (MiTM) attack,
• an internal user may have fallen prey to a spear phishing attack,
• or an attacker may have installed malware on the systems that transfer sensitive user data to an external command and control server.

To understand the context of a computing interaction between servers, tools, and users, we need to analyze the end-to-end process.

Transferring sensitive data to a third-party preprocessing tool may be standard practice, however, there may be an instance where the user unknowingly installs a malware payload from a spear phishing attack. In this instance, the malware then masks the IP address of the command-and-control center, which is the intended destination of the exfiltrated data, and instead spoofs the IP to match an approved end-point location.

If network logs were analyzed individually across that journey, it is likely that all requests were either in compliance with the policies embedded into the firewalls at every node, or some unpatched vulnerability prevented a control action against unauthorized data transfers.

Analyzing indicators of attack

Now, consider a cyber threat detection system that takes a comprehensive and holistic approach to analyzing user behavior and computing interactions.

If we look at our previous cyberattack incident, a spear phishing attack likely left indications of malicious browser redirects and malware installation attempts. The network sees a high number of data access and transfer requests by the same user, who may be authorized, but does not regularly work with the targeted data assets and network resources. Data transfer to a third-party tool may be authorized, but it may not be common practice to continuously ping internal servers for external data transfer requests.

This is possibly an indication of compromised login credentials, and it can be verified by further investigating the login attempts and recent activities by the same user.

Evidence of malicious intent can come in many forms, here are just a few potential IoAs:

• External Server Requests: Indicates an attempt to exfiltrate data to an external server. These servers may be approved, but a compromised network endpoint can be modified to mask the final destination of the server requests originating externally.
• Persistent Internal Server Requests: An Advanced Persistent Threat (APT) may occur internally following a successful delivery of a malicious payload. These requests are aimed at spreading the attack laterally within the network and can be investigated using Endpoint Detection and Response (EDR) solutions.
• Honeypot Alerts: Set up a honeypot mechanism to attract interest from adversaries. There may be a fine line between authorized and legal use of honeypots for consumer-facing systems, considering the applicable user privacy and security laws.
• Masked Downloads: A malware download, and installation, may be masked by renaming a legitimate Windows system framework such as Powershell.exe to hide from monitoring tools.
• DDoS and MiTM Attacks: Any anomalous increase in traffic or redirect through unrecognized external servers can be an indication of a cyberattack that’s about to happen.

Indicators of Attack are different from Indicators of Compromise (IoC), the latter describing evidence of compromised network security. The key difference between the two is that IoA only establishes the intent of a user based on their interactions with the network before an attack is executed. Attackers may perform seemingly authorized actions but left unchecked, victims may be met with an unwelcome surprise.