What are indicators of attack (IOAs)?

IOAs contrast with indicators of compromise (IOCs). IOCs show that attacks have occurred or are at an advanced stage. IOAs provide evidence of threats before they strike.

Why are indicators of attack important?

Companies must be aware of network attacks. However, the speed of threat detection is critically important. Delays in detecting attacks can enable malicious actors to extract data or implant advanced persistent threats.

IOAs help solve this increasingly urgent security problem. Security tools that scan for IOAs allow companies to identify threats early. Security teams can secure compromised accounts or devices. They can launch triage processes to analyze attack techniques and prevent damage or data loss.

Indicators of attack (IOAs) vs indicators of compromise (IOCs)

Before discussing IOAs in depth, it is important to clarify the distinction between indicators of attack and indicators of compromise. IOAs and IOCs are both categories of threat data and play crucial roles in detecting and containing security incidents. However, there are some fundamental differences.

Indicators of attack

IOAs proactively seek patterns of activity that correlate with the tactics, techniques, and procedures (TTPs) of known threat actors.

For example, extended detection and response tools may scan for unusual data transfer patterns, unusual login times or locations, or unauthorized privilege escalations. This evidence may not be concerning on its own. However, correlation with TTPs may indicate an active (and early-stage) attack.

Indicators of compromise

IOCs look for evidence that systems are already compromised. For example, incident response teams may discover evidence of unusual file alterations or deletions. They may find IP addresses linked to attack groups or malicious agents on network devices.

IOCs are reactive. They do not block cyber threats at an early stage. However, they provide essential forensic information to guide investigators as they determine the scope and roots of cyber-attacks.

Types of indicators of attack

What kind of evidence can we use to detect attacks before they compromise data and applications? Advanced cybersecurity tools leverage data types when assessing and detecting threats. Types of IOAs include:

• Privilege escalations - Attackers often seek to escalate their privileges to access data or more powerful user accounts. Network users should have a stable set of permissions, giving them access to the resources they need. When users need additional privileges, security teams permit or deny requests based on business needs. Attempts to bypass or compromise this approval process qualify as IOAs.
• Internal network access - Threat actors need ways to move laterally between internal hosts throughout the network. Authorization systems usually limit lateral movement based on business need. Attackers understand this, using techniques to cloak their internal movement. However, security systems can detect unusual patterns of behavior. For instance, attackers may access applications for the first time or route traffic through new devices. This behavior is a vital IOA as it uncovers covert activity that typically passes undetected.
• Login patterns - Logins occur at the network edge or portals to access valuable resources. Activity at these locations can expose attacks before they approach data or seed malware on network devices. Scanning tools look for logins from unknown and unapproved devices. They check login locations, times, and frequencies (many repeated logins could expose a brute force attack).
• Unauthorized data transfer - Attackers generally seek a payoff from their activity beyond disruption. This often takes the form of data exfiltration from internal hosts. Security systems scan for unusual traffic spikes to external servers or traffic involving malicious IP addresses. They can also identify access attempts to data that should be off-limits. All of these pieces of evidence qualify as valuable IOAs.
• Email-related indicators - Many cyber-attacks start with phishing emails. Security tools look for evidence of phishing, including suspicious sender addresses, unapproved attachments, or embedded links to potential attack sites.
• File executions - Legitimate users regularly execute files during working activities. However, cyber-attackers also implant and execute malicious software as part of data exfiltration and ransomware attacks. Security teams look for anomalous command executions or novel scripts introduced to internal hosts. Tools scan for unapproved configuration changes or departures from normal user activities. For example, general users rarely possess deep tech knowledge. Config changes by these users are inherently suspicious.

Remember: We do not analyze the indicators of attack listed above in isolation. Security teams correlate many data points to discover patterns of behavior. Done quickly, this pre-empts threat actors before they gain access to network assets.

Examples of indicators of attacks

Cybersecurity analysts use indicators of attacks to strategically and proactively identify and neutralize threats. Let's explore some use cases to show how this works in real-world network settings.

Blocking data exfiltration by detecting lateral movement

Scanning tools detect unusual login patterns from an employee account and link this to a known phishing scam. Soon after, anomalous shell commands from a non-admin user signal a likely privilege escalation, and several suspicious process executions.

In this case, security tools generate a high-level alert based on several correlated IOAs. Phishing indicators, login patterns, and unusual executions suggest that attackers are seeking lateral movement to access high-value data. Security officers can respond quickly to notify the user, lock the account, and track any further access attempts.

Connecting data transfers and advanced persistent threats

As in the previous example, attackers use social engineering techniques to compromise an account. Scanning tools detect a flagged IP address and unusual lateral movement linked to the compromised account.

In this case, attackers successfully implant an APT and start transferring data from the company to command and control servers. Security tools immediately flag these transfers as suspicious via an outbound traffic spike. Device profiling also detects connections to unknown devices and transfers outside normal login times.

Security teams use these IOAs to quarantine the affected server before attackers can escalate to other databases or devices. They notify the user and secure their account, and promptly launch response processes, including compliance notifications.

Understanding the relationship between AI and IOAs

Artificial intelligence (AI) and machine learning underpin modern cybersecurity solutions. AI is the primary reason we can analyze indicators of attack, instead of relying on reactive security measures.

AI makes it possible to apply real-time behavioral analysis to vast amounts of network and endpoint data. AI tools can compare network activity with baseline patterns and adapt these benchmarks according to user activity. They correlate disparate pieces of data, discovering connections that human analysts would struggle to make. Enhanced analytics cuts the rate of false positives, allowing analysts to focus on high-risk alerts.

Advanced AI and machine learning are also predictive. They anticipate the type of threats posed to network assets. Solutions leverage threat intelligence databases featuring attack vectors and zero-day exploits. Combining emerging intel with historical data allows threat detection tools to block many threats instantly.

How do IOAs enable proactive cybersecurity?

Effective cybersecurity strategies must be proactive. Scanning for malware signatures or detecting data breaches after the event is insufficient. With data security regulations tightening and cyber threats multiplying, companies must detect attacks as quickly as possible.

Security solutions based on IOAs enable this kind of proactive approach for several reasons.

Early detection through real-time analytics

IOAs provide evidence of attacks at the earliest moment possible. Organizations can identify ongoing attacks and respond rapidly. Security teams can often avoid critical data breaches and network damage without compromising availability and network performance.

Reactive tools are inevitably slower, but every second counts when you are protecting sensitive data or protected health information. Organizations that focus on IOAs also tend to avoid lengthy mitigation processes after the event. Containing damage leads to lower overall costs and less system downtime.

Enhanced visibility and knowledge about relevant cyber threats

IOAs improve an organization's ability to analyze and respond to critical threats. Security teams can use information about access attempts, data transfers, and movement patterns. This allows teams to strategically assess the scope and severity of alerts.

Strategic responses are more likely to neutralize and eradicate network threats. They also save time that analysts can spend on threat hunting, assessing threat intelligence feeds, or fine-tuning the organization's security posture.

Better risk assessment, compliance reporting, and security improvement

Understanding IOAs helps you prioritize critical risks. Security teams can develop an understanding of how threats operate and how to remediate network vulnerabilities. This knowledge feeds into more accurate compliance (by assessing risks related to regulatory goals). It also helps security teams identify new risks before attackers compromise sensitive data.

Adopt a proactive security model with indicators of attack (IOAs)

Gathering and analyzing IOAs is the key to proactive cybersecurity. IOAs reveal the methods and behaviors of attackers as they attempt to access critical resources. Modern AI techniques enable organizations to identify how attackers work and to plot their likely targets. Teams can also use IOAs to triage alerts and determine the correct response.

Proactive security techniques catch threats early. Unlike older models, IOA-based security does not wait for compromises and data breaches to occur. Security professionals can safeguard networks by outpacing adversaries and anticipating their methods.