05/31/2023 | News release | Distributed by Public on 05/31/2023 12:51
Indicators of attack (IoAs) refer to the series of behaviors that a cybercriminal exhibits prior to executing a cyberattack. The intent of cybercriminals may be evaluated during the research stage of the cyberattack kill chain - where they investigate potential entry points, and collect data about the company, users and technology systems in place.
Indicators of attack are not so much a static description of the attacker, but a dynamic profile of how an attacker interacts with your technologies and users.
As an example, consider a bank's security approach.
Let's say the bank's security scans for customers that match the description of robbers involved in a string of prior robberies in the area, as alerted by the local authorities. Security only acts on visitors with a similar description, investigates their presence, and allows all other visitors inside, without hindrance.
This is analogous to antivirus solutions using known virus signatures to determine if a computing interaction suggests virus installation or malware delivery across the network. However, if the adversary exploits a Zero-Day vulnerability and develops a new virus to infiltrate the system, traditional signature-based network security tools will fail to defend against the attack.
In our bank analogy, if a thief were to adopt a new method of entering the bank, security would be much less likely to notice their entry.
The goal of studying IoAs is to understand the intent of a malicious user accessing the information and network resources of the organization, even when a malicious payload is not yet delivered, and all computing interactions can be considered as legitimate and authorized.
It is only when evaluating indicators of attack in the big picture, that the patterns of data collection and attempts to access the network start resembling an adversary with malicious intent.
Rather than limiting security to searching for a series of stringent profiles, security teams can attempt to analyze threat indicators in real time. Indicators of attack are dynamic; they can be unpredictable in terms of how users exploit vulnerabilities.
Because indicators of attack are all about interactions with your network, it may be possible that the actions performed during the early stages of the cyberattack kill chain are not considered harmful.
To understand the context of a computing interaction between servers, tools, and users, we need to analyze the end-to-end process.
Transferring sensitive data to a third-party preprocessing tool may be standard practice, however, there may be an instance where the user unknowingly installs a malware payload from a spear phishing attack. In this instance, the malware then masks the IP address of the command-and-control center, which is the intended destination of the exfiltrated data, and instead spoofs the IP to match an approved end-point location.
If network logs were analyzed individually across that journey, it is likely that all requests were either in compliance with the policies embedded into the firewalls at every node, or some unpatched vulnerability prevented a control action against unauthorized data transfers.
Now, consider a cyber threat detection system that takes a comprehensive and holistic approach to analyzing user behavior and computing interactions.
If we look at our previous cyberattack incident, a spear phishing attack likely left indications of malicious browser redirects and malware installation attempts. The network sees a high number of data access and transfer requests by the same user, who may be authorized, but does not regularly work with the targeted data assets and network resources. Data transfer to a third-party tool may be authorized, but it may not be common practice to continuously ping internal servers for external data transfer requests.
This is possibly an indication of compromised login credentials, and it can be verified by further investigating the login attempts and recent activities by the same user.
Evidence of malicious intent can come in many forms, here are just a few potential IoAs:
Indicators of Attack are different from Indicators of Compromise (IoC), the latter describing evidence of compromised network security. The key difference between the two is that IoA only establishes the intent of a user based on their interactions with the network before an attack is executed. Attackers may perform seemingly authorized actions but left unchecked, victims may be met with an unwelcome surprise.
This posting does not necessarily represent Splunk's position, strategies or opinion.