Mitigating cyberattacks with IOAs and IOCs

Paper with Indicator of Attack (IOAs) and Indicator of Compromise (IOCs)

IOA and IOC – what’s the difference and why you should pay attention to them

Being able to mitigate cyberattacks is key to business success in today’s digital age. Indicator of Attack (IOAs) and Indicator of Compromise (IOCs) are two important parts of ensuring your network is safe and secure.  

IOAs demonstrate the intentions behind a cyberattack and the techniques used by malicious actors to accomplish their objectives. An IOC is the digital evidence provided that proves a cyber incident has taken place. This is conducted via intelligence gathering by security teams during scheduled security audits or in response to speculations of a network breach. 

Breaking down IOAs 

The cyber threats themselves like ransomware, malware, or advanced threats, don’t really come into play when analysing IOAs. The only thing that counts is the sequence of events that leads up to the deployment of a cyber threat. However, IOAs can be understood best in the context of a cyberattack, and in three stages:  

  1. Attacks usually start via a phishing campaign. By using the credentials inadvertently divulged by unsuspecting workers, hackers are able to breach an IT perimeter. 
  1. The cyberattacker will then be able to move through your network looking for privileged credentials to access sensitive data
  1. Finally, a data breach occurs once the credentials have been compromised. 

IOAs will reveal the motivations behind a cyberattacker, but the tools used to accomplish the attack are of little to no importance. IOAs focus on the whys behind a cyberattack stage, and the IOCs focus on the how. 

Indicators of Attack examples 

These IOA examples are based on the most frequent cybercriminal behaviour: 

  • Remote communications from criminal servers and data exfiltration occurs when public servers communicate with internal hosts. 
  • Connections via abnormal ports rather than ports 443 or 80. 
  • Inter-host communications with countries outside of business range. 
  • Inter-host communications within narrow timeframes.  
  • Many Honeytoken alerts from one host, especially if they occur during odd hours. 
  • Extreme SMTP traffic is usually a sign of a compromised system being used to launch DDoS attacks. 
  • Malware reinfection soon after removal could be a sign of an Advanced Persistent Threat.  
  • Logins from different regions could be a sign of stolen credentials.  

The difference between IOCs and IOAs 

Mitigating cyberattacks with IOAs, and IOCs is crucial but understanding the difference is equally as important. IOAs occur before a data breach while an IOC is the evidence provided that proves a cyberattack has taken place. The difference between the two is their position on the cyberattack timeline.  

IOCs are static while IOAs are dynamic 

The footprint of a cyberattack doesn’t change over time. C&C connections, Backdoors, IP addresses, hashes, event logs, and more always remain the same. They provide threat intelligence for security teams to defend against future cyberattacks. This is why IOC-based detection methods are static. 

On the other hand, IOA data is dynamic simply because cybercriminal activity is dynamic. Prior to a data breach, an attacker has to progress through a number of attack stages and navigate between various attack techniques. IOA detection methods are geared to pinpoint the 14 phases of cyberattack activity as it’s evolving. 

IOA data is monitored in real-time 

IOA data will change as an attacker progresses through the cyberattack lifecycle, underlining the need to ensure that data is monitored in real-time. IOA data indicates how a network was breached, the privileged credentials that were compromised, and the backdoors that were established. This information will help a security team intercept a cyberattack as it’s developing which will mitigate the overall risk to a company. IOAs support a proactive approach to cybersecurity while IOCs provide reactive forensic-driven responses. 

The weaknesses in IOC-based detection mechanisms 

There are several weaknesses, however. IOC-detection methods are not able to intercept cyber threats not characterised by static signatures. Cyber threats such as Zero-Day Exploits haven’t been assigned a signature so will pass through security controls programmed for signature detection. A good example of static-signature-based cybersecurity control is antivirus software. 

IOC-driven solutions have other limitations such as their predictable attack surface scanning schedules. Advanced Persistent Threats (APTs) are capable of pausing attacker activity during security scans then continuing them after each is finished. 

A combination of IOA and IOC driven strategies 

IOCs alone cannot help cybersecurity teams intercept cyberattack attempts. If either IOA or IOC strategies are implemented alone they will create deficiencies in cybersecurity programs. When combined, the strengths of one strategy compensates for the deficiencies of the other. The combination of IOAs and IOCs provides greater context for threat hunters, helping them understand the primary objectives of an attack so that the damage caused can be mitigated. 

Get in touch with RiskXchange to find out more about mitigating cyberattacks with IOAs and IOCs.