Indicators of Attack (IOAs) are designed to identify an attacker’s intent, regardless of the malware or exploit utilized in the attack. An IOC-based detection technique like AV signatures cannot identify the growing dangers of malware-free incursions and zero-day vulnerabilities.

What is a Compromise Indicator (IOC)?

In the forensics arena, an Indicator of Compromise (IOC) is commonly defined as evidence on a computer suggesting that the network’s security has been compromised. Investigators often collect this data after regularly being notified of a suspicious activity or when unexpected network call-outs are discovered. Ideally, this data is collected in order to develop “smarter” systems that can recognize and quarantine dangerous files in the future.

Indicator of Attack
Indicator of Attack
The IoC Pyramid of Pain

Attack Indicator – Physical World

One method to concentrate our discussion on Indicators of Attack (IOAs) is to present an example of how a criminal would plan and carry out a physical bank robbery.

A savvy burglar would begin by “casing” the bank, doing reconnaissance, and learning about any defensive flaws. He enters the bank after determining the ideal moment and methods to strike. The thief disables the security system before approaching the vault and attempting to break the combination. If he succeeds, he takes the loot, flees in peace, and completes the task. IOAs are a set of behaviours that a bank robber must display in order to succeed. Before accessing the vault, he must drive around the bank (identifying the target), park, and enter the building. It will sound an alert if he does not disarm the security system before entering the vault and taking the money.

Of course, behaviours such as driving around the bank, parking, and entering the bank do not suggest an impending assault. Furthermore, accessing a bank vault and removing cash is not always an IOA… if the individual has access to the vault. IOAs are triggered by specific combinations of activity.

Indicator of Attack – Cyber World

Consider an example from the cyber realm. An IOA is a set of acts that an opponent must make in order to succeed. We can demonstrate this notion by dissecting the most prevalent and successful method of determining adversaries, the spear phish.

To be effective, a phishing email must persuade the recipient to click on a link or open an attached document that would infect the system. Once the system has been infiltrated, the attacker will silently launch another process and retain persistence between system reboots. The next step is to contact a command and control station and alert his handlers that he is waiting for further orders.

IOAs are concerned with the execution of these stages, the adversary’s purpose, and the consequences he seeks. IOAs are not concerned with the precise means someone employs to achieve his goals.

We can discover how an actor successfully acquires network access and infer purpose by monitoring these execution sites, accumulating indicators, and consuming them using a Stateful Execution Inspection Engine. There is no need for prior knowledge of the tools or viruses (also known as Indicators of Compromise).

Using an Indicator of Attack to compare to an IOC.

Consider the bank robber instance again. What if we were only searching for IOCs? CCTV footage from a prior heist allowed us to identify the bank robber as driving a purple van, wearing a Baltimore Ravens cap and breaking into the vault with a drill and liquid nitrogen. Though we strive to follow and study these distinguishing qualities, his modus operandi (MO), what happens when the same man instead drives a red automobile, wears a cowboy hat, and opens the vault with a crowbar? The end result? Because we, the monitoring team, relied on clues that showed an outdated profile, the thief was successful once more (IOCs).

Remember that an IOA represents a set of steps that an actor/robber must take in order to be successful: enter the bank, deactivate the alarm systems, enter the vault, and so on.

Indicator of Attack are Real-time Recorders.

The capacity to gather and evaluate precisely what is happening on the network in real time is a byproduct of the IOA strategy. Observing the actions as they occur is like watching a video camera and accessing a flight data recorder in your surroundings.

In the real world, when a detective arrives at a crime scene with a gun, a body, and some blood, they usually ask if anyone has footage of what happened. The blood, corpse, and pistol are point-in-time artifacts that must be painstakingly rebuilt. In a nutshell, IOAs supply content for video logs.

The power of an IOA in the Cyber world is to show you how an adversary sneaked into your environment, accessed files, leaked passwords, moved laterally, and finally exfiltrated your data.

Chinese Actor as an IOA Real-World Example

The following sample action, attributable to a Chinese actor, was documented by an Intelligence Team. The following example shows how one adversary’s activities evaded even endpoint defences.

  • This enemy employs the following strategies:
  • Malware in memory never writes to disk.
  • Windows PowerShell with command line code is a well-known and respectable IT tool.
  • Cleans up after itself, leaving no trace.
  • Let’s look at the difficulties that other endpoint solutions face with this tradecraft:
Indicator of Attack
Indicator of Attack
Difference between IoA & IoC

Anti-Virus – Because the virus is never copied to disk, most AV systems configured for on-demand scanning will not be notified. On-demand scanning is only activated when a file is written or accessed. Furthermore, owing to the performance impact on the end user, most proactive businesses only do a thorough scan once a week. If defenders were running this full scan and the AV vendor could scan memory with an updated signature, an alert of this behaviour may be generated.

AV 2.0 solutions employ machine learning and other ways to assess if a file is suitable or dangerous. PowerShell is a genuine Windows system management tool that has not been discovered as malicious (and should not be). As a result, these solutions will not warn clients about this conduct.

Whitelisting – Because Powershell.exe is a well-known IT application, it would be permitted to run in most situations, eluding any whitelisting solutions that may be in place.

IOC Scanning Solutions – Since this attacker never writes to disk and always cleans up after themselves, what would we look for? IOCs are known artifacts, and there are no other artifacts to uncover in this situation. Furthermore, most forensic-driven solutions need periodic “sweeps” of the targeted systems, and if an adversary can operate between sweeps, he will go unnoticed.

Rhyno Cybersecurity can discover who the adversary is, what they are attempting to access, and why by concentrating on targeted attackers’ strategies, techniques, and processes. By the time you notice Indicators of Compromise, your business has likely already been compromised, necessitating an expensive incident response effort to repair the damage.

By capturing and accumulating attack indications and consuming them through a Stateful Execution Inspection Engine, you empower your team to see and respond in real-time. Accessing your network flight recorder avoids time-consuming chores connected with “fitting the pieces together” after the event. Giving first responders the tools they need to recreate a crime scene is a cost-effective and proactive method of dealing with sophisticated, persistent threats.

Sharing is Caring!

You are welcome to put this blog article on your website, provided you also append an active link to our website “Source: https://resources.rhyno.io”

For media enquiries, contact us at [email protected].


Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center