IOAs In Cyber Security

Shruti Patel
2 min read · Sep 8, 2020

An IOC gives us information about an attack that has already happened. So, what if we gather that information during the attack? This leads us to the concept of IOAs.

IOA stands for “Indicator of Attack”.

An Indicator of Attack is a collection of data sets that gives relevant information about a particular attack. IOAs help us understand the current situation and the events that are taking place in the moment. IOAs work to focus and drive defensive measures that lower risk.

IOAs focus on detecting, in real time, what the attacker is trying to accomplish, regardless of the exploit used in the attack. Zero-day exploits and malware-free attacks will not be detected using an IOC-based approach or antivirus signatures, so next-generation security solutions are moving towards an IOA-based approach.

Example:

Spear-phishing: a successful email must induce the target to click on a link or an attachment to infect the machine. After this, it may run the desired process and interact with a command and control site.

This sequence of events can be seen with the IOA-based approach without even knowing which tool or exploit was used.

Some other examples of IOAs are given below:

1. Internal hosts communicating with known bad destinations, or with destinations where the business does not operate.

2. Internal hosts communicating with external hosts using non-standard ports.

3. Publicly accessible servers or demilitarized zone (DMZ) hosts communicating with internal hosts.

4. Multiple alarm events from a single host.

5. A system getting reinfected with malware after it has been cleaned.

6. Multiple logins from different regions.
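To make the behavioural idea concrete, here is an added example (not code from the original post) that runs a few of the IOA rules above, plus the spear-phishing sequence, over constructed telemetry. The event fields, the address ranges and the set of "standard" ports are assumptions of this example; note that every rule names what the attacker is doing rather than a tool, hash or exploit.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not from the original post); field names and address ranges are assumptions.
EVENTS = [
    {"host": "ws-17", "type": "process", "parent": "outlook.exe", "image": "winword.exe"},
    {"host": "ws-17", "type": "process", "parent": "winword.exe", "image": "powershell.exe"},
    {"host": "ws-17", "type": "net", "image": "powershell.exe", "src": "10.0.5.17", "dst": "203.0.113.9", "dport": 4444},
    {"host": "dmz-web", "type": "net", "image": "httpd", "src": "192.168.100.5", "dst": "10.0.5.20", "dport": 445},
    {"host": "ws-22", "type": "login", "user": "alice", "region": "US"},
    {"host": "ws-22", "type": "login", "user": "alice", "region": "BR"},
    {"host": "ws-23", "type": "net", "image": "chrome.exe", "src": "10.0.5.23", "dst": "198.51.100.7", "dport": 443},
]

INTERNAL = ip_network("10.0.0.0/8")           # assumed corporate range
DMZ = ip_network("192.168.100.0/24")          # assumed DMZ range
STANDARD_PORTS = {25, 53, 80, 443}            # ports the business normally uses outbound
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

def descends_from_mail_client(parents, image, max_depth=8):
    """True if a mail client appears within `max_depth` ancestors of `image` in the recorded lineage."""
    for _ in range(max_depth):
        if image in MAIL_CLIENTS:
            return True
        image = parents.get(image)
    return False

def detect_ioas(events):
    """Return (rule, subject) pairs; each rule names a behaviour, not a tool, hash or exploit."""
    findings = []
    lineage = defaultdict(dict)   # host -> {child image: parent image}
    regions = defaultdict(set)    # user -> regions the user has logged in from
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            lineage[host][ev["image"]] = ev["parent"]
        elif ev["type"] == "net":
            src, dst = ip_address(ev["src"]), ip_address(ev["dst"])
            if src in INTERNAL and dst not in INTERNAL and ev["dport"] not in STANDARD_PORTS:
                findings.append(("internal->external non-standard port", host))
                # Spear-phishing sequence: mail client -> document -> script host -> outbound connection
                if descends_from_mail_client(lineage[host], ev["image"]):
                    findings.append(("mail-client descendant making outbound connection", host))
            if src in DMZ and dst in INTERNAL:
                findings.append(("dmz->internal connection", host))
        elif ev["type"] == "login":
            regions[ev["user"]].add(ev["region"])
            if len(regions[ev["user"]]) > 1:
                findings.append(("logins from multiple regions", ev["user"]))
    return findings
```

Running `detect_ioas(EVENTS)` flags the phishing chain on ws-17 twice (odd port, then the mail-client lineage), the DMZ-to-internal connection and alice's two-region logins, while ws-23's ordinary HTTPS traffic produces nothing.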
