
What are Indicators of Attack (IOA) in Advanced EPDR/EDR?

Related Products_
  • Advanced EPDR
  • Advanced EDR
Introduction to IOA Concepts_

This section details the concepts that administrators need to know to understand the processes involved in the detection of IOAs, and in the execution of remedial actions (automatic and manual).

Event
An action executed by a process on a user’s computer and monitored by Advanced EPDR/EDR. Events are sent to the cloud in real time as part of the telemetry, where advanced automated analysis technologies, analysts, and threat hunters analyze them in context to determine whether they could be part of the CKC (Cyber Kill Chain) of a cyberattack.

Indicator
A sequence of unusual actions found in the events generated on customers’ computers, which could be part of an early-stage cyberattack.

Indicator of attack (IOA)
An indicator with a high probability of corresponding to a cyberattack, generally one in its early stages or in the exploitation phase. These attacks do not normally involve malware: adversaries tend to use the operating system’s own tools (living off the land) to carry out the attack and hide the traces of their activity, so they are recognized by the sequence of actions rather than by a malicious file. We recommend that you contain or remediate attacks as soon as possible.

To help manage IOAs, Advanced EPDR/EDR gives each one a status which can be manually edited by the administrator:

  • Pending: The IOA is pending investigation and/or resolution. The administrator must verify whether the attack is real and take the necessary measures to mitigate it. All new IOAs are created with the status ‘Pending’.
  • Archived: The IOA has already been investigated by the administrator and the remedial actions have been taken, or were unnecessary as it was a false positive. The administrator closes the IOA for any of these reasons.

Advanced EPDR/EDR shows relevant IOA information, such as the MITRE tactic and technique used, the events recorded on the computer that generated the IOA, and, if available, the following reports:

  • Advanced attack investigation: Includes information about the computer involved, a detailed description of the tactics and techniques used, recommendations to mitigate the attack, and the sequence of events that triggered the generation of the IOA.
  • Attack graph: Includes an interactive diagram with the sequence of events that led to the generation of the IOA.

NOTE: The reports remain available for one month after the IOA is generated; after that period they can no longer be accessed. A report shows the events that are part of the attack for the 30 days prior to the detection of the IOA.

Indicators of Attack_

Advanced indicators of attack provide in-depth monitoring of the applications on your computers. They enable you to detect suspicious behaviors, analyze the events generated by applications, and determine if an event is an IOA.

The mere presence of this type of indicator of attack does not mean that an attack is taking place. You must analyze the advanced indicator of attack to determine whether it is an attack or not.

Advanced EPDR/EDR shows relevant information about advanced IOAs, such as the MITRE tactics and techniques used, and the sequence of events logged on the computer that generated the IOA.

NOTE: Advanced indicators of attack are compatible only with Windows computers.

CKC (Cyber Kill Chain)
In 2011, Lockheed Martin published a framework, or model, for defending computer networks which states that cyberattacks unfold in phases and that each phase can be interrupted by specific controls. Since then, the Cyber Kill Chain (CKC) has been adopted by IT security organizations to define the phases of a cyberattack, from remote reconnaissance of the target’s assets to data exfiltration.

MITRE Corporation
A not-for-profit company that operates several federally-funded R&D centers dedicated to addressing security issues. It offers practical solutions in the fields of defense and intelligence, aviation, civil systems, national security, judiciary, health, and cybersecurity. It is the creator of the ATT&CK framework.

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)
A knowledge base developed by the MITRE Corporation to describe and categorize adversary behavior based on real-world observations. ATT&CK is a structured list of known attack behaviors categorized into tactics and techniques and presented as a matrix. Because this list is a comprehensive representation of the behaviors that adversaries use when they infiltrate networks, it is a useful resource for developing defensive, preventive, and remedial strategies. For more information about the ATT&CK framework, see https://attack.mitre.org/

Technique (‘How’)
In ATT&CK terminology, techniques represent the method (or strategy) that an adversary uses to achieve a tactical objective: the ‘how’. For example, to obtain credentials (the Credential Access tactic), an adversary dumps operating system credentials (the OS Credential Dumping technique).

Sub-Technique (‘How’)
In ATT&CK terminology, sub-techniques describe a more specific ‘how’ within a technique: the particular process or mechanism an adversary uses to achieve the objective of a tactic. For example, Password Spraying is a sub-technique of the Brute Force technique, and both serve the Credential Access tactic.

Tactic (‘Why’)
In ATT&CK terminology, tactics represent the ultimate motive or goal of a technique. It is the tactical objective of the adversary: the reason to take an action.
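To make the vocabulary above concrete (an event, an indicator, the escalation of an indicator to an IOA, its Pending/Archived status, and the ATT&CK tactic, technique and sub-technique that label it), here is an added example in Python. It is not Cytomic code and does not describe how Advanced EPDR/EDR analyzes telemetry internally: the event schema, the two-stage rule, the 10-minute correlation window and the sample events are constructed assumptions for the example. The ATT&CK names are the public ones (Execution / Command and Scripting Interpreter: PowerShell, T1059.001; Credential Access / OS Credential Dumping: LSASS Memory, T1003.001).

```python
"""Toy IOA correlation over constructed endpoint telemetry.

Added illustration, not Advanced EPDR/EDR code. The event schema, the rule,
the 10-minute window and the sample events are assumptions made for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)          # assumed correlation window
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass(frozen=True)
class Event:
    """One monitored action: a process created on a computer (the 'event')."""
    ts: datetime
    host: str
    parent: str      # image name of the parent process
    process: str     # image name of the created process
    cmdline: str


@dataclass
class Detection:
    """An indicator or IOA with its ATT&CK labels and administrative status."""
    host: str
    kind: str                  # "Indicator" (could be an attack) or "IOA" (high probability)
    tactic: str                # ATT&CK tactic: the 'why'
    technique: str             # ATT&CK technique: the 'how'
    sub_technique: str         # ATT&CK sub-technique: the more specific 'how'
    events: list = field(default_factory=list)
    status: str = "Pending"    # every new detection starts Pending
    archive_reason: str = ""


def is_office_powershell(e: Event) -> bool:
    """Stage 1: an Office application launches encoded PowerShell (T1059.001)."""
    tokens = e.cmdline.lower().split()
    return (e.parent.lower() in OFFICE and e.process.lower() == "powershell.exe"
            and any(t in ("-encodedcommand", "-enc", "-ec", "-e") for t in tokens))


def is_lsass_dump(e: Event) -> bool:
    """Stage 2: rundll32 invokes comsvcs.dll MiniDump to read LSASS memory (T1003.001)."""
    cmd = e.cmdline.lower()
    return e.process.lower() == "rundll32.exe" and "comsvcs.dll" in cmd and "minidump" in cmd


def correlate(events):
    """Correlate events per host in time order.

    Stage 1 alone becomes an Indicator (unusual, not yet confirmed). Stage 1
    followed by stage 2 on the same host within WINDOW escalates that Indicator
    to an IOA whose event list is the whole chain. A stage-2 event with no
    preceding stage 1 is recorded as its own Indicator.
    """
    by_host = {}
    for e in sorted(events, key=lambda x: x.ts):
        by_host.setdefault(e.host, []).append(e)

    detections = []
    for host, evs in by_host.items():
        open_stage1 = None
        for e in evs:
            if is_office_powershell(e):
                open_stage1 = Detection(host, "Indicator", "Execution",
                                        "Command and Scripting Interpreter", "PowerShell", [e])
                detections.append(open_stage1)
            elif is_lsass_dump(e):
                if open_stage1 and e.ts - open_stage1.events[0].ts <= WINDOW:
                    d = open_stage1
                    d.kind = "IOA"                  # high probability: execution -> credential theft
                    d.tactic = "Credential Access"
                    d.technique = "OS Credential Dumping"
                    d.sub_technique = "LSASS Memory"
                    d.events.append(e)
                    open_stage1 = None
                else:
                    detections.append(Detection(host, "Indicator", "Credential Access",
                                                "OS Credential Dumping", "LSASS Memory", [e]))
    return detections


def archive(d: Detection, reason: str) -> Detection:
    """The administrator closes a detection after remediation or as a false positive."""
    if reason not in ("remediated", "false_positive"):
        raise ValueError("reason must be 'remediated' or 'false_positive'")
    d.status = "Archived"
    d.archive_reason = reason
    return d


# Constructed sample telemetry (not real data): one full chain, one benign admin
# PowerShell launch, and one Office-spawned PowerShell with no follow-up.
T0 = datetime(2024, 3, 4, 9, 15)
SAMPLE = [
    Event(T0, "ws-finance-07", "winword.exe", "powershell.exe",
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    Event(T0 + timedelta(minutes=2), "ws-finance-07", "powershell.exe", "rundll32.exe",
          r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Users\Public\l.dmp full"),
    Event(T0, "ws-admin-02", "explorer.exe", "powershell.exe",
          r"powershell.exe -File C:\scripts\inventory.ps1"),
    Event(T0 + timedelta(minutes=5), "ws-hr-11", "excel.exe", "powershell.exe",
          "powershell.exe -EncodedCommand ZQBjAGgAbwAgAGgAaQA="),
]

if __name__ == "__main__":
    for d in correlate(SAMPLE):
        print(f"{d.host}: {d.kind} [{d.status}] {d.tactic} / {d.technique}: {d.sub_technique} "
              f"({len(d.events)} events)")
```

Running it yields one IOA on ws-finance-07 (two events, labelled with the final Credential Access stage) and one Indicator on ws-hr-11 (Office launched encoded PowerShell, but nothing followed), both Pending; the administrator's PowerShell on ws-admin-02 produces nothing. The point the code makes is the one the text makes: an indicator is a lead that still needs an analyst, and only the completed chain is reported with the confidence of an IOA.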

Managing Indicators of Attack_

By default, Advanced EPDR/EDR assigns an Indicators of attack (IOA) settings profile to all computers on the network, with all types of IOAs enabled. To disable the detection of a specific type of IOA, create a new settings profile and assign it to the relevant computers:

  1. Click the Settings menu at the top of the console. Click Indicators of attack (IOA) from the side menu.
  2. Click the Add button. The Add settings page opens.
  3. Select the IOAs that Advanced EPDR/EDR is to search for in the telemetry generated by the computers.
  4. Select the computers that you wish to receive the new settings profile and click OK.
Show all IOAs detected on a network_
  1. Click the Status menu at the top of the console.
  2. Click Indicators of attack (IOA) from the side menu.
  3. At the top of the page, select the time period to show.
  4. The Threat Hunting Service widget shows the events, indicators, and indicators of attack detected during that period.
  5. Click the Indicators of attack area. The Indicators of attack (IOA) list opens. This list shows all the IOAs detected during the selected period.

Each IOA shown in the Indicators of attack (IOA) list has a context menu with the options:

  • View the IOAs detected on this computer
    Shows the Indicators of attack (IOA) list filtered by the Computer field.
  • View the computers on which this IOA was detected
    Shows the Indicators of attack (IOA) list filtered by the Indicator of attack field.
  • Archive IOA
    When the event that triggered an IOA has been resolved, or when it has been found to be a false positive, the administrator can archive the IOA.