What are Indicators of Attack?
In cybersecurity, Indicators of Attack (IoAs) are the signs or pieces of evidence that indicate an attacker is actively attempting to compromise a system or network. They focus on the attacker’s intent and actions, rather than the specific tools or malware they might be using. This approach helps security professionals identify and mitigate threats before they can cause significant damage.
Common indicators of attack to watch out for:
1. Suspicious network traffic
- Communication with known malicious or unusual external destinations: Attackers often use command-and-control servers located outside the organization’s network to control compromised systems or exfiltrate data.
- Lateral movement within the network: Attackers often try to move from a compromised system to other systems within the network to gain further access or locate valuable data. Look for unusual communications or data transfers between internal hosts.
- Sudden spikes in traffic: Unusual network activity—especially to ports not typically used by legitimate applications—or other unusual, unauthorized outbound communications may be an indicator of malware presence.
2. Unusual login activity
- Multiple failed login attempts: This can be a sign of a brute force attack, in which an attacker systematically tries different passwords to gain access to an account; repeated failures from unknown locations or at unusual login times are especially suspicious. Portnox can help detect and alert on such failed login attempts, enabling security teams to investigate potential credential compromise attempts.
- Login attempts from unusual locations or at odd hours: If a user account suddenly shows logins from a country they don’t usually work from, or at a time outside their typical working hours, it could indicate stolen credentials or a compromised account.
3. Command execution
- Running unusual scripts, commands, or processes: Attackers might try to execute malicious scripts or commands to install malware, disable security features, or gain control of a system.
4. Anomalous file activity
- Unauthorized access to files: Accessing files that are not typically part of a user’s job role or responsibilities can be a sign of an attack.
- Mass file downloads: Large amounts of data being downloaded, especially from sensitive areas, could indicate data exfiltration efforts.
- Abnormal file modifications: Unexpected changes to system files or registry keys can be caused by malware or attackers trying to cover their tracks.
5. Privilege escalation attempts
- Attempts to gain higher-level access: Attackers often try to escalate their privileges within a system to gain more control and access sensitive information.
6. Malware reinfection
- Repeated reinfection of a system shortly after malware removal: This could indicate an advanced persistent threat (APT) that is constantly trying to regain access to the network.
7. Phishing campaigns
- Increased number of suspicious emails with malicious links or attachments: Phishing is a common attack vector used to steal credentials or install malware.
Note that IOAs detect attacks before damage is done, while Indicators of Compromise (IoCs) show evidence of a breach, signaling that an attack has already occurred and your network has already been compromised.
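As an added example (not code from the page or from Portnox), the following detector turns the "unusual login activity" indicators above into checks that run over a few constructed authentication log lines: a burst of failures from one source inside a short window (brute force), a successful login from a country outside the user's baseline, and a login outside the user's usual hours. The log format, the per-user baseline, the threshold of 5 failures in 5 minutes and the sample IP addresses are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log lines (not from any real system).
SAMPLE_LOG = """\
2024-05-01T09:02:11Z user=alice src=198.51.100.7 geo=US result=OK
2024-05-01T09:05:40Z user=bob src=203.0.113.5 geo=US result=FAIL
2024-05-01T09:05:41Z user=bob src=203.0.113.5 geo=US result=FAIL
2024-05-01T09:05:42Z user=bob src=203.0.113.5 geo=US result=FAIL
2024-05-01T09:05:43Z user=bob src=203.0.113.5 geo=US result=FAIL
2024-05-01T09:05:44Z user=bob src=203.0.113.5 geo=US result=FAIL
2024-05-01T09:05:50Z user=bob src=203.0.113.5 geo=US result=OK
2024-05-02T03:14:09Z user=alice src=192.0.2.44 geo=RU result=OK
"""

# Hypothetical per-user baseline: countries and working hours (UTC) seen historically.
BASELINE = {
    "alice": {"geo": {"US"}, "hours": range(8, 19)},
    "bob": {"geo": {"US"}, "hours": range(8, 19)},
}
FAIL_THRESHOLD = 5                  # this many failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)  # ... inside this window counts as brute force

def parse(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts, *kv = line.split()
    ev = dict(p.split("=", 1) for p in kv)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_login_ioas(log_text):
    """Return (indicator, user, src, ts) tuples for the three login IoAs, in log order."""
    alerts = []
    fails = defaultdict(deque)   # src -> timestamps of recent failures (sliding window)
    for line in log_text.splitlines():
        ev = parse(line)
        user, src, ts = ev["user"], ev["src"], ev["ts"]
        if ev["result"] == "FAIL":
            q = fails[src]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()            # drop failures that aged out of the window
            if len(q) == FAIL_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(("brute_force", user, src, ts))
            continue
        base = BASELINE.get(user)
        if base is None:
            continue                   # no baseline yet: nothing to compare against
        if ev["geo"] not in base["geo"]:
            alerts.append(("unusual_location", user, src, ts))
        if ts.hour not in base["hours"]:
            alerts.append(("odd_hours", user, src, ts))
    return alerts
```

Running `detect_login_ioas(SAMPLE_LOG)` yields one brute-force alert for bob's source address and two alerts (unusual location and odd hours) for alice's 03:14 login from RU.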
How do IOAs detect threats?
Indicators of Attack (IOAs) detect threats in real-time, or nearly real-time, by identifying the behaviors and tactics attackers use—before or as an attack unfolds. Unlike IOCs (Indicators of Compromise), which spot evidence after a breach, IOAs are proactive: they monitor for malicious intent as it happens.
Here’s how they work:
1. They Monitor Behavior, Not Just Signatures
Traditional antivirus looks for known malware files (signatures), but IOAs detect how an attacker behaves, even if the specific malware is unknown.
Examples of behaviors that IOAs detect:
- PowerShell or scripting abuse (e.g., disabling antivirus)
- Unusual privilege escalation attempts
- Lateral movement across internal systems
- Credential dumping or token theft
- Suspicious process chaining (e.g., Word spawning cmd.exe)
2. They Use Telemetry from Endpoints, Networks, and Cloud Services
Real-time IOA detection requires constant data flow from:
- Endpoints (via EDR agents like CrowdStrike, SentinelOne, Defender)
- Networks (via NDR tools and zero trust NAC)
- Cloud services (via API telemetry from platforms like Microsoft 365, AWS, Okta)
This telemetry includes:
- Process creation logs
- API calls and identity behavior
- Device posture and location changes
- Application usage patterns
3. They Apply Contextual Analytics & Correlation
Raw behavior isn’t enough. IOA systems correlate signals across users, devices, and sessions to distinguish normal from abnormal.
Example:
- A single PowerShell command may be normal, but that same command after a login from a new device could be flagged as malicious.
This correlation is often powered by:
- Tactics, Techniques, Procedures (TTP)-based detection rules (e.g., MITRE ATT&CK framework)
4. They Trigger Automated Responses
Once suspicious activity is detected, IOA-enabled systems can respond instantly by:
- Isolating the device from the network
- Revoking session tokens
- Triggering step-up authentication
This ability to interrupt an attack in progress is the true value of IOAs.
IOAs detect threats in real time by watching for how attackers operate—not what they use. This makes them ideal for stopping new, evasive, or fileless attacks that traditional tools might miss.
How do I implement IOAs into my network security?
Implementing Indicators of Attack (IOAs) into your network security strategy means shifting your defenses from reactive (based on known threats) to proactive and behavior-driven. Below is a step-by-step guide tailored for IT teams and CISOs — especially within zero trust or modern hybrid environments.
1. Deploy Behavior-Based Detection Tools
IOAs rely on detecting attacker behavior, not just matching known signatures.
Recommended Solutions:
- Endpoint Detection & Response (EDR) — e.g., SentinelOne, CrowdStrike, Microsoft Defender for Endpoint
- Network Detection & Response (NDR) — e.g., Darktrace, ExtraHop
- User and Entity Behavior Analytics (UEBA) — often included in SIEM/XDR platforms
- Next-Gen NAC & ZTNA — e.g., Portnox Cloud, for posture-aware access decisions
Why: These tools analyze user, device, and network behavior to detect anomalies like credential dumping, lateral movement, or unusual process execution.
2. Integrate Real-Time Telemetry Across Security Layers
Connect identity, device, network, and cloud logs into a central platform (usually a SIEM or XDR).
Key Data Sources to Feed:
- EDR/AV logs
- NAC/ZTNA posture data
- Identity logs (Microsoft Entra ID, Okta, etc.)
- Firewall and DNS traffic
- Cloud activity (e.g., AWS CloudTrail, O365 logs)
Why: IOAs often emerge through correlation — e.g., a login from an unusual location followed by PowerShell use and privilege escalation.
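The correlation point made here, and in the "Contextual Analytics & Correlation" section above (a lone PowerShell command is normal, the same command right after a login from a new place is not), as an added example that is not code from the page or from Portnox: a per-user state machine walks an ordered chain of login from a new location, PowerShell execution and privilege escalation, labelled with MITRE ATT&CK tactic names, and only alerts when the whole chain completes within a window. The normalized event format, the 30-minute window and the sample users are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Ordered attack chain from the text; the third field is the MITRE ATT&CK tactic name.
CHAIN = [
    ("login", "new_location", "Initial Access"),
    ("process", "powershell", "Execution"),
    ("privilege", "escalation", "Privilege Escalation"),
]
WINDOW = timedelta(minutes=30)   # assumed: the whole chain must complete inside this window

# Constructed telemetry (identity + EDR), already normalized; not real logs.
EVENTS = [
    {"ts": "2024-05-02T03:14:09Z", "user": "alice", "kind": "login", "detail": "new_location"},
    {"ts": "2024-05-02T03:16:30Z", "user": "carol", "kind": "process", "detail": "powershell"},
    {"ts": "2024-05-02T03:17:02Z", "user": "alice", "kind": "process", "detail": "powershell"},
    {"ts": "2024-05-02T03:21:45Z", "user": "alice", "kind": "privilege", "detail": "escalation"},
    {"ts": "2024-05-02T10:00:00Z", "user": "dave", "kind": "login", "detail": "new_location"},
    {"ts": "2024-05-02T11:30:00Z", "user": "dave", "kind": "process", "detail": "powershell"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _fresh():
    return {"stage": 0, "start": None, "trail": []}

def correlate(events):
    """Track each user's progress through CHAIN; return one alert per completed chain.

    An event only advances a user's chain if it is the next expected stage and falls
    inside WINDOW of that chain's first event; an expired chain restarts from scratch,
    so carol's lone PowerShell event and dave's slow sequence produce no alert.
    """
    state, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as strings
        user, ts = ev["user"], _ts(ev["ts"])
        st = state.get(user, _fresh())
        if st["start"] is not None and ts - st["start"] > WINDOW:
            st = _fresh()                              # window expired: start over
        kind, detail, tactic = CHAIN[st["stage"]]
        if ev["kind"] == kind and ev["detail"] == detail:
            st["start"] = st["start"] or ts
            st["trail"].append((tactic, ev["ts"]))
            st["stage"] += 1
            if st["stage"] == len(CHAIN):
                alerts.append({"user": user, "trail": st["trail"]})
                st = _fresh()
        state[user] = st
    return alerts
```

The returned trail lists the tactic and timestamp of each stage, which is the "full context" an automated response should carry along with the alert.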
3. Define IOA Detection Rules and Use Threat Frameworks
Leverage frameworks like MITRE ATT&CK to define attacker behavior patterns and model likely tactics.
Actions:
- Use built-in IOA rules in EDR platforms
- Customize detection logic in SIEM/XDR based on common attack chains
- Simulate common IOAs (e.g., password spraying, token theft) in your environment
Why: MITRE-aligned detection improves visibility into attacker goals, not just tools.
4. Automate Responses to IOAs
Once IOAs are detected, automate containment to reduce response time.
Common Automated Actions:
- Quarantine device via NAC or EDR
- Re-authenticate user or revoke session tokens
- Isolate access to sensitive apps
- Trigger alerts with full context
Why: Speed is critical — the goal is to block or limit lateral movement and escalation before exfiltration or persistence.
5. Test and Validate Your IOA Coverage
Run simulated attacks to see if IOAs are detected and if responses are triggered.
Tools:
- MITRE CALDERA
- Red Canary Atomic Red Team
- Commercial breach and attack simulation platforms
Why: Validates that your rules, integrations, and response playbooks work in real-world conditions.
6. Continuously Improve Based on Threat Intelligence and Incidents
Even though IOAs focus on behavior, IOC feeds and TTP reports can help refine them.
- Update detection rules based on recent adversary behavior
- Track attacker techniques from real-world breach reports
- Use machine learning (in tools like UEBA or XDR) to adapt over time
Why: Attackers evolve — your IOAs should too.
How are IOAs used in zero trust security?
While IOAs and IOCs are conceptually the same across all environments, how they’re used and prioritized differs significantly in a zero trust environment compared to traditional perimeter-based security models.
In Traditional (Perimeter-Based) Security Environments
Focus is on IOCs
- Systems often rely on signatures and blacklists (e.g., known IPs, malware hashes).
- Detection happens after the threat has entered the network.
- IOAs may be underutilized due to lack of behavioral analytics or real-time enforcement.
Limitation: Attackers can move laterally or escalate privileges before detection occurs, because trust is often implicit once inside the perimeter.
In Zero Trust Environments
Priority shifts to IOAs
- Zero trust assumes compromise is possible at any moment.
- Continuous evaluation of user behavior and device posture is core to the model.
- IOAs are used to detect intent and trigger immediate enforcement (e.g., quarantine, re-auth, access revocation).
IOCs still play a role, but mainly in:
- Retrospective investigation
- Threat intelligence feeds
- Automated blocking of known bad actors
How IOAs and IOCs Work Together in Zero Trust Environments
| Role | IOAs (Behavior) | IOCs (Evidence) |
|---|---|---|
| Use in Zero Trust | Real-time access control, enforcement | Post-event analysis, rule updates |
| Detection Timing | Before or during the attack | After the compromise |
| Integration Points | NAC, ZTNA, EDR, UEBA | SIEM, threat intel feeds, email gateways |
| Typical Response | Block, re-auth, isolate, alert | Hunt, contain, patch, update detections |
Summary
In a zero trust environment, IOAs take center stage — enabling real-time decisions and continuous enforcement. IOCs are still valuable, but they play a supporting role for investigation, threat intel, and long-term defense.
Whether you implement IOA capabilities in a cloud-based or on-premises environment makes a significant difference, and your decision should depend on your organization’s architecture, agility needs, and security goals. That said, for most mid-market and modern enterprises, a cloud-native or hybrid model is ideal — especially when implementing IOAs in support of zero trust.