Zac Amos September 30, 2024
Collected at: https://datafloq.com/read/implement-ai-to-detect-indicators-of-attack-ioas/
You must catch attacks early to defend against cybercrime effectively. That’s often easier said than done, but indicators of attack (IOAs) make it possible.
IOAs let security teams identify and stop attacks before they cause damage. Now that artificial intelligence (AI) is improving efficiency across many applications, businesses can use it to detect these signals faster and more accurately.
What Are Indicators of Attack?
IOAs are evidence that someone is trying to execute an attack. They reveal the attacker’s intent, exposing what they’re attempting to do – not what they’ve already done or their specific techniques.
Cybercriminals typically must complete several steps to perform an attack successfully. They must investigate the target, deliver malicious code or exploit a vulnerability, use lateral movement to access more data, and take control of a system. If you can identify the intent to perform any of these early steps, you can stop attacks before losing anything.
IOAs don’t just reveal that an attack is taking place. They determine why something is happening, not how it is. That way, security teams can understand what the attacker may do next, leading to more effective fixes.
IOAs vs. IOCs
It’s important to distinguish IOAs from a similar but distinct concept – indicators of compromise (IOCs). An IOC is also evidence of an attack, but it focuses on the “what” and “how” of the event, not the “why.”
Whereas IOAs identify a potential threat by revealing attackers’ intent, IOCs show that an attack has already happened. Examples include malware signatures, suspicious activity from insider accounts, and sensitive data moving to locations it shouldn’t. They show a trail of damage, which can still help companies respond to an attack, but don’t provide the early warning IOAs do.
IOA Examples
Specific IOAs vary depending on the system and attack method, but some commonalities exist. Here are a few common IOA categories to watch out for.
1. Unusual Communications
Abnormal network communications are typically good indicators of a potential attack. Public servers communicating with internal hosts could indicate data exfiltration, the most common insider threat type. The same goes for internal hosts connecting to servers in countries you don’t do business in.
A spike in short-lived connections between different internal hosts could suggest lateral movement. Communications from ports your network normally doesn’t use are likely if someone is trying to get around your security system.
2. Login Abnormalities
Unusual login activity is another common kind of IOA, especially considering how prevalent account compromise attacks are. The most straightforward of these is multiple login attempts from one party in a short time frame, suggesting a breached account or credential stuffing.
Logins from numerous geographic locations are a similar IOA. One place likely represents the real, authorized user and the other is an attacker trying to use the same credentials. As email security threats become more common, these factors will become increasingly important to monitor.
3. Traffic Spikes
Atypical network traffic can also be an indicator of attack. While spikes aren’t always suspicious – employees logging in at once and seasonal traffic from consumers are common culprits – some signals warrant investigation.
A sudden surge in Simple Mail Transfer Protocol (SMTP) traffic could suggest email compromise. A spike from external servers could be a distributed denial-of-service (DDoS) attack. These have increased by almost 400% between the first and second quarters of 2023, so this is a big IOA to look for.
Why You Should Use AI to Detect IOAs
Detecting these indicators provides a crucial edge in cybersecurity. With the annual cost of cyberattacks expected to reach $10.5 trillion in 2025, organizations need all the advantages they can get. Because IOAs enable earlier, more targeted responses than IOCs, they let you resolve issues with less disruption. However, manual methods are often too slow or inaccurate to do so effectively. AI is a better alternative.
The world is short 3.4 million cybersecurity workers, so many organizations lack the staff to continuously monitor for IOAs manually. AI helps automate this task, letting understaffed IT departments focus on other issues. AI can also recognize signals faster than humans, enabling near-immediate detection and response.
AI IOA detection is also more reliable. Repetitive tasks are inherently prone to error when done manually, but AI delivers the same standard in every instance, virtually eliminating mistakes. That means fewer missed threats and false positives.
Best Practices for Detecting IOAs With AI
Like any other AI application, detecting IOAs with AI requires careful implementation. Here’s how you can realize this technology’s full potential.
1. Define Clear Use Cases and Goals
The first step to effective AI adoption is defining a clear use case. Be more specific than simply saying you’ll use AI to detect IOAs. Determine which types you’ll look for in which networks.
Similarly, you should outline clear goals for your IOA detection. That could mean identifying a certain number of IOAs, reducing false positives by a given amount, or lowering incident response costs. These targets will help you determine an ideal AI tool and measure its success.
The more specific you are in this outline, the better. Unrealistic expectations and failing to align use cases with AI’s capabilities are among the most common causes of failure in AI projects. Having a clear, realistic, and relevant strategy will prevent those outcomes.
2. Choose an AI Solution Carefully
Choose an appropriate AI solution once you have clear goals in mind. This decision starts with choosing between off-the-shelf products and developing your own AI application. The former is best if you lack in-house AI talent or sufficient data, while the latter may be better if you have particular needs.
There are almost always tradeoffs, so consider your most prominent threat types when choosing or training an AI model. If you experience account compromise attempts more than anything else, it should focus on detecting login-related IOAs.
Remember to consider budgetary constraints and ease of use, too. The easier it is to understand the AI’s IOA warnings, the more effective it will be.
3. Set and Monitor KPIs
Next, it’s time to set key performance indicators (KPIs) to monitor your AI’s success. These should align with your IOA detection goals. Possible IOA-related KPIs include the number of detections, false positives, and incident response times.
After deciding which KPIs are most relevant to your goals, measure them before implementing the AI solution. This will give you a baseline to compare your future performance against.
It’s important to keep measuring these KPIs over your AI implementation, not just once. While many AI models get more accurate over time, they can also get worse in some cases. Failing to recognize that trend early could lead to significant risks in a security context. Consequently, you should regularly monitor IOA-related KPIs to ensure everything’s working as intended.
4. Emphasize Communication
It’s easy to overlook the human side of security once you implement AI, but that’s a mistake. Automated IOA detection can improve your incident response, but it’s still up to humans to manage these alerts. Communication is key to that management.
Communicate with all team members about the new AI solution before implementing it to prepare them for the new workflow. Once it’s in place, encourage open communication between teams to identify potential problems with the system. These discussions will help refine the AI solution to achieve optimal results earlier.
This communication is particularly important when the AI detects an IOA. Create a specific protocol for sharing and responding to these alerts to enable quick, accurate responses.
5. Ensure Humans Have the Final Say
Finally, your security employees must verify all AI-recommended actions. AI still carries numerous concerns, so humans must always have the final say.
Whenever the model alerts employees about a potential IOA, security pros must review it to determine its validity. The next steps should also be up to these experts. AI can help by recommending relevant measures, but it shouldn’t take action on its own beyond isolating a potential threat and alerting employees.
Stop Attacks Before They Happen With AI
Indicators of attack are some of your greatest assets in minimizing cyberattack damage. To use that advantage to its fullest extent, you must employ AI.
AI IOA detection may not be perfect, but it’s far superior to manual alternatives. When you know what it can do and how to manage it effectively, you can use it to achieve new protection standards.
Leave a Reply