Posted on March 10, 2023
Insurance companies are bracing for the number of cyber attack insurance claims to double this year as unscrupulous threat actors look to take advantage of many businesses’ precarious financial situations.
Delivering round-the-clock protection in the face of ever-evolving cyber threats is difficult enough for SOC teams to manage, even at the best of times. But recent frightening reports on the state of cyber security worldwide from Microsoft and IBM should give every business owner pause for thought – especially if they operate with shrinking remote or hybrid working teams.
To put these cyber security dangers into perspective, Microsoft found that 921 password attacks occur every second. Furthermore, X-Force saw a 100% increase in thread hijacking attempts in one month in 2022. A thread hijacking attempt is one in which a cyber attacker uses stolen email information to impersonate a legitimate user and gain a foothold. Therefore, it’s no surprise that 83% of companies believe it is a question of ‘when’, not ‘if’, they will be targeted by cyber criminals.
In this high-threat cybersecurity landscape, deploying the right tools and expertise at the right time will help companies identify potential threats and take proactive steps to minimise their attack surfaces, even if their budgets have been squeezed in recent months.
In this article, we’ll explain how Atech’s informative one-to-one Defend Against Threats workshops help companies identify Indicators of Attack (IoA) and Indicators of Compromise (IoC) with Azure Sentinel SIEM and XDR.
What are Indicators of Attack (IoA) and Indicators of Compromise (IoC)?
Indicators of Attack (IoA) are threat signals that give away the malicious intent of a cyber criminal, regardless of the attack methods they use. For example, suppose a criminal was planning to rob a bank. In that case, an IoA might include them hanging around outside the building, examining the bank entrances and exit points.
In computing terms, an IoA might be network activity showing multiple password login attempts from different regions. This is a sign of unusual user behaviour, which could indicate that a cyber criminal is attempting to steal or has already stolen a user’s credentials.
In contrast, an Indicator of Compromise (IoC) refers to evidence of a cyber breach. Returning to the bank robber example, an IoC might be a broken window or a hole in the wall where an ATM used to be. In cybersecurity terms, an example of an IoC could be unusual privileged user behaviour, such as changing files or password information. These signals indicate that a hacker has entered an enterprise system and is now altering data to avoid detection, steal data, or sabotage networks.
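As an added example (not code from the original article), the following Python runs the sign-in scenario above over a few constructed log records: a burst of failed logins for one account from several regions is treated as the IoA, and a later successful sign-in from one of those regions as the IoC. In Sentinel this logic would live in a KQL analytics rule; the field names, time window and threshold here are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (timestamp, user, region, result);
# not taken from any real tenant.
SAMPLE_EVENTS = [
    ("2023-03-10T08:00:00", "alice", "GB", "fail"),
    ("2023-03-10T08:00:20", "alice", "BR", "fail"),
    ("2023-03-10T08:00:45", "alice", "VN", "fail"),
    ("2023-03-10T08:01:10", "alice", "VN", "success"),
    ("2023-03-10T08:05:00", "bob", "GB", "fail"),
    ("2023-03-10T08:06:00", "bob", "GB", "success"),
]


def parse(events):
    """Turn the raw tuples into (datetime, user, region, result)."""
    return [(datetime.fromisoformat(ts), user, region, result)
            for ts, user, region, result in events]


def find_ioa(events, window=timedelta(minutes=5), min_regions=2):
    """IoA: one account failing sign-in from several regions within `window`.
    Returns {user: set_of_regions} for every account over the threshold."""
    fails = defaultdict(list)
    for ts, user, region, result in parse(events):
        if result == "fail":
            fails[user].append((ts, region))
    flagged = {}
    for user, attempts in fails.items():
        attempts.sort()
        # Slide the window forward from each failure and count distinct regions.
        for i, (start, _) in enumerate(attempts):
            regions = {r for ts, r in attempts[i:] if ts - start <= window}
            if len(regions) >= min_regions:
                flagged[user] = regions
                break
    return flagged


def find_ioc(events, ioa):
    """IoC: a successful sign-in for a flagged account from a region seen in
    its failure burst, i.e. the credential has likely been compromised."""
    return {user for ts, user, region, result in parse(events)
            if result == "success" and user in ioa and region in ioa[user]}


if __name__ == "__main__":
    ioa = find_ioa(SAMPLE_EVENTS)
    print("IoA accounts:", ioa)
    print("IoC accounts:", find_ioc(SAMPLE_EVENTS, ioa))
```

Bob's single failure from his usual region followed by a success never trips either check, which is the false-alarm case the next section warns about.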
Why monitoring IoAs and IoCs alone is not enough to defend against threats
IoAs and IoCs are extremely valuable to cybersecurity analysts, but each has limitations when defending against cybercrime.
For example, an IoC is labelled ‘static’ because it provides no clues about the hacker’s next moves or motivations. They are simply events that have happened. In contrast, IoAs reveal ‘why’ an attack is happening and give SOC teams information on how to fortify their defences and contain the unusual behaviour – provided they catch them in time.
In addition, IoCs can also be false alarms: a privileged user may simply be changing file or database information by mistake, with no malicious intent towards the company.
Examining IoAs alone is also not enough to protect a system; the clues they reveal may be a red herring to forensic investigators too. Moreover, if IoAs are not tracked in real time, cybersecurity teams cannot stop the Cyber Kill Chain (CKC). The Cyber Kill Chain describes the various stages cyber criminals must complete for an infiltration to succeed. Stopping or containing criminal activity as soon as possible is vital, as attack methods are becoming faster and more sophisticated.
That’s why firms must invest in IoA and IoC monitoring to build the company’s overall threat intelligence and detection capabilities. Before criminals can invade systems, security teams must deploy technologies capable of proactively ‘hunting’ for IoAs and IoCs and closing loopholes (such as the vulnerabilities behind zero-day exploits).
Azure Sentinel and XDR: Effective tools for cyber defense
SIEM stands for Security Information and Event Management. It is a tool that gathers, aggregates, and stores event data from any source (including IoA and IoC). It uses heuristics or behavioural techniques to perform rule-based pattern recognition for threat detection. However, problems arise with the sheer volume of alerts it generates, often overwhelming security professionals with false alarms.
XDR stands for Extended Detection and Response and represents the next generation of SIEM. It uses targeted attack detection and mitigation techniques such as profiling and user behaviour analysis to eliminate erroneous security alerts.
Microsoft Sentinel combines SIEM and XDR in one cost-effective package for organisations. Read this previous article to learn why MS Sentinel should be your first choice for a SIEM.
However, for your IoA and IoC threat detection capabilities to truly be optimised, investing in a managed SOC like Atech provides the much-needed human element to threat protection.
Our deep knowledge and years of experience as a managed IT security provider have enabled us to develop significant IP in the form of additional threat detection feeds. These additional automated signals (built from human expertise) can be layered on top of your Microsoft SIEM solution and tailored to suit the needs of any industry.
Improve your security posture with Atech’s workshops on Microsoft Sentinel SIEM Plus XDR technologies
Atech is an Azure Sentinel Security Specialist in automated Monitoring and Remediation technologies. We have gathered several Microsoft Security and Threat Protection Solutions Partner and MS Specialization qualifications. Find out more about these certificates here.
In light of this, we’ve developed a highly detailed and free one-to-one workshop service. It’s designed to teach C-suite and IT teams everything they need to know about improving their individual security posture in the intimidating modern threat environment. We create our own analytics rules around your data, enabling us to act fast and scale security measures in a dynamic way.
So, if you want to become proactive on threat detection and remediation, sign up for our ‘Defend Against Threats’ workshop. It’s free for businesses that meet the funding criteria set by Microsoft. Get in touch with our team directly to check your eligibility today.