Cybersecurity is a constantly evolving field, with new threats emerging on a regular basis. Two important concepts in cybersecurity are Indicator of Attack (IOA) and Attack Surface Reduction (ASR). Understanding the difference between these two concepts can help organizations better protect their systems and networks from cyber threats.
An Indicator of Attack (IOA) is a signal or pattern that indicates a potential attack on a system or network. These indicators can include suspicious network activity, unusual system behavior, or other signs that an attack may be imminent or underway. Examples of IOAs include network traffic from a known malicious IP address, the presence of malware on a system, or a sudden increase in failed login attempts. IOAs are used by security professionals to detect, investigate, and respond to potential or active security incidents.
Attack Surface Reduction (ASR) refers to a set of security features and controls that are designed to reduce the attack surface of a system or network. Attack surface reduction can include a variety of measures such as disabling unnecessary services or protocols, restricting access to network resources, and implementing security controls such as firewalls and intrusion detection systems. By reducing the attack surface, organizations can make it more difficult for attackers to successfully compromise their systems and networks.
One example of an ASR solution is Windows Defender Attack Surface Reduction. It's a security feature built into Windows 10 that helps to reduce the attack surface of a device by blocking certain types of malicious behavior. To use ASR, you must have Windows 10 version 1803 or later, and have Windows Defender enabled. With ASR enabled, Windows will automatically block certain types of malicious behavior, such as fileless malware, script-based attacks, and other types of exploitation.
Another example is Elastic Defense, a security solution that uses AI and ML algorithms to analyze large amounts of data and identify potential IOAs. The solution is designed to detect and respond to cyber threats in real time by analyzing network traffic, endpoint data, and other security-related information. One example of an Elastic Defense IOA is the detection of an abnormal increase in network traffic to a specific IP address.
CrowdStrike is a security software company that provides endpoint protection, threat intelligence, and incident response services. One of the key features of CrowdStrike's platform is its ability to detect and respond to IOAs in real time. One example of a CrowdStrike IOA is the detection of malicious code injection. CrowdStrike's platform uses a combination of behavioral analysis and machine learning to detect when an attacker is trying to inject malicious code into a running process on a system.
What is the difference between Indicator of Attack (IOA) and Attack Surface Reduction (ASR)?
Another example of an IOA, related to process spoofing, is the detection of a process that is attempting to impersonate a legitimate system process. This could be done by renaming a malicious executable file to match the name of a legitimate system process or by creating a new process with the same name. To detect this type of attack, security software such as endpoint protection solutions uses techniques like behavioral analysis, memory scanning, or signature-based detection to identify the malicious process.
Indicator of Attack (IOA) and Attack Surface Reduction (ASR) are two different vectors of security.
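The process-spoofing check described above, as an added example that is not part of the original post: it lists running processes whose name matches a core Windows system process but whose image runs from an unexpected path or lacks a valid Microsoft Authenticode signature. The expected paths and the signer match are assumptions based on a default Windows install.

```powershell
# Added example (not from the original post): flag running processes whose image name
# matches a core Windows system process but which run from an unexpected location or
# carry no valid Microsoft Authenticode signature. The expected paths are assumptions
# based on a default Windows install; adjust them for your environment.
$expectedPath = @{
    'svchost'  = "$env:SystemRoot\System32\svchost.exe"
    'lsass'    = "$env:SystemRoot\System32\lsass.exe"
    'csrss'    = "$env:SystemRoot\System32\csrss.exe"
    'winlogon' = "$env:SystemRoot\System32\winlogon.exe"
    'services' = "$env:SystemRoot\System32\services.exe"
    'explorer' = "$env:SystemRoot\explorer.exe"
}

function Find-SpoofedSystemProcess {
    foreach ($p in Get-Process) {
        $name = $p.ProcessName.ToLower()
        if (-not $expectedPath.ContainsKey($name)) { continue }
        # Protected processes refuse MainModule access without elevation; skip rather than guess.
        try { $path = $p.Path } catch { $path = $null }
        if (-not $path) { continue }
        $reasons = @()
        # -ne is case-insensitive in PowerShell, so C:\WINDOWS and C:\Windows compare equal.
        if ($path -ne $expectedPath[$name]) { $reasons += "unexpected path $path" }
        # Get-AuthenticodeSignature also honours catalog signatures on Windows 8 and later.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature status $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $reasons += "unexpected signer $($sig.SignerCertificate.Subject)"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName; Path = $path; Reasons = ($reasons -join '; ') }
        }
    }
}

Find-SpoofedSystemProcess | Format-Table -AutoSize
```

Run it from an elevated prompt so that protected processes such as lsass.exe and csrss.exe are inspected rather than skipped.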
How to enable ASR GUID rules for Windows Defender?
Windows Defender ASR Rules vs GUID matrix
Below is a list of all the GUID rules that help you configure ASR on your laptop with administrator privileges.
To check the current status on your laptop if you are using Windows Defender:
Show all GUIDs on your system in PowerShell
PS > Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_ids
01443614-cd74-433a-b99e-2ecdc07bfc25
26190899-1602-49e8-8b27-eb1d0a1ce869
3B576869-A4EC-4529-8536-B80A7769E899
56a863a9-875e-4185-98a7-b882c64b5ce5
5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
c1db55ab-c21a-4637-bb3f-a12568109d35
d1e49aac-8f56-4280-b9ba-993a6d77406c
D3E037E1-3EB8-44C8-A917-57927947596D
D4F940AB-401B-4EFC-AADC-AD5F3C50688A
e6db77e5-3df2-4cf1-b95a-636979351e5b
PowerShell commands to block or audit ASR rules using Windows Defender
1. Audit abuse of exploited vulnerable signed drivers
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Audit
2. Audit Adobe Reader from creating child processes
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Audit
3. Audit all Office applications from creating child processes
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids d4f940ab-401b-4efc-aadc-ad5f3c50688a -AttackSurfaceReductionRules_Actions Audit
4. Audit credential stealing from the Windows local security authority subsystem (lsass.exe)
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Audit
5. Audit executable content from email client and webmail
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 -AttackSurfaceReductionRules_Actions Audit
6. Audit executable files from running unless they meet a prevalence, age, or trusted list criterion
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25 -AttackSurfaceReductionRules_Actions Audit
7. Audit execution of potentially obfuscated scripts
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 5beb7efe-fd9a-4556-801d-275e5ffc04cc -AttackSurfaceReductionRules_Actions Audit
8. Audit JavaScript or VBScript from launching downloaded executable content
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids d3e037e1-3eb8-44c8-a917-57927947596d -AttackSurfaceReductionRules_Actions Audit
9. Audit Office applications from creating executable content
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 3b576869-a4ec-4529-8536-b80a7769e899 -AttackSurfaceReductionRules_Actions Audit
10. Audit Office applications from injecting code into other processes
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 -AttackSurfaceReductionRules_Actions Audit
11. Audit Office communication application from creating child processes
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49e8-8b27-eb1d0a1ce869 -AttackSurfaceReductionRules_Actions Audit
12. Audit persistence through WMI event subscription
* File and folder exclusions not supported.
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Audit
13. Audit process creations originating from PSExec and WMI commands
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Audit
14. Audit untrusted and unsigned processes that run from USB
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Audit
15. Audit Win32 API calls from Office macros
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Audit
16. Audit: Use advanced protection against ransomware
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids c1db55ab-c21a-4637-bb3f-a12568109d35 -AttackSurfaceReductionRules_Actions Audit
To enable blocking for all the above GUIDs in one PowerShell command (the Ids and Actions lists must have the same length, one action per rule):
CMD> PowerShell.exe
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5,c1db55ab-c21a-4637-bb3f-a12568109d35,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,d1e49aac-8f56-4280-b9ba-993a6d77406c,e6db77e5-3df2-4cf1-b95a-636979351e5b,26190899-1602-49e8-8b27-eb1d0a1ce869,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,3b576869-a4ec-4529-8536-b80a7769e899,d3e037e1-3eb8-44c8-a917-57927947596d,5beb7efe-fd9a-4556-801d-275e5ffc04cc,01443614-cd74-433a-b99e-2ecdc07bfc25,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,d4f940ab-401b-4efc-aadc-ad5f3c50688a,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled
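The status check and the bulk enable above, combined into one script as an added example (not the post's own code): it reads the rule state from Get-MpPreference, names each of the 16 rules listed above, reports which are not in Block mode, and moves only those to Block. The action-code mapping and the rule names are assumptions taken from Defender's documented behaviour and the list above.

```powershell
# Added example (not from the original post): audit the ASR state reported by Get-MpPreference
# against the 16 rules listed above and move any rule not in Block mode to Block.
# Defender action codes (assumed): 0 = Disabled, 1 = Block (Enabled), 2 = Audit, 6 = Warn.
$asrRules = @{
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Abuse of exploited vulnerable signed drivers'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Adobe Reader creating child processes'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Office applications creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Credential stealing from lsass.exe'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Executable content from email client and webmail'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Executables failing prevalence, age or trusted-list criteria'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'JavaScript/VBScript launching downloaded executables'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Office applications creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Office applications injecting code into other processes'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Office communication application creating child processes'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Persistence through WMI event subscription'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Process creations from PSExec and WMI commands'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Untrusted and unsigned processes from USB'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Win32 API calls from Office macros'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Advanced protection against ransomware'
}
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleStatus {
    $pref = Get-MpPreference
    # Ids and Actions are parallel arrays; wrap in @() so an empty list still has .Count.
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i].ToLower()] = [int]$actions[$i] }
    foreach ($id in $asrRules.Keys) {
        # A rule absent from the preference list has never been set and behaves as Disabled.
        $code = 0
        if ($configured.ContainsKey($id)) { $code = $configured[$id] }
        $state = "Unknown($code)"
        if ($actionName.ContainsKey($code)) { $state = $actionName[$code] }
        [pscustomobject]@{ Id = $id; State = $state; Rule = $asrRules[$id] }
    }
}

$status = Get-AsrRuleStatus
$status | Sort-Object State, Rule | Format-Table -AutoSize
$notBlocking = @($status | Where-Object { $_.State -ne 'Block' })
if ($notBlocking.Count -gt 0) {
    # One call with matching Ids and Actions arrays, as in the bulk command above.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $notBlocking.Id `
        -AttackSurfaceReductionRules_Actions (@('Enabled') * $notBlocking.Count)
}
```

Review the printed table before letting the final Add-MpPreference run, since rules that are in Audit mode on purpose (for example during a pilot) would be switched to Block.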
In summary, both ASR and IOA are important aspects of cybersecurity. ASR is a proactive security measure that aims to reduce the risk of a successful attack by reducing the attack surface, while IOA is a reactive security measure that aims to detect and respond to security incidents by identifying indicators of attack. Organizations can use a combination of these security measures to provide comprehensive protection against cyber threats.