Indicators of Attack (IOAs)

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR

WatchGuard Threat Hunting Services are a set of specialized technologies and human resources that detect lateral movements and other early indicators of malware activity before the malware takes action.

Threat Hunting Services enable network administrators to quickly detect compromised devices, early-stage attacks, and suspicious activities. Specifically, Threat Hunting Services help detect:

  • Malwareless attacks and Remote Desktop Protocol (RDP) attacks.
  • Computers already compromised.
  • Hackers and malicious employees.

On the Indicators of Attack (IOA) dashboard in WatchGuard Advanced EPDR, EPDR, and EDR, network administrators can see information related to detections by Threat Hunting Services, such as Indicators of Attack, advanced investigations, attack graph views, and MITRE tactics and techniques.

Indicators of Attack (IOA) are confirmed events that are highly likely to be an attack. The WatchGuard Security team reviews events received from endpoints to confirm they match a specified attack hypothesis.

We strongly recommend you contain the IOA and remediate affected endpoints as soon as possible.

Multiple Detections

To prevent too many detections in the management UI, Endpoint Security groups two or more equal IOAs into one detection.

To group two or more equal IOAs, they must be:

  • The same type.
  • Detected on the same computer.
  • Detected close to each other in time.

The number of actual occurrences shows in the Detected Occurrences field of the IOA details page. For more information, go to Indicator of Attack Details.

How the IOAs are grouped depends on the type of IOA and whether the computer is in Audit mode. For information about Audit mode, go to Configure Audit Mode.

Standard IOA (Audit mode disabled)

Endpoint Security logs the first IOA and sets the Detected Occurrences field to 1. Equal IOAs detected in the six hours after the first IOA was logged are grouped together. Endpoint Security sends an IOA detection at the end of each six-hour interval. (The Detected Occurrences field indicates the total number of IOAs detected.)

If Endpoint Security does not log an equal IOA within a six-hour interval, then it does not send an IOA detection for the interval. After four intervals (24 hours), the process starts again.

Advanced IOA (Audit mode disabled)

Endpoint Security logs the first IOA and sets the Detected Occurrences field to 1. Equal IOAs detected within each one-hour interval after the first IOA was logged are grouped together. Endpoint Security sends an IOA detection at the end of each one-hour interval. (The Detected Occurrences field indicates the total number of IOAs detected.)

If Endpoint Security does not log an equal IOA within a one-hour interval, then it does not send an IOA detection for that interval. After 24 hours, the process starts again.

Advanced IOA (Audit mode enabled)

Advanced IOAs are not grouped if the computer is in Audit mode. Endpoint Security sends a detection for each IOA detected on a computer in Audit mode. (The Detected Occurrences field is set to 1.)
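The three grouping rules above, written out as a small simulation so that the expected detections for a stream of IOAs can be checked. This is an added example, not WatchGuard code; the IOA type, computer names and timestamps are constructed, and it assumes that Detected Occurrences counts the equal IOAs within one interval rather than across the whole 24-hour cycle.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Detection:
    ioa_type: str
    computer: str
    window_start: datetime      # start of the interval the IOAs fell into
    detected_occurrences: int   # assumed: equal IOAs seen in that interval

def group_ioas(events, interval_hours, cycle_hours=24, audit_mode=False):
    """events: iterable of (timestamp, ioa_type, computer). Returns one
    Detection per non-empty interval; empty intervals produce nothing."""
    interval, cycle = timedelta(hours=interval_hours), timedelta(hours=cycle_hours)
    by_key = {}   # equal IOAs = same type on the same computer
    for ts, ioa_type, computer in sorted(events):
        by_key.setdefault((ioa_type, computer), []).append(ts)
    detections = []
    for (ioa_type, computer), times in by_key.items():
        if audit_mode:
            # Audit mode: no grouping, one detection per IOA with occurrences = 1
            detections.extend(Detection(ioa_type, computer, t, 1) for t in times)
            continue
        cycle_start = current = None
        for t in times:
            # The first IOA opens a cycle of fixed-length intervals; once
            # cycle_hours have passed, the next IOA starts the process again.
            if cycle_start is None or t >= cycle_start + cycle:
                cycle_start = t
            window_start = cycle_start + interval * ((t - cycle_start) // interval)
            if current is None or current.window_start != window_start:
                current = Detection(ioa_type, computer, window_start, 1)
                detections.append(current)
            else:
                current.detected_occurrences += 1
    return detections

# Constructed sample: six IOAs of one type on PC-01, one on PC-02.
SAMPLE_EVENTS = [
    (datetime(2024, 1, 1, 8, 0), "Credential dumping", "PC-01"),
    (datetime(2024, 1, 1, 8, 30), "Credential dumping", "PC-01"),
    (datetime(2024, 1, 1, 10, 0), "Credential dumping", "PC-01"),
    (datetime(2024, 1, 1, 15, 0), "Credential dumping", "PC-01"),
    (datetime(2024, 1, 2, 9, 0), "Credential dumping", "PC-01"),   # >24 h later: new cycle
    (datetime(2024, 1, 2, 14, 30), "Credential dumping", "PC-01"),
    (datetime(2024, 1, 1, 8, 10), "Credential dumping", "PC-02"),
]
```

Calling `group_ioas(SAMPLE_EVENTS, 6)` gives four detections (standard IOA rules), `group_ioas(SAMPLE_EVENTS, 1)` gives six, and `audit_mode=True` gives one detection per event.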

MITRE ATT&CK Matrix

The MITRE Corporation is a not-for-profit organization that operates federally funded research and development centers to address security issues. It offers practical solutions in the fields of defense and intelligence, aviation, civil systems, national security, judiciary, health, and cybersecurity.


ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a set of resources developed by the MITRE Corporation to describe and categorize cybercriminal activities based on observations from around the world. ATT&CK is a structured list of known attack behaviors categorized into tactics and techniques and shown as a matrix.

Technique (How)

In ATT&CK terminology, techniques and sub-techniques represent the method (or the strategy) that an adversary uses to achieve a tactical objective. For example, to access credentials (tactic), an adversary executes a data dump (technique).

Tactic (Why)

In ATT&CK terminology, tactics represent the ultimate motive or goal of a technique. It is the tactical objective of the adversary: the reason to take an action.

The MITRE ATT&CK matrix is a useful resource to develop defensive, preventive, and remedial strategies for organizations. For more information about the ATT&CK matrix, go to https://attack.mitre.org/.

Related Topics

Indicators of Attack Dashboard