
Indicator of Attack (IOA) vs Attack Surface Reduction (ASR) #cybersecurity

Updated: Nov 28

Cybersecurity is a constantly evolving field, with new threats emerging on a regular basis. Two important concepts in cybersecurity are Indicator of Attack (IOA) and Attack Surface Reduction (ASR). Understanding the difference between these two concepts can help organizations better protect their systems and networks from cyber threats.


An Indicator of Attack (IOA) is a signal or pattern that indicates a potential attack on a system or network. These indicators can include suspicious network activity, unusual system behavior, or other signs that an attack may be imminent or underway. Examples of IOAs include network traffic from a known malicious IP address, the presence of malware on a system, or a sudden increase in failed login attempts. IOAs are used by security professionals to detect, investigate, and respond to potential or active security incidents.

Attack Surface Reduction (ASR) refers to a set of security features and controls that are designed to reduce the attack surface of a system or network. Attack surface reduction can include a variety of measures such as disabling unnecessary services or protocols, restricting access to network resources, and implementing security controls such as firewalls and intrusion detection systems. By reducing the attack surface, organizations can make it more difficult for attackers to successfully compromise their systems and networks.

One example of an ASR solution is Windows Defender Attack Surface Reduction. It's a security feature built into Windows 10 that helps to reduce the attack surface of a device by blocking certain types of malicious behavior. To use ASR, you must have Windows 10 version 1803 or later, and have Windows Defender enabled. With ASR enabled, Windows will automatically block certain types of malicious behavior, such as fileless malware, script-based attacks, and other types of exploitation.

Another example is Elastic Defense, a security solution that uses AI and ML algorithms to analyze large amounts of data and identify potential IOAs. The solution is designed to detect and respond to cyber threats in real-time by analyzing network traffic, endpoint data, and other security-related information. One example of an Elastic Defense IOA is the detection of an abnormal increase in network traffic to a specific IP address.


CrowdStrike is a security software company that provides endpoint protection, threat intelligence, and incident response services. One of the key features of CrowdStrike's platform is its ability to detect and respond to IOAs in real-time. One example of a CrowdStrike IOA is the detection of malicious code injection. CrowdStrike's platform uses a combination of behavioral analysis and machine learning to detect when an attacker is trying to inject malicious code into a running process on a system.

What is the difference between Indicator of Attack (IOA) vs Attack Surface Reduction (ASR)?

Another example of an IOA, related to process spoofing, is the detection of a process that is attempting to impersonate a legitimate system process. This can be done by renaming a malicious executable to match the name of a legitimate system process, or by creating a new process with the same name. To detect this type of attack, security software such as endpoint protection solutions uses techniques like behavioral analysis, memory scanning, or signature-based detection to identify the malicious process.
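As an added example (not code from the original post or from any vendor named here), the following PowerShell function implements the simplest form of the behavioral check described above: a process whose name matches a core Windows binary but whose image path or parent process differs from the baseline is flagged. The expected paths and parents are assumptions based on a default Windows install, and the process snapshot is constructed sample data, not real telemetry.

```powershell
# Baseline for a few core Windows processes (assumed defaults; tune per environment).
$SystemRoot = 'C:\Windows'
$Expected = @{
    'lsass.exe'    = @{ Path = "$SystemRoot\System32\lsass.exe";    Parent = 'wininit.exe' }
    'svchost.exe'  = @{ Path = "$SystemRoot\System32\svchost.exe";  Parent = 'services.exe' }
    'csrss.exe'    = @{ Path = "$SystemRoot\System32\csrss.exe";    Parent = 'smss.exe' }
    'services.exe' = @{ Path = "$SystemRoot\System32\services.exe"; Parent = 'wininit.exe' }
}

function Test-ProcessMasquerade {
    param([Parameter(Mandatory)][object[]]$Processes)
    foreach ($p in $Processes) {
        $rule = $Expected[$p.Name.ToLower()]
        if (-not $rule) { continue }   # no baseline for this process name
        $reasons = @()
        # String comparison with -ne is case-insensitive in PowerShell.
        if ($p.Path -ne $rule.Path)     { $reasons += "unexpected path: $($p.Path)" }
        if ($p.Parent -ne $rule.Parent) { $reasons += "unexpected parent: $($p.Parent)" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Pid = $p.Pid; Name = $p.Name; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample snapshot. On a live host the same fields can be built from
# Get-CimInstance Win32_Process (ProcessId, Name, ExecutablePath, ParentProcessId).
$Sample = @(
    [pscustomobject]@{ Pid = 700;  Name = 'lsass.exe';   Path = 'C:\Windows\System32\lsass.exe'; Parent = 'wininit.exe' }
    [pscustomobject]@{ Pid = 1234; Name = 'svchost.exe'; Path = 'C:\Users\Public\svchost.exe';   Parent = 'explorer.exe' }
    [pscustomobject]@{ Pid = 1500; Name = 'csrss.exe';   Path = 'C:\Windows\System32\csrss.exe'; Parent = 'cmd.exe' }
)

# Expected: PID 700 is clean; 1234 is flagged for path and parent; 1500 for parent only.
Test-ProcessMasquerade -Processes $Sample | Format-Table -AutoSize
```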

Indicator of Attack (IOA) and Attack Surface Reduction (ASR) address security from two different directions: ASR removes or restricts the avenues an attacker could use, while IOA detects attacker behavior on the avenues that remain.

How to enable ASR GUID rules for Windows Defender?

Windows Defender ASR Rules vs GUID matrix

Below is the list of all the rule GUIDs that let you configure ASR on your laptop with administrator privileges.


To check the current status on your laptop if you are using Windows Defender:

Show all configured ASR rule GUIDs on your system in PowerShell:

PS > Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids


PowerShell commands to Block/Audit ASR rules using Windows Defender

1. Audit abuse of exploited vulnerable signed drivers
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Audit

2. Audit Adobe Reader from creating child processes
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Audit

3. Audit all Office applications from creating child processes
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids d4f940ab-401b-4efc-aadc-ad5f3c50688a -AttackSurfaceReductionRules_Actions Audit

4. Audit credential stealing from the Windows local security authority subsystem (lsass.exe)
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Audit

5. Audit executable content from email client and webmail
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 -AttackSurfaceReductionRules_Actions Audit

6. Audit executable files from running unless they meet a prevalence, age, or trusted list criterion
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25 -AttackSurfaceReductionRules_Actions Audit

7. Audit execution of potentially obfuscated scripts
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 5beb7efe-fd9a-4556-801d-275e5ffc04cc -AttackSurfaceReductionRules_Actions Audit

8. Audit JavaScript or VBScript from launching downloaded executable content
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids d3e037e1-3eb8-44c8-a917-57927947596d -AttackSurfaceReductionRules_Actions Audit

9. Audit Office applications from creating executable content
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 3b576869-a4ec-4529-8536-b80a7769e899 -AttackSurfaceReductionRules_Actions Audit

10. Audit Office applications from injecting code into other processes
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 -AttackSurfaceReductionRules_Actions Audit

11. Audit Office communication application from creating child processes
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49e8-8b27-eb1d0a1ce869 -AttackSurfaceReductionRules_Actions Audit

12. Audit persistence through WMI event subscription
    * File and folder exclusions are not supported for this rule.
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Audit

13. Audit process creations originating from PSExec and WMI commands
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Audit

14. Audit untrusted and unsigned processes that run from USB
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Audit

15. Audit Win32 API calls from Office macros
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Audit

16. Audit: Use advanced protection against ransomware
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids c1db55ab-c21a-4637-bb3f-a12568109d35 -AttackSurfaceReductionRules_Actions Audit

To enable blocking for all of the above GUIDs in one PowerShell command (the action value Enabled means Block mode; one action is given per GUID, in the same order):

CMD> PowerShell.exe
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5,c1db55ab-c21a-4637-bb3f-a12568109d35,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,d1e49aac-8f56-4280-b9ba-993a6d77406c,e6db77e5-3df2-4cf1-b95a-636979351e5b,26190899-1602-49e8-8b27-eb1d0a1ce869,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,3b576869-a4ec-4529-8536-b80a7769e899,d3e037e1-3eb8-44c8-a917-57927947596d,5beb7efe-fd9a-4556-801d-275e5ffc04cc,01443614-cd74-433a-b99e-2ecdc07bfc25,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,d4f940ab-401b-4efc-aadc-ad5f3c50688a,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled
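After enabling the rules, a practitioner will want to verify what actually took effect rather than trust the command succeeded. The script below is an added example (not code from the original post or from Microsoft): it reads the two parallel arrays that Get-MpPreference exposes and prints the configured action for each of the 16 rules listed above, warning about any that are not in Block mode. The short rule names are assumed abbreviations of the names above; the action codes follow Microsoft's documented values (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn). Run from an elevated PowerShell prompt on a host with Windows Defender enabled.

```powershell
# Rule GUIDs from the list above, mapped to short names (abbreviations are assumptions).
$AsrRules = @{
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Exploited vulnerable signed drivers'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Adobe Reader child processes'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Office apps child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Credential stealing from lsass.exe'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Executable content from email/webmail'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Executables failing prevalence/age/trust'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'JS/VBScript launching downloaded executables'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Office apps creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Office apps injecting into processes'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Office communication app child processes'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Persistence via WMI event subscription'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Process creation from PSExec and WMI'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Untrusted/unsigned processes from USB'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Win32 API calls from Office macros'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Advanced protection against ransomware'
}
# Action codes as documented by Microsoft for AttackSurfaceReductionRules_Actions.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([hashtable]$Rules = $AsrRules)
    $pref = Get-MpPreference
    # The two properties are parallel arrays: Ids[i] is configured with Actions[i].
    $configured = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = ([string]$pref.AttackSurfaceReductionRules_Ids[$i]).ToLower()
        $configured[$id] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
    foreach ($guid in $Rules.Keys) {
        # A rule absent from the configured list is effectively Disabled (code 0).
        $code = if ($configured.ContainsKey($guid)) { $configured[$guid] } else { 0 }
        $name = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
        [pscustomobject]@{ Rule = $Rules[$guid]; Guid = $guid; Action = $name }
    }
}

$state = Get-AsrRuleState
$state | Sort-Object Action, Rule | Format-Table -AutoSize
$notBlocking = @($state | Where-Object Action -ne 'Block')
if ($notBlocking.Count -gt 0) {
    Write-Warning ("{0} of {1} ASR rules are not in Block mode" -f $notBlocking.Count, $AsrRules.Count)
}
```

Audit mode is a sensible first step on a fleet: run the rules in Audit for a while, review the resulting events, and move each rule to Block only once it is known not to break legitimate workflows.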


In summary, both ASR and IOA are important aspects of cybersecurity. ASR is a proactive security measure that aims to reduce the risk of a successful attack by shrinking the attack surface, while IOA is a reactive security measure that aims to detect and respond to security incidents by identifying indicators of attack. Organizations can use a combination of these security measures to provide comprehensive protection against cyber threats.
