Indicator of Attack (IOA) vs Attack Surface Reduction (ASR) #cybersecurity

Cybersecurity is a constantly evolving field, with new threats emerging on a regular basis. Two important concepts in cybersecurity are Indicator of Attack (IOA) and Attack Surface Reduction (ASR). Understanding the difference between these two concepts can help organizations better protect their systems and networks from cyber threats.

Indicator of Attack (IOA)
Attack Surface Reduction (ASR)
ASR on Elastic
ASR on CrowdStrike
Steps to Implement ASR on Windows Defender

Cynor Sense Attack Surface Reduction tips
What's an ASR? What's an IOA?

An Indicator of Attack (IOA) is a signal or pattern that indicates a potential attack on a system or network. These indicators can include suspicious network activity, unusual system behavior, or other signs that an attack may be imminent or underway. Examples of IOAs include network traffic from a known malicious IP address, the presence of malware on a system, or a sudden increase in failed login attempts. IOAs are used by security professionals to detect, investigate, and respond to potential or active security incidents.

Attack Surface Reduction (ASR) refers to a set of security features and controls that are designed to reduce the attack surface of a system or network. Attack surface reduction can include a variety of measures such as disabling unnecessary services or protocols, restricting access to network resources, and implementing security controls such as firewalls and intrusion detection systems. By reducing the attack surface, organizations can make it more difficult for attackers to successfully compromise their systems and networks.

One example of an ASR solution is Windows Defender Attack Surface Reduction. It's a security feature built into Windows 10 that helps to reduce the attack surface of a device by blocking certain types of malicious behavior. To use ASR, you must have Windows 10 version 1803 or later, and have Windows Defender enabled. With ASR enabled, Windows will automatically block certain types of malicious behavior, such as fileless malware, script-based attacks, and other types of exploitation.

Another example is Elastic Defense, a security solution that uses AI and ML algorithms to analyze large amounts of data and identify potential IOAs. The solution is designed to detect and respond to cyber threats in real time by analyzing network traffic, endpoint data, and other security-related information. One example of an Elastic Defense IOA is the detection of an abnormal increase in network traffic to a specific IP address.

You can watch a video here

CrowdStrike is a security software company that provides endpoint protection, threat intelligence, and incident response services. One of the key features of CrowdStrike's platform is its ability to detect and respond to IOAs in real time. One example of a CrowdStrike IOA is the detection of malicious code injection. CrowdStrike's platform uses a combination of behavioral analysis and machine learning to detect when an attacker is trying to inject malicious code into a running process on a system.

Another example of an IOA related to process spoofing is the detection of a process that is attempting to impersonate a legitimate system process. This could be done by renaming a malicious executable file to match the name of a legitimate system process or by creating a new process with the same name. To detect this type of attack, security software such as endpoint protection solutions uses techniques like behavioral analysis, memory scanning, or signature matching to identify the malicious process.

How to enable ASR using Windows Defender?

Windows Defender ASR Rules vs GUID matrix

Below is a list of the rule GUIDs you can use to configure ASR on your laptop with administrator privileges.

To check the current status on your laptop if you are using Windows Defender:

Show all rule GUIDs configured on your system in PowerShell

PS > Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_ids
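
The command above lists only the rule GUIDs. As an added example that is not part of the original post, the script below pairs each GUID with its configured action (Get-MpPreference exposes the IDs and the actions as two parallel arrays) and reports which rules from an expected list are missing or not in Block mode. It assumes an elevated PowerShell session on a Windows 10 1803 or later host with Windows Defender enabled; the expected-rules table holds only the GUID quoted in this post and is meant to be extended from Microsoft's ASR rule reference.

```powershell
# Added example (not code from the original post). Requires an elevated PowerShell
# session on Windows 10 1803 or later with Windows Defender (Microsoft Defender AV) enabled.

# Action codes as returned in AttackSurfaceReductionRules_Actions.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

# Rules this host is expected to enforce. Only the GUID quoted in the post is
# listed here; extend the table from Microsoft's ASR rule reference.
$ExpectedRules = @{
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
}

function Get-AsrRuleState {
    # Get-MpPreference exposes the rules as two parallel arrays: index N of
    # the _Ids array pairs with index N of the _Actions array.
    $pref = Get-MpPreference
    if ($null -eq $pref.AttackSurfaceReductionRules_Ids) { return }   # no rules configured
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        $name = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown($code)" }
        [pscustomobject]@{ RuleId = $ids[$i].ToLower(); Action = $name }
    }
}

function Test-AsrCoverage {
    param([hashtable]$Expected = $ExpectedRules)
    # Index the live state by GUID, then check every expected rule against it.
    $current = @{}
    foreach ($rule in Get-AsrRuleState) { $current[$rule.RuleId] = $rule.Action }
    foreach ($guid in $Expected.Keys) {
        $state = if ($current.ContainsKey($guid)) { $current[$guid] } else { 'NotConfigured' }
        [pscustomobject]@{
            RuleId    = $guid
            Name      = $Expected[$guid]
            Action    = $state
            Compliant = ($state -eq 'Block')   # AuditMode only logs; Block enforces
        }
    }
}

Write-Host '== Configured ASR rules =='
Get-AsrRuleState | Format-Table -AutoSize
Write-Host '== Expected rules not enforced =='
Test-AsrCoverage | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

A rule that shows as AuditMode is only being logged; switch it to Enabled once the audit events confirm it would not block legitimate software.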


PowerShell commands to block or audit ASR rules using Windows Defender

1. Audit abuse of exploited vulnerable signed drivers
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions AuditMode   # AuditMode only logs what the rule would block; use Enabled to block, Warn to prompt, Disabled to turn the rule off

2. Audit Adobe Reader from creating child processes
PS > Add-MpPreference -AttackSurfaceReductionRules_Ids 7674ba52-37eb-