Indicators of Attack
Tenable Identity Exposure Indicators of Attack (IoA) help your organization detect and take immediate action when the most advanced exploit techniques try to compromise your Active Directory (AD) infrastructures, including:
- Top 3 incidents: A unified IoA view displays a real-time timeline along with the top three incidents that have affected your AD, as well as the distribution of attacks, all within a single interface.
- Details on IoA: Within Tenable Identity Exposure, the IoA panel provides information on attacks that have taken place within your AD.
- Incidents involving IoA: The list of IoA incidents offers comprehensive details about specific attacks targeting your AD, so you can respond appropriately based on the severity level of the IoA.
The Indicators of Attack feature offers a range of capabilities designed to support your investigations:
- Searchable and filterable: Explore IoAs using the timeline, or apply filters based on forest, domain, and criticality level for targeted results.
- Export capability: Export IoA data in PDF, CSV, or PPTX format.
- Modify chart type: Change the chart type to display either the distribution of attack severity or the top three attacks along with their respective occurrence counts.
- Action on IoA incidents: Select an incident to close or reopen it.

Tenable Identity Exposure detects and assigns severity levels to attacks:
Level | Description
---|---
Critical — Red | Detected a proven post-exploitation attack that requires domain dominance as a prerequisite.
High — Orange | Detected a major attack that allows an attacker to reach domain dominance.
Medium — Yellow | The IoA is related to an attack that could lead to a dangerous escalation of privileges or allow access to sensitive resources.
Low — Blue | Alerts to suspicious behaviors related to reconnaissance actions or low-impact incidents.

Identify the critical and high-impact IoAs that align with your specific security risks and concerns.
To reduce false positives without overlooking genuine attacks, calibrate IoAs to your environment. This entails:
- Adjusting thresholds: Tune IoA sensitivity to reduce false positives, so that alerts are meaningful and actionable.
- Whitelisting accounts and activities: Exclude legitimate activities from triggering IoAs, which improves alert accuracy and streamlines investigations.
- Correlating IoAs: Analyze relationships between different IoAs to identify broader attack patterns.
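The three calibration steps above, expressed as a small triage helper over constructed IoA incidents. This is an added example, not Tenable's code or the console's own logic; the incidents, the `svc-scanner` allowlist entry, the host names and the "Privileged group change" IoA name are constructed, and the severity order follows the table above.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
# Severity order follows the page's table: Critical > High > Medium > Low.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

@dataclass(frozen=True)
class Incident:
    when: datetime
    attack: str    # IoA name, e.g. "Enumeration of Local Administrators"
    severity: str  # key of SEVERITY_RANK
    source: str    # account or host the activity came from
    target: str    # AD object or domain controller targeted

def apply_allowlist(incidents, allowed):
    """Whitelisting: drop incidents whose (attack, source) pair is an approved activity."""
    return [i for i in incidents if (i.attack, i.source) not in allowed]

def correlate_by_source(incidents, window=timedelta(minutes=30)):
    """Correlation: {source: (top severity, sorted IoA names)} for sources raising
    two or more distinct IoAs within `window`."""
    by_source = defaultdict(list)
    for i in sorted(incidents, key=lambda i: i.when):
        by_source[i.source].append(i)
    patterns = {}
    for source, items in by_source.items():
        for start in items:  # slide the window forward from each incident
            burst = [i for i in items if start.when <= i.when <= start.when + window]
            attacks = sorted({i.attack for i in burst})
            if len(attacks) >= 2:
                top = max(burst, key=lambda i: SEVERITY_RANK[i.severity]).severity
                patterns[source] = (top, attacks)
                break
    return patterns

# Constructed sample incidents and allowlist (not real detections).
T0 = datetime(2024, 5, 1, 9, 0)
SAMPLE = [
    Incident(T0, "Enumeration of Local Administrators", "Low", "svc-scanner", "DC01"),
    Incident(T0 + timedelta(hours=1), "Enumeration of Local Administrators", "Low", "WS-07", "DC01"),
    Incident(T0 + timedelta(hours=1, minutes=12), "Privileged group change", "High", "WS-07", "Domain Admins"),
]
ALLOWED = {("Enumeration of Local Administrators", "svc-scanner")}

def triage(incidents=SAMPLE, allowed=ALLOWED, minimum="Medium"):
    """Allowlist, then threshold (>= `minimum`) and correlate; returns (actionable, patterns)."""
    kept = apply_allowlist(incidents, allowed)
    actionable = [i for i in kept if SEVERITY_RANK[i.severity] >= SEVERITY_RANK[minimum]]
    return actionable, correlate_by_source(kept)
```

Note that the Low-severity enumeration from WS-07 is dropped by the threshold on its own, but correlation still surfaces it as part of a broader pattern from the same source.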

- When an IoA is triggered, select "Indicators of Attack" from the navigation pane or click the bell icon at the top right of the home page.
- Each indicator gives you detailed information about the incident and lets you take appropriate action after review:
  - When the attack happened
  - Description of the attack
  - Source of the attack
  - Target of the attack
  - MITRE ATT&CK® information
  - YARA detection rules
  - Additional resources
- Select "Details" to access the Description, as illustrated in this example, which focuses on the Enumeration of Local Administrators.
- The Description tab provides information about the specific attack on your Active Directory (AD).
- The YARA Detection Rules tab lists the YARA rules that Tenable Identity Exposure uses to detect Active Directory attacks at the network level.
- Collaborate with the Active Directory administrator or the relevant stakeholder to examine and resolve the incident, decide whether to close or reopen it, and implement measures to prevent its recurrence.
- If this is a recognized or authorized activity, you can customize the IoA so that it does not flag this behavior in future instances.
See also
- Indicators of Attack
- Customize an Indicator