Indicators of Attack (IoA) refer to observable behaviors or artifacts that suggest a security breach or ongoing attack.

When internal hosts communicate with countries outside the business range, it may indicate data exfiltration or command-and-control communication to an external threat actor.

Unlike Indicators of Compromise (IoC) which indicate that a system has already been compromised, IoAs are often used to identify malicious activity in its early stages.

Monitoring for unusual outbound connections is a crucial aspect of detecting advanced persistent threats (APTs) and other sophisticated attacks.

References

Difference Between Indicators of Compromise and Indicators of Attack

Cyber Threat Detection Using Indicators of Attack

Network Monitoring for Anomalous Behavior

A man-in-the-middle (MITM) attack occurs when an attacker secretly intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other. In this scenario, an attacker can observe network traffic exchanged between two users by placing themselves in between their communication channel. References := Cisco Blogs - New Cybersecurity and Cloud Skills to Protect Companies from Cybersecurity Attacks of the Future

When analyzing Wireshark traffic for potential attacks, an engineer should look for patterns that indicate abnormal behavior, such as:

Excessive Requests: A high number of requests over a short period could suggest an attempt to overwhelm the server, known as an HTTP flood.

Status Codes: Repeated 403 Forbidden responses may indicate that the server is rejecting requests due to a security rule being triggered.

Request Types: A mix of GET and POST requests could be used in various attack scenarios, including bandwidth flooding or cache bypassing.

The principle of least privilege states that users and processes should be granted only the minimum permissions necessary to perform their specific role or function within an organization. This reduces the attack surface and limits the potential damage of a compromised account or process. References:

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 1: Security Concepts, Lesson 1.2: Security Principles

Cisco Certified CyberOps Associate Overview, Exam Topics, 1.1 Explain the CIA triad

 The alert from the Cisco ASA device and the numerous activity logs are examples of circumstantial evidence. Circumstantial evidence is evidence that relies on an inference or deduction to connect it to a conclusion of fact, such as a security incident or an attack. Circumstantial evidence does not directly prove the fact in question, but rather suggests or implies it. In this case, the alert and the logs indicate that a TCP connection attempt was denied by an access group, but they do not directly prove that an attack occurred or who was behind it. There could be other explanations for the denied connection, such as a misconfiguration, a network error, or a legitimate request. Therefore, this type of evidence is circumstantial and requires further investigation and analysis to confirm or rule out the possibility of an attack. References := Circumstantial evidence - Wikipedia; Circumstantial Evidence - Definition, Examples, Cases, Processes; Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 92.