What's the difference between Signals, Transactions, and Indicators?

Clarifying on some vague terminology

💡 This is part of an ongoing series in cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.

It's common for cybersecurity marketing material to reference absolutely MASSIVE statistics. Sometimes though, the terms can blur together. In today's article, I want to take a moment to differentiate between three related terms: Signals, Transactions, and Indicators.

  • Signal - This is an individual data point (typically in a very raw or basic form). It could be virtually ANYthing. In geeky engineering speak, we can think of it as being physical or interrupt-based. Common examples include:
    • A single log event
    • A network packet
    • A device being connected/disconnected
    • The beginning of a query/operation (before any results or response comes back)
  • Transaction - This encompasses more of a complete activity or action. It could be a collection of multiple steps that need to happen for the transaction to be considered successful. We can think of it as being atomic and purposeful in nature. It has a clearly defined beginning and end. Examples of transactions include:
    • Visiting a web page
    • Uploading a file
    • Receiving an email
  • Indicator - This is basically a piece of data that provides meaning, interest, or significance to a signal (or group of signals). The idea here is that SOMEthing about the signal warrants attention. Examples of indicators include:
    • Network packets sent to (or from) known malicious IP addresses
    • An unusual/unexpected protocol request
    • A normal action happening at an unusual time of day (e.g. Bob's laptop trying to connect to corporate resources at 3 AM).
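To make the three terms concrete, here is an added example (my own, not code from the original article) that treats constructed VPN log lines as signals, groups each host's connect_start..connect_end sequence into a transaction, and then derives indicators using the article's own criteria: a known-bad source address and an off-hours connection like Bob's 3 AM login. The log format, the watchlist and the business-hours window are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
# Constructed sample log lines (hypothetical key=value format); each line is one signal.
RAW_SIGNALS = [
    "2024-03-04T03:02:10Z host=bob-laptop event=vpn_connect_start src=203.0.113.7",
    "2024-03-04T03:02:11Z host=bob-laptop event=vpn_auth_ok src=203.0.113.7",
    "2024-03-04T03:02:12Z host=bob-laptop event=vpn_connect_end src=203.0.113.7",
    "2024-03-04T14:10:00Z host=alice-desktop event=vpn_connect_start src=198.51.100.9",
    "2024-03-04T14:10:01Z host=alice-desktop event=vpn_auth_ok src=198.51.100.9",
    "2024-03-04T14:10:02Z host=alice-desktop event=vpn_connect_end src=198.51.100.9",
]
# Constructed watchlist and working-hours window (assumptions, not real threat intel).
KNOWN_BAD_IPS = {"203.0.113.7"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59

@dataclass
class Signal:            # one raw data point, exactly as logged
    ts: datetime
    host: str
    event: str
    src: str

@dataclass
class Transaction:       # a begin..end sequence of signals for one host
    host: str
    signals: list = field(default_factory=list)

def parse_signal(line: str) -> Signal:
    ts, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return Signal(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), f["host"], f["event"], f["src"])

def group_transactions(signals):  # a *_start opens a transaction, a *_end closes it
    open_tx, done = {}, []
    for s in signals:
        if s.event.endswith("_start"):
            open_tx[s.host] = Transaction(s.host, [s])
        elif s.host in open_tx:
            open_tx[s.host].signals.append(s)
            if s.event.endswith("_end"):
                done.append(open_tx.pop(s.host))
    return done

def derive_indicators(tx: Transaction):  # why (if at all) this transaction warrants attention
    found = []
    if any(s.src in KNOWN_BAD_IPS for s in tx.signals):
        found.append("known_bad_ip")
    if tx.signals[0].ts.hour not in BUSINESS_HOURS:
        found.append("off_hours")
    return found
```

Running `derive_indicators` over the grouped transactions flags only Bob's connection, with both indicators, while Alice's identical daytime sequence produces none.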

For more information, check out the following resources:

  • indicator - Glossary | CSRC
  • Chapter 10 - Indicator of Attack: discover how Indicators of Attack (IoAs) can help detect and prevent cyberattacks in real time, their proactive nature, and their role in identifying and disrupting advanced threats.
  • Signal - Wikipedia