Indicators of Compromise (IOCs) and Indicators of Attack (IOAs)
Indicators of Compromise (IOCs)
Definition
IOCs are forensic evidence that indicates a system has already been compromised.
They are artefacts left behind after or during a breach.
Examples of IOCs
Common types include:
- Malicious IP addresses
- Suspicious domains or URLs
- File hashes (MD5, SHA-256)
- Known malware signatures
- Unexpected processes or services
- Unauthorized registry changes
- Presence of specific files or payloads
- Unusual outbound network traffic
- New or modified admin accounts
What IOCs Tell You
They answer the question:
“Did an intrusion occur?”
They are vital for:
- Incident response
- Threat hunting
- Malware detection
- Blocking known bad artifacts
Indicators of Attack (IOAs)
Definition
IOAs represent adversary actions, behaviors, and patterns, focusing on how the attack is unfolding, not just the artifacts left behind.
They detect the intent and behavior of an attacker—even if no known IOCs are involved.
Examples of IOAs
Behavioral patterns such as:
- Repeated failed login attempts → brute force
- Execution of PowerShell with suspicious parameters
- Lateral movement attempts (Pass-the-Hash, SMB enumeration)
- Privilege escalation activity
- Use of LOLBins (Living Off the Land binaries)
e.g.,wmic,certutil,mshta,rundll32 - Unexpected outbound connections to rare foreign IPs
- Suspicious fileless activity (memory-only malware)
- Parent-child process anomalies
(e.g., Word spawning PowerShell → likely macro attack)
What IOAs Tell You
They answer:
“Is an intrusion in progress?”
IOAs help detect:
- Zero-day attacks
- Fileless malware
- Novel or custom malware
- Early-stage attack activity
IOC vs IOA: What’s the Difference?
| Feature | IOC | IOA |
|---|---|---|
| Focus | Evidence of compromise | Behavior/intent of attacker |
| Timing | After/during an attack | Before/during an attack |
| Detection | Signature-based | Behavior-based |
| Usefulness | Good for confirming incidents | Good for early detection/prevention |
| Covers Zero-Day Attacks | ❌ Often no | ✅ Yes |
| Stability | May become obsolete quickly | More resilient over time |
How They Work Together
A mature security program uses both:
- IOCs → Identify what the attacker used or left behind
- IOAs → Identify how the attacker is acting or attempting to compromise systems
Combo Example:
- A suspicious process (
wmic) running → IOA - File hash of known malware detected → IOC
Together they confirm malware execution and allow faster detection, containment, and remediation.
Summary
IOCs = Evidence something bad has happened
IOAs = Evidence something bad is happening or will happen
Using both improves:
- Threat detection
- Incident response
- Threat hunting
- SOC efficiency
- Defence against advanced and novel attacks
Copyright © 2026 | WordPress Theme by MH Themes
Be the first to comment