Indicators of Attack (IOA)
What are Indicators of Attack (IOA)?
Indicators of Attack, or IOAs, are observable signs of suspicious behavior or attack activity that suggest an adversary may be attempting or actively carrying out malicious actions, often before a full compromise is confirmed.
Examples
- A workstation begins launching unusual command-line tools and spawning suspicious child processes in a pattern associated with attacker activity.
- A user account starts authenticating to systems it does not normally access and then attempts privilege escalation shortly afterward.
Discover 🔎
Attackers do not always leave obvious evidence straight away. There may be no known malware hash, no confirmed malicious file, and no clear sign that a system has already been fully compromised. Even so, their behavior can still give them away.
That is where indicators of attack become valuable. Instead of focusing mainly on what the attacker has left behind, IOAs focus on what the attacker appears to be doing. The sign is often behavioral rather than artifact-based. This makes IOAs especially useful for spotting malicious activity while it is unfolding or before the full impact becomes visible.
Summary 📝
Indicators of Attack are behavior-based signs that suggest malicious activity is being attempted or actively carried out. They differ from IOCs by focusing more on attacker methods and suspicious action patterns than on fixed artifacts left behind. Their strength lies in helping defenders detect and respond to attacks earlier, even when the exact malware, domain, or tool is not yet known.