Overview
Indicators of Attack (IoAs) describe the behavior an adversary must exhibit to reach an objective, so they support detection while an attack is still in progress, before a breach has produced recognizable artifacts. Unlike IoCs, which match artifacts left behind (the 'what': a file hash, a domain, an IP address), IoAs match the actions being taken (the 'how': a sequence of events that looks like credential theft or lateral movement regardless of which tool performed it). Because they are keyed on behavior rather than on specific artifacts, IoAs stay useful when the attacker recompiles a binary, rotates infrastructure, or swaps in new tooling.
Key Differences from IoCs
- Proactive vs. Reactive: IoAs flag attacker activity as it unfolds, ideally before the objective (data theft, ransomware deployment) is reached; IoCs match artifacts already observed in an earlier compromise, so a hit usually means the breach has already happened.
- Behavioral vs. Artifact-based: IoAs focus on tactics such as lateral movement or credential harvesting; IoCs focus on file hashes, domains or IP addresses. IoCs are cheap to match but trivial for an attacker to change; IoAs cost more to build, because they require a baseline of what is normal for an account or host, but are harder to evade.
Examples of IoAs
- Lateral Movement: An account suddenly authenticating to multiple servers it does not normally use, typically within a short window; the alert depends on having a baseline of the hosts that account usually reaches.
- Credential Harvesting: A burst of failed login attempts against an account followed by a successful one, especially when the success comes from a source location the account has never used before.
- Execution of PowerShell Scripts: Running obfuscated or encoded scripts (for example a base64 -EncodedCommand payload launched with a hidden window) whose content attempts to disable or tamper with security software.
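The three examples above are behavioral patterns rather than artifacts, so each one can be expressed as a rule that runs over a stream of events plus a baseline of normal activity. The block below is an added example, not code from the original page: it implements one small detector per IoA and runs them over constructed sample telemetry. The event tuples, host names, user names, IP addresses, baselines and thresholds are all assumptions made for the illustration, and the list of Defender-tampering patterns is a deliberately short heuristic list, not a complete one.

```python
# Added example: one toy detector per IoA, run over constructed sample events.
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth events: (timestamp, user, src_ip, dst_host, outcome)
AUTH_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "10.1.1.5", "FS01", "success"),
    ("2024-05-01T09:05:00", "bob", "10.1.1.9", "WS07", "success"),
    # bob's account fans out to three servers it never touches, within minutes
    ("2024-05-01T09:06:00", "bob", "10.1.1.9", "SQL01", "success"),
    ("2024-05-01T09:06:30", "bob", "10.1.1.9", "SQL02", "success"),
    ("2024-05-01T09:07:00", "bob", "10.1.1.9", "DC01", "success"),
    # four failures against carol, then a success from an IP she never uses
    ("2024-05-01T09:10:00", "carol", "203.0.113.7", "VPN01", "failure"),
    ("2024-05-01T09:10:05", "carol", "203.0.113.7", "VPN01", "failure"),
    ("2024-05-01T09:10:10", "carol", "203.0.113.7", "VPN01", "failure"),
    ("2024-05-01T09:10:15", "carol", "203.0.113.7", "VPN01", "failure"),
    ("2024-05-01T09:10:20", "carol", "203.0.113.7", "VPN01", "success"),
]
# Baselines a real pipeline would learn from weeks of history (constructed here).
USUAL_HOSTS = {"alice": {"FS01"}, "bob": {"WS07"}, "carol": {"VPN01"}}
USUAL_SRC_IPS = {"alice": {"10.1.1.5"}, "bob": {"10.1.1.9"}, "carol": {"10.1.1.12"}}

# -EncodedCommand takes base64 of UTF-16LE text; build a constructed payload.
_PAYLOAD = "Set-MpPreference -DisableRealtimeMonitoring $true"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode()
# Constructed process-creation events: (timestamp, host, user, command_line)
PROCESS_EVENTS = [
    ("2024-05-01T09:12:00", "WS07", "bob",
     "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + _ENCODED),
    ("2024-05-01T09:13:00", "FS01", "alice",
     "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
]

# Assumed, non-exhaustive heuristics for tampering with Windows Defender.
DEFENSE_EVASION_PATTERNS = [
    r"Set-MpPreference\s+-Disable\w+",
    r"Stop-Service\s+.*\b(WinDefend|Sense)\b",
    r"Uninstall-WindowsFeature\s+Windows-Defender",
]
# Matches -e / -enc / -EncodedCommand followed by a base64 blob (common aliases only).
ENCODED_FLAG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def detect_lateral_movement(events, usual_hosts, window=timedelta(minutes=10), max_new_hosts=2):
    """Flag accounts reaching more than max_new_hosts hosts outside their baseline within window."""
    per_user = defaultdict(list)
    for ts, user, _ip, host, outcome in events:
        if outcome == "success" and host not in usual_hosts.get(user, set()):
            per_user[user].append((datetime.fromisoformat(ts), host))
    alerts = []
    for user, hits in per_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start point
            new_hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(new_hosts) > max_new_hosts:
                alerts.append((user, sorted(new_hosts)))
                break
    return alerts

def detect_credential_harvesting(events, usual_src_ips, window=timedelta(minutes=5), min_failures=4):
    """Flag a success preceded by >= min_failures failures for that user, from a non-baseline IP."""
    failures = defaultdict(list)
    alerts = []
    for ts, user, ip, host, outcome in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if outcome == "failure":
            failures[user].append(t)
            continue
        recent = [f for f in failures[user] if t - f <= window]
        if len(recent) >= min_failures and ip not in usual_src_ips.get(user, set()):
            alerts.append((user, ip, host, len(recent)))
    return alerts

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand body, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def detect_malicious_powershell(events):
    """Flag PowerShell launches that are obfuscated AND try to disable security software."""
    alerts = []
    for _ts, host, user, cmdline in events:
        if "powershell" not in cmdline.lower():
            continue
        decoded = decode_encoded_command(cmdline)
        body = decoded if decoded is not None else cmdline
        # crude obfuscation signals: encoded payload, runtime base64 decode, heavy backtick use
        obfuscated = decoded is not None or "FromBase64String" in body or body.count("`") > 3
        evasion = [p for p in DEFENSE_EVASION_PATTERNS if re.search(p, body, re.IGNORECASE)]
        if obfuscated and evasion:
            alerts.append((host, user, evasion))
    return alerts
```

Run on the constructed events, `detect_lateral_movement` flags bob for SQL01, SQL02 and DC01, `detect_credential_harvesting` flags carol's success from 203.0.113.7 after four failures, and `detect_malicious_powershell` flags bob's encoded Defender-disabling command while leaving alice's plain backup script alone. The important design choice is that none of the rules mention a hash, domain or tool name: changing the attacker's binary or IP does not change what they match, which is exactly the property that separates an IoA from an IoC. In practice the thresholds and the baselines are where the tuning effort goes.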