ELI5: What are Indicators of Attack?

While clues left behind (like footprints) tell you a burglar already came, indicators of attack are like hearing someone jiggle the doorknob right now. They catch bad behavior as it happens.

Definition

Indicators of Attack (IoAs) are behavioral signals that suggest an attack is actively occurring, distinct from Indicators of Compromise (IoCs), which are artifacts (file hashes, IP addresses, domain names) showing that a compromise has already occurred. IoAs describe attacker tactics, techniques and procedures (TTPs) rather than specific artifacts, so they can detect activity even when attackers use novel malware or previously unseen tools. IoAs are central to behavioral threat detection.

Key Details

  • IoC vs. IoA: IoCs are retrospective (evidence of past compromise, matched against known-bad artifacts); IoAs are contemporaneous (signs of an attack in progress, matched against behavior as it occurs).
  • Examples of IoAs: lateral movement between systems, privilege escalation attempts, unusual process spawning chains (e.g., an Office application launching a command interpreter), credential dumping behavior.
  • IoAs are usually expressed in terms of the MITRE ATT&CK framework, a knowledge base of adversary TTPs, which gives each technique a stable identifier that detections can be mapped to.
  • Detection relies on behavioral analytics (parent/child process relationships, process access patterns, account activity across hosts) rather than static signature matching.
  • IoAs remain valid even when attackers rebuild or rename their malware: the hash changes, but the behavior (e.g., reading LSASS process memory, ATT&CK T1003.001) stays the same. The trade-off is tuning: legitimate software such as AV engines also reads LSASS, so behavioral rules need allowlists and baselining or they generate noise.
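The following is an added example (not code from the original page or any vendor product) showing the IoC-versus-IoA distinction in working detection logic. It runs an artifact match and three behavioral rules over a constructed set of endpoint events whose fields are loosely modeled on Sysmon process-creation and process-access records; the event data, the "known-bad" hash, the LSASS reader allowlist and the rule thresholds are all assumptions for illustration. The point it demonstrates is that a recompiled credential dumper with a new hash slips past the IoC check but still trips the behavioral rule, and that a stateful rule can surface lateral movement that no single event reveals.

```python
"""IoC (artifact) matching versus IoA (behavior) rules over constructed events.
Added example; event fields loosely follow Sysmon EID 1 / EID 10 semantics."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class Event:
    kind: str                 # "process_create" or "process_access"
    host: str
    user: str
    image: str                # full path of the acting process
    parent: str = ""          # parent image (process_create only)
    cmdline: str = ""         # command line (process_create only)
    target: str = ""          # target image (process_access only)
    granted_access: int = 0   # access mask granted (process_access only)
    sha256: str = ""          # hash of `image` (process_create only)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# ---- IoC: match known-bad artifacts; only works if the attacker reuses them ----
KNOWN_BAD_SHA256: Set[str] = {"0" * 63 + "1"}   # constructed placeholder feed


def ioc_matches(events: List[Event]) -> List[Event]:
    return [e for e in events if e.sha256 and e.sha256 in KNOWN_BAD_SHA256]


# ---- IoA: match behavior, independent of file names and hashes ----
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "services.exe", "wsmprovhost.exe"}  # WMI, SCM, WinRM
PROCESS_VM_READ = 0x0010                                  # needed to read another process's memory
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe"}  # assumed allowlist; tune per estate


def office_spawns_shell(e: Event) -> bool:
    """Initial-execution IoA: an Office application launching a command interpreter."""
    return (e.kind == "process_create"
            and basename(e.parent) in OFFICE_APPS
            and basename(e.image) in SHELLS)


def lsass_memory_read(e: Event) -> bool:
    """Credential-dumping IoA: a non-allowlisted process opens lsass.exe with VM_READ."""
    return (e.kind == "process_access"
            and basename(e.target) == "lsass.exe"
            and bool(e.granted_access & PROCESS_VM_READ)
            and basename(e.image) not in LSASS_READERS_ALLOWED)


def lateral_movement(events: List[Event]) -> List[Dict[str, str]]:
    """Stateful IoA: one account spawning shells under remote-execution parents on 2+ hosts."""
    hosts_by_user: Dict[str, Set[str]] = {}
    for e in events:
        if (e.kind == "process_create" and basename(e.parent) in REMOTE_EXEC_PARENTS
                and basename(e.image) in SHELLS):
            hosts_by_user.setdefault(e.user, set()).add(e.host)
    return [{"rule": "lateral_movement", "user": u, "hosts": ",".join(sorted(h))}
            for u, h in hosts_by_user.items() if len(h) >= 2]


PER_EVENT_RULES: Dict[str, Callable[[Event], bool]] = {
    "office_spawns_shell": office_spawns_shell,
    "lsass_memory_read": lsass_memory_read,
}


def ioa_alerts(events: List[Event]) -> List[Dict[str, str]]:
    alerts: List[Dict[str, str]] = []
    for e in events:
        for name, rule in PER_EVENT_RULES.items():
            if rule(e):
                alerts.append({"rule": name, "host": e.host, "user": e.user, "image": basename(e.image)})
    alerts.extend(lateral_movement(events))
    return alerts


# Constructed telemetry for one intrusion; paths and hashes are illustrative.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LSASS = r"C:\Windows\System32\lsass.exe"
WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
SAMPLE_EVENTS = [
    # macro document launches an encoded PowerShell stager
    Event("process_create", "WS01", "alice", PS, parent=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA", sha256="2" * 64),
    # benign: the AV engine reads LSASS (allowlisted)
    Event("process_access", "WS01", "SYSTEM", r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
          target=LSASS, granted_access=0x1010),
    # known dumper build dropped as update.exe: IoC hash match AND behavioral match
    Event("process_create", "WS01", "alice", r"C:\Users\alice\AppData\Local\Temp\update.exe", parent=PS, sha256="0" * 63 + "1"),
    Event("process_access", "WS01", "alice", r"C:\Users\alice\AppData\Local\Temp\update.exe", target=LSASS, granted_access=0x1410),
    # recompiled variant on a second host: new hash (IoC miss), same behavior (IoA hit)
    Event("process_create", "SRV02", "alice", r"C:\Windows\Temp\svc.exe", parent=WMIPRVSE, sha256="3" * 64),
    Event("process_access", "SRV02", "alice", r"C:\Windows\Temp\svc.exe", target=LSASS, granted_access=0x1010),
    # remote shells via WMI on two hosts: only visible as a pattern across events
    Event("process_create", "SRV02", "alice", r"C:\Windows\System32\cmd.exe", parent=WMIPRVSE, cmdline="cmd.exe /c whoami"),
    Event("process_create", "SRV03", "alice", r"C:\Windows\System32\cmd.exe", parent=WMIPRVSE, cmdline="cmd.exe /c whoami"),
]

if __name__ == "__main__":
    print("IoC hits:", [basename(e.image) for e in ioc_matches(SAMPLE_EVENTS)])
    for a in ioa_alerts(SAMPLE_EVENTS):
        print("IoA alert:", a)
```

Run as a script, the IoC check reports only `update.exe`, while the behavioral rules report the Office-to-PowerShell chain, both LSASS reads (including the rehashed `svc.exe`) and the cross-host WMI shell pattern. The allowlist in `lsass_memory_read` is the tuning step the last bullet refers to: without it the Defender read would fire too.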

Connections