What is an Indicator of Attack?

An Indicator of Attack (IOA) is differentiated from an Indicator of Compromise (q.v.) by quality and by a lower incidence of false positives. It can be thought of as a higher-quality indicator of a true attack. ASERT differentiates IOAs from IOCs on the basis of quality and insight: IOCs are mere indicators of malicious software, while IOAs from the Arbor perspective are high fidelity and help identify malice and intent in the form of Campaigns (i.e. directed, persistent efforts by proven attackers).

An Indicator of Compromise (IOC) is normally found in the context of a threat feed, as a shared item that might lead to the discovery of an exploit or malware. An IOC is the result of research by third parties or investigators who observe and document the rogue behavior of attackers and malware. IOCs typically produce a high rate of false positives (i.e. alarms that aren't real), because an atomic indicator such as an IP address or file hash carries no context about who is using it or why. Related terms include IOA (q.v.) and Tactics, Techniques and Procedures (TTP).
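The following is an added example, not part of the original glossary and not Arbor or ASERT code, that contrasts the two definitions above in detection logic. It runs a small IOC feed (one IP, one file hash) and one behavioural IOA rule over constructed endpoint events; the event schema, host names, feed entries, and the "office application spawns a shell that beacons out and then reads LSASS" chain are all assumptions made for illustration. The IOC matcher fires on two benign-looking hosts, while the IOA rule fires on the one host whose activity never touched a feed indicator.

```python
"""Added example (not from the original page): IOC matching versus an IOA rule.

Everything below is constructed for illustration: the feed, the telemetry
schema, the host names and the behavioural chain are assumptions.
"""
from datetime import datetime, timedelta

# Constructed IOC feed: atomic indicators with no context attached.
IOC_FEED = {
    "ip": {"203.0.113.10"},
    # SHA-256 of zero-byte input. This value really does turn up in hash
    # feeds and matches every empty file, a classic IOC false positive.
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed endpoint telemetry; keys are an assumed schema, not a vendor's.
EVENTS = [
    # wks-01: macro document spawns a shell, which beacons out and reads LSASS.
    # Note the beacon destination 198.51.100.7 is NOT on the IOC feed.
    {"t": ts("2024-05-01T09:00:00"), "host": "wks-01", "type": "process_start",
     "pid": 412, "image": "powershell.exe", "parent_image": "winword.exe"},
    {"t": ts("2024-05-01T09:00:07"), "host": "wks-01", "type": "net_connect",
     "pid": 412, "image": "powershell.exe", "dst_ip": "198.51.100.7"},
    {"t": ts("2024-05-01T09:01:30"), "host": "wks-01", "type": "process_access",
     "pid": 412, "image": "powershell.exe", "target_image": "lsass.exe"},
    # wks-02: a browser visits a feed IP (e.g. shared hosting after a takedown).
    {"t": ts("2024-05-01T10:15:00"), "host": "wks-02", "type": "net_connect",
     "pid": 900, "image": "chrome.exe", "dst_ip": "203.0.113.10"},
    # wks-03: a user creates an empty file whose hash is on the feed.
    {"t": ts("2024-05-01T11:00:00"), "host": "wks-03", "type": "file_create",
     "pid": 77, "image": "explorer.exe", "path": "C:\\Users\\a\\new.txt",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    # wks-04: an admin runs PowerShell from a terminal; no credential access.
    {"t": ts("2024-05-01T12:00:00"), "host": "wks-04", "type": "process_start",
     "pid": 55, "image": "powershell.exe", "parent_image": "cmd.exe"},
    {"t": ts("2024-05-01T12:00:03"), "host": "wks-04", "type": "net_connect",
     "pid": 55, "image": "powershell.exe", "dst_ip": "198.51.100.7"},
]


def ioc_matches(events, feed):
    """Atomic IOC matching: one event against one indicator, no context.
    Returns (host, indicator_type, value) for every hit."""
    hits = []
    for e in events:
        if e.get("dst_ip") in feed["ip"]:
            hits.append((e["host"], "ip", e["dst_ip"]))
        if e.get("sha256") in feed["sha256"]:
            hits.append((e["host"], "sha256", e["sha256"]))
    return hits


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def ioa_matches(events, window=timedelta(minutes=10)):
    """Behavioural IOA rule tracked per (host, pid), in time order:
      stage 1: office application spawns a shell/script host
      stage 2: that process makes an outbound connection
      stage 3: that process opens lsass.exe (credential access)
    All three must occur within `window`; returns (host, pid) per completed chain."""
    stage = {}  # (host, pid) -> (current_stage, chain_start_time)
    hits = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        key = (e["host"], e["pid"])
        if (e["type"] == "process_start" and e["image"] in SHELLS
                and e.get("parent_image") in OFFICE_APPS):
            stage[key] = (1, e["t"])
            continue
        if key not in stage:
            continue
        s, t0 = stage[key]
        if e["t"] - t0 > window:       # chain went stale, drop it
            del stage[key]
            continue
        if s == 1 and e["type"] == "net_connect":
            stage[key] = (2, t0)
        elif s == 2 and e["type"] == "process_access" \
                and e.get("target_image") == "lsass.exe":
            hits.append(key)
            del stage[key]
    return hits


if __name__ == "__main__":
    print("IOC hits:", ioc_matches(EVENTS, IOC_FEED))   # wks-02 and wks-03, both benign
    print("IOA hits:", ioa_matches(EVENTS))             # wks-01 only
```

The IOC matcher alerts on wks-02 and wks-03, neither of which is compromised, and says nothing about wks-01, whose attacker infrastructure was not yet on any feed. The IOA rule ignores the lone feed hits and the admin's interactive PowerShell on wks-04, and fires only when the full sequence completes, which is the "malice and intent" the ASERT definition refers to. The cost is that a behavioural rule must be written and tuned per technique rather than downloaded as a list.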

Controversy: IOA as a term was coined recently by CrowdStrike (a threat intelligence provider) and as such is not as well known as IOC, may change definition readily, and may lead to some confusion among vendors who try to co-opt the term (as Arbor has done).