What is an Indicator of Attack?

An Indicator of Attack (IOA) is a cybersecurity concept that helps identify the clear intent of a cyberattacker. Unlike an Indicator of Compromise (IOC), which serves as a basic sign of malicious software, an IOA provides more accurate, high-quality detection with fewer false positives. An IOA focuses not just on the tools or methods employed by the adversary, but specifically on their motive for conducting an attack. This approach, supported by the NETSCOUT Arbor ASERT team, helps identify the malicious intent and the persistent efforts of proven attackers, often described as 'Campaigns'. IOAs are therefore considered high-fidelity indicators, able to recognize genuine threats and set them apart from mere indicators.

An Indicator of Compromise (IOC) is normally found in a threat feed, as a shared item that might lead to the discovery of an exploit or malware. An IOC is the result of research by third parties or investigators who observe and document the rogue behavior of attackers and malware. IOCs typically produce a high rate of false positives (i.e. alarms that aren’t real). Related terms include IOA (q.v.) and Tactics, Techniques and Practices (TTP).

Controversy: IOA as a term was coined recently by Counterstrike (a Threat Intelligence provider) and as such is not as well known as IOC, may change definition readily, and may lead to some confusion among vendors who try to co-opt the term (as Arbor has done).