Indicator of Compromise (IoC) vs. Indicator of Attack (IoA)

Chad Warner
2 min read · May 19, 2022


What’s the difference between an indicator of compromise (IoC) and an indicator of attack (IoA)?


First, what are indicators? Indicators are pieces of evidence related to security incidents. They can be hashes, domain names, IP addresses, URLs, malware signatures, registry keys, filenames, processes, services, network traffic, activity from unusual geographic locations, unrecognized software, unusual activity, unusual registry or file changes, high database read activity, a high number of failed login attempts, suspicious configuration changes, and unusual DNS queries.

An indicator of compromise (IoC or IOC) is evidence of a past security incident; evidence that a system or network may have suffered unauthorized access by malware or a human. IoCs are used by DFIR, IR, CTI, threat hunters, and other defenders to study attacks.

An indicator of attack (IoA or IOA) is evidence of a current, active security incident; evidence that a system or network may currently be under unauthorized access by malware or a human. IoAs are used by IDSs, IPSs, NGFWs, anti-malware, and other detection hardware and software to alert on and potentially stop active attacks.

So, the difference between an IoC and an IoA is that an IoC is historical, looking back at a past attack, whereas an IoA is current, looking at an attack in progress.
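To make the distinction concrete, here is a small added example (not code from the original post) that runs both kinds of logic over constructed sample events: IoC matching compares artifacts against a list of known-bad values learned from past incidents, while IoA detection looks for a behavior, a burst of failed logins followed by a success, without needing any known-bad value at all. The indicator values, hostnames and events are all constructed placeholders.

```python
from collections import defaultdict

# Constructed, obviously fake IoCs standing in for a real threat-intel feed.
KNOWN_BAD = {
    "hash": {"sha256:PLACEHOLDER-KNOWN-BAD-1"},
    "domain": {"c2.bad.example"},
    "ip": {"203.0.113.7"},  # TEST-NET-3 documentation range, not a real indicator
}

# Constructed sample events; "ts" is a timestamp in seconds.
EVENTS = [
    {"ts": 100, "type": "file", "host": "ws1", "hash": "sha256:PLACEHOLDER-KNOWN-BAD-1"},
    {"ts": 101, "type": "dns", "host": "ws1", "domain": "updates.example"},
    {"ts": 102, "type": "dns", "host": "ws2", "domain": "c2.bad.example"},
    {"ts": 200, "type": "login", "host": "srv1", "src": "198.51.100.9", "ok": False},
    {"ts": 205, "type": "login", "host": "srv1", "src": "198.51.100.9", "ok": False},
    {"ts": 210, "type": "login", "host": "srv1", "src": "198.51.100.9", "ok": False},
    {"ts": 212, "type": "login", "host": "srv1", "src": "198.51.100.9", "ok": True},
    {"ts": 300, "type": "login", "host": "srv1", "src": "198.51.100.20", "ok": False},
]


def match_iocs(events):
    """IoC matching: flag any artifact equal to a known-bad value from a past incident."""
    hits = []
    for e in events:
        for field in ("hash", "domain", "ip", "src"):
            value = e.get(field)
            key = "ip" if field == "src" else field  # source IPs are checked against the IP list
            if value in KNOWN_BAD.get(key, ()):
                hits.append((e["host"], field, value))
    return hits


def detect_ioas(events, threshold=3, window=60):
    """IoA detection: alert when >= threshold failed logins from one source within
    `window` seconds are followed by a successful login (behavior, not a known value)."""
    failures = defaultdict(list)  # (host, src) -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "login":
            continue
        key = (e["host"], e["src"])
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if e["ok"]:
            if len(recent) >= threshold:
                alerts.append((e["host"], e["src"], len(recent)))
            failures[key] = []  # successful login resets the failure window
        else:
            recent.append(e["ts"])
            failures[key] = recent
    return alerts
```

Note that the IoC matcher is blind to the login burst (no value in it is on any list), and the IoA detector is blind to the known-bad hash and domain; a real detection stack needs both.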

Additional Resources


Written by Chad Warner

Web Strategist at OptimWise. Cybersecurity & privacy enthusiast. Bookworm. Fan of Tolkien & LEGO.
