Indicator of Compromise (IoC) vs. Indicator of Attack (IoA)
What’s the difference between an indicator of compromise (IoC) and an indicator of attack (IoA)?
First, what are indicators? Indicators are evidence related to security incidents. They can be hashes, domain names, IP addresses, URLs, malware signatures, registry keys, filenames, processes, services, network traffic, activity from unusual geographic locations, unrecognized software, unusual activity, unusual registry or file changes, high database read activity, high number of failed login attempts, suspicious configuration changes, and unusual DNS queries.
An indicator of compromise (IoC or IOC) is evidence of a past security incident; evidence that a system or network may have suffered unauthorized access by malware or a human. IoCs are used by DFIR, CTI, and other defenders to study past attacks.
An indicator of attack (IoA or IOA) is evidence of a current, active security incident; evidence that a system or network may be currently being accessed without authorization by malware or a human. IoAs are used by IDSs, IPSs, NGFWs, anti-malware, and other detection hardware and software to alert on and potentially stop active attacks.
So, the difference between an IoC and an IoA is that an IoC is historical, looking at a past attack, whereas an IoA is current, looking at an attack in process.
What are Indicators of Compromise? IOC Explained | CrowdStrike
An Indicator of Compromise (IOC) is a piece of digital forensics that suggests that an endpoint or network may have…
What Are Indicators of Compromise (IoC) | Proofpoint US
During a cybersecurity incident, indicators of compromise (IoC) are clues and evidence of a data breach. These digital…
Indicators of Compromise
I am sure that every one of you has heard of IoCs, or Indicators of Compromise. They are the forensics that security…