Indicators of Attack (IOA)
Indicators of Compromise (IOC)

What are IOAs and IOCs?

Anomalous behavior - whether that be related to humans or machines - can be a hint that an organization has been and/or currently is being targeted for attack. Similarly, anomalous objects such as an unexpected file or process can be another hint. Other clues include unexplained configuration changes and unusual patterns of network traffic.

The cybersecurity industry refers to these as Indicators of Attack (lOA's) and Indicators of Compromise (lOC's).

An Indicator of Attack is a clue that a malicious entity has gained, or is attempting to gain, unauthorised access to the network or assets connected to the network. It may be precursor activity prior to an attack being launched - and may even include human engineering to gather intelligence.

An Indicator of Compromise is a clue that a malicious entity has successfully gained access to the organization's network and/or systems and may additionally have exfiltrated data or otherwise succeeded in doing damage to the organization. In practice however, the term lOC is often used to encompass both lOC and lOA.

Threat Hunting Resources on