What’s the difference between IoA and IOC, and why is it crucial to incorporate them into a security strategy?


Courtesy of CrowdStrike (comparison table):

  IoC                                                  | IoA
  -----------------------------------------------------+-----------------------------------------------------------------
  Artifacts that suggest a system has been breached.   | Patterns of behavior that indicate an attack is in progress.
  Based on known malicious activity.                   | Based on the tactics, techniques, and procedures attackers use.
  Reactive.                                            | Proactive; can identify potential threats before an attack succeeds.
  Static: a given footprint does not change over time. | Dynamic: based on attacker behavior, which changes over time.

Indicators of Compromise (IoC):

IoCs are used after the fact: once an intrusion has been detected or contained, they tell the organization where the attack happened, what it looked like, and how it was carried out. They are also what threat-intelligence feeds, antivirus signatures, and retrospective log searches match against.

  • They identify past activities suggesting a potential cyberattack.
  • They present evidence of previous intrusions or compromises.
  • They help shed light on what attackers were able to access after an intrusion.


Examples According to Kaspersky:

  • Unusual DNS lookups,
  • Suspicious files, applications, and processes,
  • IP addresses and domains belonging to botnets or malware C&C servers,
  • A significant number of accesses to a single file,
  • Suspicious activity on administrator or privileged user accounts,
  • An unexpected software update,
  • Data transfer over rarely used ports,
  • Web traffic patterns that are atypical of a human user,
  • An attack signature or the file hash of a known piece of malware,
  • Unusually sized HTML responses,
  • Unauthorized modification of configuration files, registry keys, or device settings,
  • A large number of unsuccessful login attempts.

Indicators of Attack (IoA):

IoAs focus on attacks that are ongoing and active, and that therefore require an immediate response.

According to CrowdStrike: Indicators of attack (IOA) focus on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack.

In a nutshell:

  • They provide real-time alerts.
  • They detect suspicious or malicious activity that is in progress.
  • They help security teams spot and understand ongoing attacks for immediate action.


Examples According to GBHackers on Security:

  • Internal hosts communicating with known-bad destinations
  • Internal hosts communicating over non-standard ports
  • Connections from public servers or the DMZ inward to internal hosts
  • Malware detections outside business hours
  • Network scans launched by internal hosts
  • Multiple alarm events raised by a single host
  • A host that is repeatedly reinfected with malware
  • Multiple logins from different geographic regions
  • Internal hosts generating unusually high volumes of SMTP traffic
  • Internal hosts issuing unusually many queries to internal or external DNS servers

Note that several of these (known-bad destinations, malware detections) still rely on IOC lookups underneath. What makes them IOAs is that they are evaluated against live activity to flag an attack in progress, rather than against stored evidence to confirm a past one.
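To make the distinction in the table concrete, the following Python script runs both kinds of detection over the same telemetry: a static IOC lookup (hashes, domains, IPs, as in Kaspersky's list) and three behavioural IOA rules (an internal host scanning many ports, a run of failed logins ending in success, and a burst of DNS queries, as in the GBHackers list). This is an added example, not code from the page or from CrowdStrike, Kaspersky or GBHackers. The events, host names, indicator values (an RFC 5737 address, a .invalid domain, a dummy hash) and thresholds are all constructed placeholders for illustration.

```python
"""Added example (not from the page or any vendor): static IOC matching
beside behavioural IOA detection over constructed telemetry. All indicator
values, hosts, timestamps and thresholds below are illustrative placeholders."""
from collections import defaultdict
from datetime import datetime, timedelta

# IOCs: known-bad artefacts, matched by exact lookup (placeholder values).
BAD_HASH = "deadbeef" * 8
IOCS = {
    "sha256": {BAD_HASH},
    "domain": {"update-cdn.example.invalid"},
    "ip": {"203.0.113.7"},
}

# Illustrative tuning knobs for the behavioural (IOA) rules; tune per estate.
STANDARD_PORTS = {53, 80, 443}     # expected from a workstation; others are "non-standard"
SCAN_PORTS = 5                     # distinct non-standard (ip, port) pairs from one host
BRUTE_FAILS = 5                    # failed logins before a success
DNS_BURST = 50                     # DNS queries from one host inside DNS_WINDOW
DNS_WINDOW = timedelta(minutes=1)

BASE = "2024-05-01T02:"


def _event(kind, host, when, **fields):
    return {"type": kind, "host": host, "ts": datetime.fromisoformat(BASE + when), **fields}


# Constructed telemetry standing in for EDR, NetFlow and authentication logs.
EVENTS = [
    # ws-14 runs a binary with a known-bad hash and resolves a known C2 domain.
    _event("process", "ws-14", "00:01", sha256=BAD_HASH),
    _event("dns", "ws-14", "00:02", domain="update-cdn.example.invalid"),
    # ws-22 probes a file server on many ports, then brute-forces an account.
    # Nothing here matches an IOC; only the behaviour gives it away.
    *[_event("net", "ws-22", f"10:{i:02d}", ip="10.0.5.9", port=p)
      for i, p in enumerate((21, 22, 23, 135, 139, 445, 3389))],
    *[_event("auth", "ws-22", f"12:{i:02d}", user="svc-backup", ok=False)
      for i in range(BRUTE_FAILS)],
    _event("auth", "ws-22", "12:05", user="svc-backup", ok=True),
    # ws-30 issues 60 DNS queries in one minute (DGA or DNS-tunnelling pattern).
    *[_event("dns", "ws-30", f"20:{i:02d}", domain=f"h{i}.example.invalid")
      for i in range(60)],
]


def match_iocs(events, iocs=IOCS):
    """IOC matching: an event is a hit only if it carries a known-bad artefact."""
    hits = []
    for e in events:
        for field, bad in iocs.items():
            if e.get(field) in bad:
                hits.append((e["host"], field, e[field]))
    return hits


def detect_ioas(events):
    """IOA detection: flag behaviour patterns regardless of the tooling used."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        # 1. Network scan: many distinct non-standard destination ports.
        targets = {(e["ip"], e["port"]) for e in evs
                   if e["type"] == "net" and e["port"] not in STANDARD_PORTS}
        if len(targets) >= SCAN_PORTS:
            alerts.append((host, "scan", f"{len(targets)} non-standard ports"))

        # 2. Brute force: a run of failed logins for one user ending in success.
        streak = defaultdict(int)
        for e in (e for e in evs if e["type"] == "auth"):
            if e["ok"]:
                if streak[e["user"]] >= BRUTE_FAILS:
                    alerts.append((host, "brute-force",
                                   f"{e['user']} after {streak[e['user']]} failures"))
                streak[e["user"]] = 0
            else:
                streak[e["user"]] += 1

        # 3. DNS burst: DNS_BURST queries inside a sliding DNS_WINDOW.
        times = [e["ts"] for e in evs if e["type"] == "dns"]
        for i in range(len(times) - DNS_BURST + 1):
            if times[i + DNS_BURST - 1] - times[i] <= DNS_WINDOW:
                alerts.append((host, "dns-burst", f"{DNS_BURST}+ queries in {DNS_WINDOW}"))
                break
    return alerts


if __name__ == "__main__":
    for hit in match_iocs(EVENTS):
        print("IOC hit:  ", hit)
    for alert in detect_ioas(EVENTS):
        print("IOA alert:", alert)
```

Run stand-alone, the IOC matcher reports only ws-14 (the hash and the C2 domain), and the IOA rules report ws-22 (scan, brute force) and ws-30 (DNS burst). ws-22 never touches a known-bad artefact, so an IOC-only strategy would miss it until its tooling shows up in a feed; conversely the IOA rules say nothing about ws-14's binary until it does something. That gap is why the page argues for using both.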