IoC vs. IoA
What’s the difference between IoA and IOC, and why is it crucial to incorporate them into a security strategy?
TL;DR
| Courtesy of CrowdStrike |
| IoC | IoA |
|---|---|
| Artifacts that suggest a system has been breached. | Patterns of behavior that indicate that an attack is in progress. |
| Based on known malicious activity. | Based on the tactics, techniques, and procedures used by attackers. |
| Reactive | Proactive, and can identify potential threats before an attack. |
| Always static, footprints don’t change over time. | Mostly based on cybercriminal movements that are dynamic. |
Indicators of Compromise (IoC):
IoCs are used after an attack has been contained, when the organization requires information about the location, nature, and methods of the incident.
- They identify past activities suggesting a potential cyberattack.
- They present evidence of previous intrusions or compromises.
- They help shed light on what attackers were able to access after an intrusion.
Examples According to Kasperky:
- Unusual DNS lookups,
- Suspicious files, applications, and processes,
- IP addresses and domains belonging to botnets or malware C&C servers,
- A significant number of accesses to one file,
- Suspicious activity on administrator or privileged user accounts,
- An unexpected software update,
- Data transfer over rarely used ports,
- Behavior on a website that is atypical for a human being,
- An attack signature or a file hash of a known piece of malware,
- Unusual size of HTML responses,
- Unauthorized modification of configuration files, registers, or device settings,
- A large number of unsuccessful login attempts.
Indicators of Attack (IoA):
IoA focuses on attacks that are ongoing, active, and require an immediate response.
According to CrowdStrike: Indicators of attack (IOA) focus on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack.
In a nutshell:
- They provide real-time alerts.
- They detect suspicious or malicious activity that is in progress.
- They help security teams spot and understand ongoing attacks for immediate action.
Examples According to GBHackers on Security:
- Internal hosts with bad destinations
- Internal hosts with non-standard ports
- Public Servers/DMZ to Internal hosts
- Off-hour Malware Detection
- Network scans by internal hosts
- Multiple alarm events from a single host
- The system is reinfected with malware
- Multiple Login from different regions
- Internal hosts use much SMTP
- Internal hosts many queries to External/Internal DNS