
IOA (Indicators of Attack)

Definition


Indicators of Attack (IOA) are behavioural indicators signalling an attack in progress, unlike IOCs, which detect attacks after the fact. IOAs enable security teams to stop attacks earlier, often before damage occurs. CrowdStrike introduced the concept as the basis for proactive threat detection.

How do IOAs work?

IOCs are reactive: they search for known artefacts such as malware hashes and suspicious IP addresses. IOAs are proactive: they recognise attack behaviour regardless of the specific malware or tools involved. An IOA describes not what the attacker uses but what the attacker does. Examples include: PowerShell launched by a Word document (macro attack); a user logging in at an unusual time from an unknown location; a process attempting kernel privilege escalation; an admin tool connecting to hundreds of systems in rapid succession (lateral movement); large data volumes sent to an external IP (exfiltration).

IOA versus IOC

IOCs detect known threats with known hashes. New malware with unknown hashes passes undetected. IOAs detect the behaviour every attacker exhibits regardless of tools. An attacker can compile new malware daily, but fundamental attack behaviour remains recognisable. A mature security operation combines both.

Impact on organisations

IOA-based detection is the core of modern EDR and XDR platforms. Organisations relying only on IOCs miss advanced attacks that use custom malware and living-off-the-land (LotL) techniques, where the attacker works with tools already present on the system. NIS2 requires adequate detection capabilities beyond signature-based detection.

Protection

Implement EDR/XDR with behavioural analysis that recognises IOA patterns. Combine IOA detection with IOC matching for a complete picture. Define IOA detection rules based on MITRE ATT&CK techniques. Conduct threat hunting for IOA patterns.
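The following is an added example, not DEFION's or any EDR vendor's code, illustrating three points from this page at once: how an IOA describes what the attacker does rather than what they use, why a recompiled binary with a fresh hash slips past IOC matching but not behavioural matching, and how IOA rules can be defined against MITRE ATT&CK technique IDs. All process events, hostnames and hash strings are constructed placeholders; the technique IDs (T1566.001, T1059.001, T1027) are real ATT&CK identifiers; the rule set, process-name lists and the fan-out threshold of 20 hosts are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable

# Process and tool names used by the constructed rules below (assumed lists).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}
ADMIN_TOOLS = {"psexec.exe", "wmic.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str   # image name of the parent process
    image: str    # image name of the newly created process
    cmdline: str
    sha256: str   # constructed placeholder, not a real digest


@dataclass(frozen=True)
class NetEvent:
    host: str
    image: str
    dst_host: str


# IOC feed (constructed): known-bad hashes mapped to a family name.
KNOWN_BAD = {"sha256:constructed-dropper-v1": "Dropper.A"}


def ioc_matches(e: ProcessEvent) -> list[str]:
    """Artefact match: fires only when this exact hash is already known."""
    family = KNOWN_BAD.get(e.sha256)
    return [f"IOC hash match: {family}"] if family else []


@dataclass(frozen=True)
class IoaRule:
    name: str
    technique: str                             # MITRE ATT&CK technique id(s)
    predicate: Callable[[ProcessEvent], bool]


def _has_encoded_flag(cmdline: str) -> bool:
    # PowerShell accepts any unambiguous prefix of -EncodedCommand; these are
    # the common spellings. Whole-token matching avoids hitting e.g. "-Encoding".
    return any(t in {"-e", "-ec", "-enc", "-encodedcommand"} for t in cmdline.lower().split())


# Behavioural rules: each describes an action, not a binary, and carries its ATT&CK mapping.
IOA_RULES = [
    IoaRule("Office application spawned a shell", "T1566.001 / T1059.001",
            lambda e: e.parent.lower() in OFFICE_APPS and e.image.lower() in SHELLS),
    IoaRule("PowerShell launched with an encoded command", "T1059.001 / T1027",
            lambda e: e.image.lower() in {"powershell.exe", "pwsh.exe"} and _has_encoded_flag(e.cmdline)),
]


def ioa_matches(e: ProcessEvent) -> list[str]:
    """Behaviour match: independent of which binary or hash is involved."""
    return [f"IOA {r.technique}: {r.name}" for r in IOA_RULES if r.predicate(e)]


def triage(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Run both detection styles over every event; returns event index -> findings."""
    return {i: ioc_matches(e) + ioa_matches(e) for i, e in enumerate(events)}


def lateral_movement_fanout(events: list[NetEvent], threshold: int = 20) -> dict[tuple[str, str], int]:
    """Aggregate IOA: one admin tool on one host reaching many distinct hosts.
    The threshold is an assumption; tune it to the environment's baseline."""
    fan: dict[tuple[str, str], set[str]] = defaultdict(set)
    for n in events:
        if n.image.lower() in ADMIN_TOOLS:
            fan[(n.host, n.image.lower())].add(n.dst_host)
    return {k: len(v) for k, v in fan.items() if len(v) >= threshold}


# Constructed sample telemetry.
SAMPLE_PROCESSES = [
    ProcessEvent("ws01", "explorer.exe", "chrome.exe", "chrome.exe", "sha256:constructed-chrome"),
    ProcessEvent("ws01", "explorer.exe", "update.exe", "update.exe /silent", "sha256:constructed-dropper-v1"),
    ProcessEvent("ws02", "WINWORD.EXE", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA", "sha256:constructed-powershell"),
    # Same dropper recompiled: new hash, so the IOC feed no longer knows it...
    ProcessEvent("ws03", "explorer.exe", "update.exe", "update.exe /silent", "sha256:constructed-dropper-v2"),
    # ...but its behaviour (spawning encoded PowerShell) is still recognisable.
    ProcessEvent("ws03", "update.exe", "powershell.exe",
                 "powershell.exe -w hidden -EncodedCommand SQBFAFgA", "sha256:constructed-powershell"),
]
SAMPLE_CONNECTIONS = [NetEvent("ws02", "psexec.exe", f"srv{i:02d}") for i in range(25)] + [
    NetEvent("ws01", "psexec.exe", "srv01")]

if __name__ == "__main__":
    for i, findings in triage(SAMPLE_PROCESSES).items():
        print(i, findings or "-")
    print(lateral_movement_fanout(SAMPLE_CONNECTIONS))
```

Running it shows the contrast the page describes: the first dropper is caught by the hash feed alone, the recompiled copy produces no IOC hit at all, yet the PowerShell it launches trips the same behavioural rule as the macro-driven Word event, and the per-event rules are complemented by an aggregate rule that only becomes visible across many connection events.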

How DEFION helps

DEFION integrates IOA-based detection in Managed Threat Detection. Threat hunting specifically searches for IOA patterns indicating advanced attacks. Purple Teaming validates IOA detection rule effectiveness.

Related terms

IOC (Indicator of Compromise)
EDR (Endpoint Detection & Response)
Threat Hunting