Indicators of Attack vs. Indicators of Compromise

From The Research Team

Indicators of Attack vs. Indicators of Compromise

Indicators of Attack and Indicators of Compromise are two important elements of a cyber-attack. Understanding these key elements can help you ensure that your organization’s cyber security policies and procedures are optimised to identify an attack before it even begins.

Indicators of Attack vs. Indicators of Compromise

The first thing you need to know are the definitions and key differences between an Indicator of Attack (IOA) and an Indicator of Compromise (IOC). An IOA focuses on detecting the intent of what an attacker is trying to accomplish, this is typically an alert or notification BEFORE a network or application is exploited. While an IOC is after the fact, An IOC is often described in the forensics world as evidence on a computer that indicates the security of a network has been breached. 

 

A Real World Example

Let’s use a real-world analogy to better understand these important indicators. A smart bank robber would begin by doing some reconnaissance on the target bank; during this step the robber wants to know what kind of security measures are in place, the best time and tactics to use, and any defensive capabilities before beginning the heist.

The robber then proceeds to execute the attack. IOA’s in this scenario would be the actions the robber does before starting the attack on the bank, such as driving around the bank scouting out any security features and identifying the type of vault used. On the flip side IOC’s would be the evidence left behind after the thief has emptied the vault, such as any fingerprints/footprints, or evidence of tampering, an empty vault, and possibly any tools the robber left behind. 

 

Which Is More Important

Now, you might be thinking to yourself “well these both sound super important”, and right you would be. But think of it this way, would you rather be notified that you are in the process of being hacked, or notified after the bad actor has already gained access to your systems? In almost every case, you would want awareness of the attack, at the first indication of malicious intent or the IOA stage, when observation and planning for the attack begins. This would allow you to fortify your systems before an attack gains access to your network, applications, or data.

If you do not know about an attack on your systems until you notice Indicators of Compromise, everything you do afterwards will be damage control and recovery. Allowing an attack to happen means a loss of valuable time regaining control of your own systems, identifying what was taken and how deep the threat exists. You will lose working hours on current projects, likely notify clients and employees their data has been compromised suffer a loss of trust from your stakeholders.  

 

What To Do

Knowing the difference between Indicators of Attack and Indicators of Compromise is crucial for organizations and you might be thinking, “well shucks how do I identify Indicators of Attack?”


That is where CyNtell comes in to help. Our experts utilize various tools to run constant deep scans of your network in order to identify any vulnerabilities and positively identify indicators of attack and indicators of compromise, then remediate the vulnerabilities to protect your organization. With a combined 35 years of experience, our cyber solutions experts provide the security you are looking for while maintaining a comfortable, transparent, and close relationship with your organization to ensure your valuable digital assets remain secure. 

 CyNtell’s variety of cyber security services that will help your organization maintain a strong cyber security posture. Take a look at all of our expert cyber security solutions.

Looking to speak with a CyNtell Cyber Specialist?
Schedule a Call