Threat Analysis

Indicator of Attack (IOA)

An indicator of attack is a behavioral signal that suggests an attack is underway, even if no confirmed compromise artifact has been observed yet.

What Is an IOA?

Unlike an IOC, which often points to something that has already happened, an IOA focuses on suspicious behavior such as process chains, credential abuse patterns, or unusual privilege changes. These signals are useful because they can detect attacker activity even when malware signatures or static artifacts are absent.

Common IOA Examples

  1. Suspicious Process Behavior: A script interpreter spawning credential dumping tools
  2. Privilege Abuse: Unexpected elevation or lateral movement activity
  3. Execution Chains: Tool sequences commonly associated with intrusion playbooks
  4. Living-off-the-Land Use: Legitimate binaries used in suspicious ways

Why IOAs Matter

IOAs support earlier and more resilient detection. Because they focus on behaviors instead of fixed artifacts, they are often more effective against attackers who frequently change payloads, domains, or infrastructure.

How FourCore ATTACK Relates

FourCore ATTACK helps teams validate whether behavior-based detections trigger during controlled attack emulation. That makes it useful for tuning IOA-focused analytics and response workflows.

Related Terms

Related Reading