Indicator of Attack (IoA)
What is Indicator of Attack (IoA)?
Indicator of Attack (IoA)Behavioral evidence that an attacker is attempting an intrusion right now, focused on intent and technique rather than after-the-fact artifacts.
An Indicator of Attack describes adversary behavior in progress: code execution, persistence attempts, privilege escalation, credential dumping, lateral movement, exfiltration. Unlike IoCs, which are atomic and easy for attackers to rotate, IoAs are tied to techniques and harder to evade because changing them requires changing the underlying tradecraft. IoAs map cleanly onto MITRE ATT&CK techniques and underpin behavior-based detection in EDR, XDR, and modern SIEM analytics. Effective IoAs identify the why and how of an action — for example, an Office process spawning PowerShell that downloads from an external domain — and trigger response before damage occurs.
● Examples
- 01
An IoA triggers when winword.exe spawns powershell.exe with an encoded command line.
- 02
An IoA for credential theft: LSASS memory accessed by an unsigned process.
● Frequently asked questions
What is Indicator of Attack (IoA)?
Behavioral evidence that an attacker is attempting an intrusion right now, focused on intent and technique rather than after-the-fact artifacts. It belongs to the Defense & Operations category of cybersecurity.
What does Indicator of Attack (IoA) mean?
Behavioral evidence that an attacker is attempting an intrusion right now, focused on intent and technique rather than after-the-fact artifacts.
How do you defend against Indicator of Attack (IoA)?
Defences for Indicator of Attack (IoA) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Indicator of Attack (IoA)?
Common alternative names include: IoA, Behavioral indicator.