Explain the difference between Indicators of Compromise (IOCs) and Indicators of Attack (IOAs).
Short answer
An IOC is a forensic artifact that something bad already happened — a malicious file hash, a C2 IP or domain, a known-bad registry key. An IOA is a behavioral signal of an attack unfolding regardless of the specific tools — e.g. a Word document spawning PowerShell, then reaching out to the internet. IOCs are reactive and easy to evade by changing a hash; IOAs catch intent and survive tool changes.
This question separates analysts who match signatures from analysts who understand behavior. Both indicator types matter, but they answer different questions and have very different shelf lives.
Indicators of Compromise (IOCs)
An IOC is a concrete artifact that proves, or strongly suggests, a system was breached: a malicious file hash, a known C2 domain or IP, a specific mutex, a malicious registry run key, or a phishing sender address. IOCs are excellent for fast, scalable matching — feed them to your SIEM or EDR and block them. The weakness is fragility: an attacker recompiles the malware and the hash changes; they rotate infrastructure and the IP is dead. IOCs are inherently reactive — they come from something that already happened, often to someone else.
Indicators of Attack (IOAs)
An IOA describes what the adversary is doing, not what they used. Examples: a macro-enabled document spawning powershell.exe, that process then making an outbound connection, then dumping LSASS memory. None of those steps depends on a specific hash. Because IOAs target behavior and intent, they keep working even when the attacker swaps tools — which maps to the painful top of David Bianco's Pyramid of Pain (TTPs).
Why this matters
Strong detection programs use both: IOCs for cheap, high-confidence blocking of known-bad, and IOAs for catching novel or in-progress attacks that have no signature yet. Interviewers want to hear that you know IOCs are easy to evade, that IOAs cost the attacker more to defeat, and that mature SOCs invest in behavioral detection rather than living off threat-feed hashes alone.
Likely follow-ups
- Why can an attacker evade IOC-based detection so easily?
- Give an example of an IOA that has no associated IOC.
- Where do the Pyramid of Pain levels fit into this?