detection
4 articles with this tag
What is an IOA (Indicator of Attack) — spotting a breach by behavior, not traces
An IOA (Indicator of Attack) spots a breach by the behavior of an attack in progress (privilege escalation → lateral movement → exfiltration). It's the counterpart to the after-the-fact IOC. Attackers swap hashes and IPs instantly, but the technique (behavior) is hard to change — so IOAs last. Even small teams can approach it by watching for behavior that differs from normal.
What is C2 (command and control) — the channel attackers use to control a device after a breach
C2 is the channel a compromised device uses to call back to an attacker's server (a beacon) to receive commands and exfiltrate data — the stage after a breach. The keys to spotting it are suspicious periodic outbound traffic and known-bad destinations. Defenses: egress filtering, DNS monitoring, IOC/IOA matching, least privilege. Confirming 'no resident C2' is a key part of breach investigation.
What is EDR — recording endpoint 'behavior' to detect and respond to attacks that slip through
EDR continuously records endpoint behavior, detects suspicious activity (IOA-style), and supports response (isolate, investigate). It catches fileless and living-off-the-land attacks that signature/IOC-based antivirus misses, via behavior and a timeline. Small teams often don't need full EDR — built-in OS protection plus logs plus the IOA mindset gets much of the value.
What is an IOC (Indicator of Compromise) — traces that reveal a breach
An IOC (Indicator of Compromise) is a trace a breach leaves behind — known-bad file hashes, attacker IPs/domains, URLs, unusual processes. Its value lies in mechanically detecting and blocking known-bad artifacts. But it's a reactive clue that attackers can swap cheaply, so IOC matching is a last check, not a cure. The real defense is a design that doesn't go up in flames when something slips through (least privilege, patching, MFA).