threat intelligence
3 articles with this tag
What is an IOA (Indicator of Attack) — spotting a breach by behavior, not traces
An IOA (Indicator of Attack) spots a breach by the behavior of an attack in progress (privilege escalation → lateral movement → exfiltration). It's the counterpart to the after-the-fact IOC. Attackers swap hashes and IPs instantly, but the technique (behavior) is hard to change — so IOAs stay useful far longer. Even small teams can approach it by watching for behavior that differs from their normal baseline.
What is C2 (command and control) — the channel attackers use to control a device after a breach
C2 is the channel a compromised device uses to call back to an attacker's server (a beacon) to receive commands and exfiltrate data — the stage after a breach. The keys to spotting it are suspicious periodic outbound traffic and known-bad destinations. Defenses: egress filtering, DNS monitoring, IOC/IOA matching, least privilege. Confirming 'no resident C2' is a key part of breach investigation.
What is an IOC (Indicator of Compromise) — traces that reveal a breach
An IOC (Indicator of Compromise) is a trace a breach leaves behind — known-bad file hashes, attacker IPs/domains, URLs, unusual processes. Its value is mechanically detecting/blocking known-bad. But it's a reactive clue attackers can swap cheaply, so IOC matching is a last-check, not a cure. The real defense is a design that keeps a compromise from spreading (least privilege, patching, MFA).