IOC vs IOA Reference
Why APTs deliberately rotate IOCs to defeat signature-based detection -- and why behavioural detection (IOA) is essential for catching nation-state actors. Practical examples of each, with detection logic for IOAs.
IOC -- Indicator of Compromise
Forensic artefacts proving a breach occurred
Static, specific, and fragile. Once known, an APT actor can change them in minutes. An APT group can generate thousands of new C2 domains per campaign.
Examples
malware.exe (file hash)
evil.com (C2 domain)
d41d8cd98f00b... (MD5 hash)
HKCU\...\Run\MalKey (registry)
IOA -- Indicator of Attack
Behavioural patterns revealing attacker intent
Durable, behavioural, and hard to change. An APT cannot change their core TTPs without retraining their entire team. The way Sidewinder uses EQNEDT32 has not changed since 2017.
Examples
Office app making outbound HTTP
PowerShell -enc from Office process
LSASS accessed by non-AV process
ntdsutil.exe with IFM argument
The Pyramid of Pain
David Bianco's Pyramid of Pain describes how difficult it is for an attacker to change each type of indicator. Higher in the pyramid = more painful for the attacker if detected.