What an IOA does
Indicators of Attack (IOAs) represent the actions taken by an attacker during a cyber incident. Unlike Indicators of Compromise (IOCs), which identify specific files or network addresses, IOAs describe the sequence of behaviours—the ‘how’ of an attack. This makes them more resilient to attacker tactics like payload rotation, where malicious files are frequently changed to evade detection. An IOA might describe privilege escalation techniques, lateral movement across a network, or data exfiltration patterns.
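As an added example that is not part of the original page (and not Microsoft's or Defender XDR's code), the following Python models the distinction over constructed process telemetry: a hash-based IOC stops matching once the payload is rotated, while an IOA expressed as a parent-to-child process chain still fires on both hosts. Host names, image names and hashes are all made up.

```python
# Added example (not from the page): IOC matching vs IOA matching over
# constructed process telemetry. All hosts, image names and hashes are made up.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    parent_pid: Optional[int]   # None marks a root process
    image: str                  # constructed process image name
    sha256: str                 # constructed placeholder, not a real hash

# Two runs of the same behaviour on two hosts; only the final payload's hash
# changed between them (payload rotation).
EVENTS: List[ProcEvent] = [
    ProcEvent("WS01", 100, None, "docapp.exe", "h-doc"),
    ProcEvent("WS01", 101, 100, "scripthost.exe", "h-script"),
    ProcEvent("WS01", 102, 101, "stage2.exe", "h-payload-v1"),
    ProcEvent("WS02", 200, None, "docapp.exe", "h-doc"),
    ProcEvent("WS02", 201, 200, "scripthost.exe", "h-script"),
    ProcEvent("WS02", 202, 201, "stage2.exe", "h-payload-v2"),
]

IOC_HASHES = {"h-payload-v1"}                 # what a hash feed would carry
IOA_CHAIN = ("docapp.exe", "scripthost.exe")  # behaviour: doc app -> script host

def ioc_hits(events: List[ProcEvent]) -> List[str]:
    """Hosts where a known-bad file hash was observed."""
    return sorted({e.host for e in events if e.sha256 in IOC_HASHES})

def ancestry(e: ProcEvent, index: Dict[Tuple[str, int], ProcEvent]) -> List[str]:
    """Image names from the root ancestor down to e, in execution order."""
    names: List[str] = []
    cur: Optional[ProcEvent] = e
    while cur is not None:
        names.append(cur.image)
        cur = index.get((cur.host, cur.parent_pid)) if cur.parent_pid is not None else None
    return names[::-1]

def ioa_hits(events: List[ProcEvent], chain=IOA_CHAIN) -> List[str]:
    """Hosts where the parent->child chain occurs, regardless of file hashes."""
    index = {(e.host, e.pid): e for e in events}
    hits = set()
    for e in events:
        names = ancestry(e, index)
        for i in range(len(names) - len(chain) + 1):
            if tuple(names[i:i + len(chain)]) == tuple(chain):
                hits.add(e.host)
    return sorted(hits)
```

Calling `ioc_hits(EVENTS)` returns only `['WS01']`, because WS02 ran a rotated payload; `ioa_hits(EVENTS)` returns `['WS01', 'WS02']`, because the behaviour chain is identical on both.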
IOAs in Australian tenants today
For AU mid-market organisations, particularly those concerned about sophisticated adversaries, IOA-based detection is increasingly vital. Microsoft Defender XDR offers capabilities for identifying and hunting based on IOAs, allowing security teams to proactively detect attacker behaviours. Aligning IOA hunting strategies with ACSC advisory information and publicly available threat intelligence helps AU SOCs understand and respond to emerging nation-state tactics, techniques, and procedures. The Notifiable Data Breach scheme requires demonstrating reasonable security measures; proactive IOA hunting demonstrates a commitment to this.