Evolution of Cyber Defense (IOC vs IOA vs AID)

Identification of the problem

The information that passes through cyberspace is a high-value gem for threat actors, which is why they look for vulnerabilities in services exposed to the Internet to carry out cybercrimes (initial compromise, elevation of privileges, persistence, lateral movement, exfiltration and kidnapping or destruction of the target) this for different motivations. Likewise, the most active attack is directed at users where the victim is intended to click on a link sent by any messaging service to be redirected to a website infected with the thief, simply visiting the compromised website for the system also belongs to the remote one. attacker, does not require further user interaction. Advanced 0-day malware is also distributed in PDF, xlsx, docx files such as knowledge collaboration documents or hacked documents in Telegram groups or via email; Malware is also distributed in pirated commercial programs after cracking them to give them away on free software distribution websites, waiting to be executed (opened). There is also malware that is hosted on a USB whose purpose is for a worker at the target company to access it. find for the user to plug this device into any available computer. The main characteristic of these 0-day malware is that they are not detected by cybersecurity solutions

Therefore, there is a need to anticipate to support cybersecurity against the actions of cybercriminals. The CTI will allow the development of skills to mitigate and respond immediately to possible incidents.


Cyber threat intelligence is the processing of collected data into Intelligence, evaluated in the context of its source and reliability, and analyzed through rigorous and structured techniques by experienced specialists, all of this helps to identify threats, opportunities, similarities and differences in large amounts of information to produce accurate, timely and relevant intelligence.

CTI benefits by role or function

  • Security/IT Analyst: CTI optimizes prevention and detection capabilities to strengthen defenses.
  • SOC: CTI prioritizes incidents based on risk and impact on the organization.
  • CSIRT: In accelerating investigations, management and prioritization of incidents.
  • Intelligence Analyst: In the discovery and tracking of threat actors targeting the organization.
  • Executive Management: In understanding the risks facing the organization and how to address their impact.


Indicators of compromise are evidence of security incidents or breaches, obtained in most cases as a result of digital forensic analysis. That being said, the IOC is the result of an unauthorized intrusion where the attacker maintained persistence between 2 months up to 5 years within the organization, the IOC is added to the cybersecurity solution in the hope that it will block an attack that lost its effect Surprise (it's no longer a 0-day), in any case it is useful for blocking common cyber attacks.

An IOC can be a hash of malware, an exploit, a vulnerability and IP addresses, this information is used to create new rules in cybersecurity tools so that they can detect suspicious files in the future. The Indicator of Compromise (IOC) has a reactive approach.

IOCs are useful against botnet attacks.

An IOC has a null action on 0-day attacks.


Attack Indicators seek to detect early signs of what the cyber attacker is doing during the initial compromise attempt or to bypass security with 0-day malware, identifying their post-exploitation activities (persistence and lateral movement in the network).

An IOA has a proactive approach, once the cyber attacker manages to compromise the technological asset, the control of the incident will largely depend on the technical capabilities of the threat hunting operator.

The Threat Hunting operator relies on Cybersecurity tools that manage the IOA (solutions with ML) that try to contain the threat. To determine an effective control action, we must take into account that there are advanced capabilities that are not mapped by the common modeling frameworks, so they can bypass an XDR and other Machine Learning solutions.


Attack Indicators Deployed (AID) is a new concept coined by researcher Rafael Huaman Medina as a result of the need to detect malware and unknown payloads deployed in cyberspace in order to anticipate and neutralize the terror of any organization, the 0days for targeted campaigns.

Attack Indicators Deployed (AID) are evidence of a malicious campaign in the implementation phase or already deployed, as well as C2 that sleep waiting for a netizen to visit the infected website, or for a user to execute a shared file. The objective of an AID is to add it to the cybersecurity solution to anticipate the attack of advanced cyber threats and neutralize it effectively. The research of cyber intelligence and threat hunting specialists through the identification and analysis of payloads or 0-day malware deployed in Cyberspace allows assigning an identifier (hash or IP) to the AID, which due to its 0-day malware characteristics day will evade the security of all cybersecurity solutions by compromising the target asset, these 0-day malware are associated with stealers, rats, PDF, xlsx, docx files shared in the Cloud, on websites, on Telegram channels, on social networks or by email (phishing), or hosted on cyber USBs used in cyber espionage operations and RaaS (ransomware as a service) campaigns.

An AID will be the ideal support for the information security of any organization, neutralizing attacks of this type.

AID are obtained from the combination of cyber intelligence and threat hunting operations in cyberspace.

The AID has an effective action against targeted campaigns with 0days, neutralizing its action, this is the ideal solution for cyber defense.

Let's analyze the difference between IOC and IOA and AID:

In the image we can see that an IOC seeks to alert about a past attack that affected another organization, in a "targeted campaign" the IOC is likely to be inefficient because the attacker will change the object (payload, IP, etc.), in this example we see that a 0day is used, so the IOC is not useful in this type of scenario. As a consequence, the system is compromised and controlled by cybercrime.

While an IOA seeks to provide early warning during an active or ongoing attack, here the 0day will bypass the security of cybersecurity solutions, the IOA will be useful in supporting the incident response team by searching for the intruder, a race is unleashed to contain and reduce the impact of post-exploitation. As a consequence, the system is compromised but the threat hunt carried out by cyber defense operators begins.

The AID will effectively prevent the incident by neutralizing the digital campaign, being the most effective way of all the previous ones because it will neutralize the cyber attacks directed with 0day.

Always remember: "Knowledge prepares you not to lose to cybercrime."

Share the knowledge with your contacts and please acknowledge the credits for this work, we would greatly appreciate feedback on your favorite social network.