Understanding Indicators of Attack vs Compromise

It’s the choice between stopping an attack before it gets in or detecting a compromise after it affects your company

There are two main methods of detection in the security marketplace—Indicators of Attack (IoA) and Indicators of Compromise (IoC). The two methods approach detection in vastly different ways. 

In this Quick Read, we’ll cut through the crosstalk to compare and contrast IoAs and IoCs. Plus, we’ll share examples of Capsule8 Protect’s different approach to attack protection. 

How IoCs and IoAs Work

Indicators of Compromise

Systems that work by detecting IoCs are reactive. They look at events in retrospect—essentially flagging problems after they’ve happened. IoCs include specific after-the-fact markings to confirm a compromise to a company’s defenses, including:
  • IP addresses, files, and other markers
  • Specific behavior of known attacks
  • A focus on post-exploitation tooling and command and control
Because of the way they are set up, systems that are based on IoCs, although they show that a threat actor has compromised a system, can also generate high false positives. Moreover, IoCs are reactive because, by their nature, they only spring into action once a compromise has happened, which can leave an operation vulnerable.

Indicators of Attack

Conversely, although they are able to conduct after-the-fact investigations to uncover the markings of a compromise, systems that detect IoAs work in real-time to detect exploits as they happen. Such systems:
  • Detect exploitation techniques
  • Provide real-time visibility across your environment
  • Are agnostic to individual vulnerabilities
  • Work proactively to identify unknown or emerging exploits and attacks
IoA-based detection looks at an attacker’s behavior, regardless of whether the attacker is using a known or unknown attack. An attacker doesn’t need malware to compromise your system, so an IoA-based system is ideal for stopping perpetrators before they penetrate your defenses.

Download this content as a PDF

Linux Monitoring Requirements for IoA Detection

The rapid adoption of Linux-based microservices in enterprises has driven the shift to solutions that detect IoAs. For those in SecOps, a modern IoA detection approach must be:

  • Deployed at the local and host level (i.e., utilizing user space code that gathers telemetry from various sources)
  • Flexible enough to detect generic exploitation techniques 
  • Rolled up to generate high-value alerts at low volume 
  • Lightweight enough to not disrupt production
  • Integrated into the existing build chain

Capsule8 Protect is the only attack protection solution that: 

  • Deploys out-of-the-box sensors  
  • Detects locally and analyzes all exploit data
  • Alerts you only when specific security policies are violated
  • Enforces hard limits to system CPU, disk and memory using a resource limiter and an intelligent load-shedding strategy
  • Is fully extensible with an API-first perspective

See Linux Monitoring and Response in Action

Download our Technical Primer: Demonstration of Detection Capabilities in Capsule8 Protect to learn how we support modern Linux environments without slowing down production.

Protection Without Slowing Production

A system that keeps you safe but doesn’t let you get your work done will produce one of two results: Your company’s productivity will slow to a crawl or your employees will start using workarounds that will leave you even more vulnerable than before.

So it’s critical that the approach you take, whether it’s IoA- or IoC-based, not disrupt production. But even though one part of your company might think things are going well with the chosen protection method, another might encounter disruptions. For example, SecOps might think things are humming along nicely, but that doesn’t necessarily mean Ops will feel the same, especially when you’re dealing with agents and kernel modules.

Capsule8 Solves the Problem in a Different Way

Capsule8 enables IoC and IoA methods but we believe IoA is the superior method for today’s advanced attacks.

So we engineered Capsule8 Protect using the kprobe + perf approach to Linux monitoring. kprobes are subsystems that grant visibility into the kernel via syscalls between specific processes. When used in conjunction with perf, a stabler alternative to kernel modules, you can extract kernel data without performance compromise.

The kprobe + perf approach designed by Capsule8 Protect is a safer way to perform Linux monitoring because it:

  • Doesn’t require a kernel module to deploy
  • Can’t crash the kernel
  • Won’t flood the network
  • Won’t require extra config labor by Ops

Different Approaches to Linux Monitoring

Learn more about this better way to do Linux monitoring in our recent blog post.


Customer needs are at the core of Capsule8 Protect 

  • With Capsule8 Protect in place, security teams can detect active exploits as well as known malware and other security issues.
  • Capsule8 Protect prepares your operation with the right telemetry, so you can respond to exploits, cost- and time-efficiently, as they happen
  • Capsule8 Protect supports the way you work. It’s infrastructure and cloud agnostic, cost tunable, and enables you to meet controls that can help you comply with policies. Plus, it’s low maintenance and is suitable for both SecOps and Ops teams.