Applying Indicators of Attack

Unlock early attack detection and action


When minutes count: Fighting threats with eight key IoAs

Read Report

A dynamic picture that guides incident response

Incident response is devoted to containment and mitigation, reverse engineering the sequence of events, and cleaning up the damage. However, attributes of an attack can provide actionable intelligence—an indicator of attack (IoA)—moving you from disaster recovery to an active role preventing the attack's success. An indicator of compromise (IoC) reflects an individual known bad, static event, but an IoA only becomes bad based on your situation. Where an IoC supports after-the-fact forensic investigation, an IoA enables in-the-moment incident intervention at every phase of the attack chain.

By collecting, constructing, and sending rich IoA insights to detection, containment, and remediation systems, McAfee and its partners help security analysts build a sustainable advantage against evolving cyberthreats.

Download Solution Brief

Driving the earliest possible attack detection

Collect contextual data that is otherwise lost

Retain the contextual data required for IoAs. McAfee Threat Intelligence Exchange and McAfee Enterprise Security Manager collect and enrich this data, creating actionable IoAs.

Pinpoint and surface high-relevance events for immediate evaluation

Enhanced, dynamic threat and risk scoring reduce false positives and guide security analysts to important events. Fine-grained event attributes find attack trajectories, compromised hosts, and vulnerable systems.

Apply automation confidently for instant response

Actionable details permit targeted processes to automatically and selectively block, disrupt, monitor, or record activities.

Reconstruct a complete forensic chain of events

Piece together attack events to fully understand the path and intent of targeted attacks.

Strengthen your policies, rules, and protections

Predict attack behaviors, educate defenses, and suggest policy and control changes to prevent future repetitions.

Advanced target attacks: It takes a system

Read White Paper


Endpoint Security

Integration with McAfee Threat Intelligence Exchange assesses unknown files. The endpoint agent can allow, block execution, or clean the file, killing a running process. The presence of unknown files can be recorded, so if it is later determined to be part of an attack, the endpoint agent can clean up those hosts.

Network Security

Protect networks with multiple intelligence-aware security controls. By leveraging threat information from multiple sources, gain a real-time understanding of internal and external threats. Receive unknown malware samples from endpoints, gateways, and dissect them using dynamic sandboxing and static code analysis. Collect contextual insights on users, applications, and data, analyze traffic, and share suspicious events and files for further analysis.

Security Management

Baseline, aggregate, and contextualize endpoint sensor events, collecting critical data that otherwise disappears. SIEM solutions collect and correlate event, behavior, and alert information from hundreds of sources, constructing indicators of attack. Use these assessments to launch interventions, containment, mitigation, and remediation.

Related Products & Solutions


McAfee Foundstone guides enterprises of all sizes on the best ways to maintain a strong security posture. Our teams of security experts assess network vulnerabilities, evaluate gaps in information security programs, offer strategies that meet compliance goals, and help develop programs to prepare for security emergencies.