What is an IOA (Indicator Of Attack)?

An IOA refers to the behavior an attacker must perform to carry out an attack, and to the pattern used to capture the activity of malware and tools.
For example, ransomware encrypts files on the device when executed and demands money from the victim in exchange for the decryption key. For this reason, cybercriminals using ransomware also employ techniques that make the damage hard to reverse. One of them is deleting the backup area called Volume Shadow Copy on Windows devices.
Among the actions the attacker performs, an IOA focuses on the step of deleting the Volume Shadow Copy. By catching that step, you can interrupt the encryption.
A similar term is IOC (Indicator Of Compromise). An IOC bases detection on traces of infection, that is, the malware/tool hashes and registry keys left behind as a result of being compromised by an attack.
These “traces” can be changed relatively easily by an attacker, and in many cases they quickly become indicators in name only.
As mentioned above, an IOA focuses on the behavior patterns taken by attackers, so it is difficult for attackers to change it easily, and it is less likely than an IOC to become an indicator in name only.
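
The contrast above as a small detection sketch, added here as an example and not taken from the original page. The event fields, hash values and sample events are constructed, and the two command-line patterns are assumed examples of shadow-copy deletion, not a list from the page.

```python
import re

# IOC: hash blocklist (constructed placeholder value, not a real sample hash).
KNOWN_BAD_HASHES = {"a" * 64}

# IOA: the behavior itself, i.e. a command line that deletes Volume Shadow
# Copies, regardless of which binary (and therefore which hash) launched it.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]

def ioc_match(event):
    """True if the launching binary's hash is on the blocklist."""
    return event["parent_sha256"] in KNOWN_BAD_HASHES

def ioa_match(event):
    """True if the command line shows shadow-copy deletion."""
    return any(p.search(event["command_line"]) for p in SHADOW_DELETE_PATTERNS)

# Constructed process-creation events (hypothetical field names).
EVENTS = [
    # Known build: both indicators fire.
    {"id": 1, "parent_sha256": "a" * 64,
     "command_line": "vssadmin.exe delete shadows /all"},
    # Rebuilt binary with a new hash: the IOC misses it, the IOA does not.
    {"id": 2, "parent_sha256": "b" * 64,
     "command_line": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All"},
    # Different tool, same behavior.
    {"id": 3, "parent_sha256": "c" * 64,
     "command_line": "wmic shadowcopy delete"},
    # Read-only query: neither indicator fires.
    {"id": 4, "parent_sha256": "d" * 64,
     "command_line": "vssadmin.exe list shadows"},
]

def triage(events):
    """Return {event id: {"ioc": bool, "ioa": bool}} for each event."""
    return {e["id"]: {"ioc": ioc_match(e), "ioa": ioa_match(e)} for e in events}

if __name__ == "__main__":
    for event_id, verdict in triage(EVENTS).items():
        print(event_id, verdict)
```

Backup and maintenance software can also delete shadow copies, so an IOA hit like this is normally reviewed together with the parent process and the user context before it is acted on.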