What are indicators of compromise (IoC)?

Indicators of compromise (IoC) are evidence left behind by an attacker or malicious software that can be used to identify a security incident.

Learning Objectives

After reading this article you will be able to:

  • Define indicators of compromise (IoC)
  • Highlight common IoCs
  • Use IoCs to improve detection and response


What are indicators of compromise (IoC)?

Indicators of compromise (IoCs) are information about a specific security breach that can help security teams determine if an attack has taken place. This information can include details about the attack, such as the type of malware used, the IP addresses involved, and other technical details. Indicators of compromise can also include metadata or additional information that may help identify the attackers or their motives.

How do indicators of compromise (IoC) work?

Indicators of compromise (IoC) help organizations identify and verify the presence of malicious software on a device or network. When an attack happens, it leaves behind traces of evidence. Security professionals can use the evidence to detect, investigate, and respond to security incidents.

IoCs can be obtained through several methods, including:

  • Observation: watching for abnormal activity or behavior in systems or devices
  • Analysis: determining the characteristics of the suspicious activity and analyzing its impact
  • Signatures: identifying known malicious software signatures

What are the common types of IoCs?

There are several different types of IoC that can be used to detect security incidents. They include:

  • Network-based IoCs include malicious IP addresses, domains, or URLs. They can also include network traffic patterns, such as unusual port activity, connections to known malicious hosts, or patterns of data exfiltration.
  • Host-based IoCs relate to activity on a specific host, such as a workstation or server. Examples include file names or hashes, registry keys, or suspicious processes running on the host.
  • File-based IoCs include malicious files, such as malware or scripts used by an attacker.
  • Behavioral IoCs include different types of suspicious behavior, such as unusual network traffic patterns or system activity, unusual logins or authentication attempts, or unusual user behavior.
  • Metadata IoCs relate to the metadata associated with a particular file or document, such as the author, creation date, or version information.
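As an added example (not part of the original article), the following Python sketch shows how network-based and host-based indicators, plus a simple behavioral threshold, can be matched against telemetry records. The indicator values, the JSON-lines log and the byte threshold are constructed placeholders, not real threat data.

```python
import json
from collections import Counter

# Constructed indicator set: RFC 5737 test address, example.net domain, MD5 of
# the empty string. Placeholders only, not real IoCs.
IOCS = {
    "ips": {"203.0.113.45"},                          # network-based
    "domains": {"bad.example.net"},                   # network-based
    "hashes": {"d41d8cd98f00b204e9800998ecf8427e"},   # file/host-based
}
EXFIL_THRESHOLD = 50_000_000  # behavioral: bytes out per host in the window

# Constructed JSON-lines telemetry (proxy, endpoint and flow records).
SAMPLE_LOG = """\
{"ts":"2024-01-01T10:00:00Z","src_host":"ws01","dst_ip":"203.0.113.45","domain":"cdn.bad.example.net","bytes_out":1200}
{"ts":"2024-01-01T10:00:05Z","src_host":"ws01","proc":"svchost.exe","sha":"d41d8cd98f00b204e9800998ecf8427e"}
{"ts":"2024-01-01T10:01:00Z","src_host":"ws02","dst_ip":"198.51.100.7","domain":"updates.example.org","bytes_out":64000000}
"""

def domain_matches(name, domains):
    """True if name equals an indicator domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def match_event(event, iocs):
    """Return (category, field, value) tuples for every atomic IoC hit."""
    hits = []
    if event.get("dst_ip") in iocs["ips"]:
        hits.append(("network", "dst_ip", event["dst_ip"]))
    if "domain" in event and domain_matches(event["domain"], iocs["domains"]):
        hits.append(("network", "domain", event["domain"]))
    if event.get("sha") in iocs["hashes"]:
        hits.append(("host", "sha", event["sha"]))
    return hits

def detect_exfil(events, threshold):
    """Behavioral IoC: hosts whose summed outbound bytes reach the threshold."""
    totals = Counter()
    for e in events:
        totals[e["src_host"]] += e.get("bytes_out", 0)
    return {h: b for h, b in totals.items() if b >= threshold}

def scan(log_text, iocs=IOCS, threshold=EXFIL_THRESHOLD):
    """Parse JSON lines; return per-host atomic hits plus exfiltration suspects."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    hits = {}
    for e in events:
        for hit in match_event(e, iocs):
            hits.setdefault(e["src_host"], []).append(hit)
    return {"hits": hits, "exfil": detect_exfil(events, threshold)}
```

Calling `scan(SAMPLE_LOG)` flags ws01 on three atomic indicators and ws02 only on the behavioral byte threshold, which is the kind of host that atomic matching alone would miss.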

Indicators of compromise vs. indicators of attack

IoCs are similar to, but not exactly the same as, indicators of attack (IoA). IoAs focus on the likelihood that a specific action or event may result in a threat.

For example, an IoA might indicate a high probability that an adversary is planning to launch a distributed denial-of-service (DDoS) attack against a website. An IoC could be evidence of unauthorized access to a network or system, such as the transfer of large amounts of data.

Often, security teams rely on both IoAs and IoCs to identify attacker behavior. To use another example, an IoC may identify unusually high network traffic, while the IoA is the observation that it may indicate an imminent DDoS attack. Both indicators can help provide insight into potential threats and vulnerabilities in networks and systems.

Indicators of compromise best practices

Indicators of compromise (IoC) best practices include using automated and manual tools to monitor and analyze evidence of cyber attacks. These tools can help organizations quickly identify the presence of malicious activity without manually examining every piece of data.

It is also important to regularly update IoC procedures as new technologies and attack vectors emerge. By staying up-to-date on IoC best practices, organizations can stay ahead of the threat landscape and protect themselves from malicious activity.

Cloudforce One

Cloudforce One is a threat operations and research team created to track and disrupt threat actors. The team’s advanced threat intelligence capabilities allow comprehensive coverage of all entities in the threat landscape and help organizations take action before any threats can cause damage.