
Indicators of Compromise (IOC)

Indicators of Compromise (IOC) are pieces of forensic evidence such as IP addresses, file hashes, or registry keys that signal a system or network may have been breached.

What are IOCs?


IOCs are the breadcrumbs attackers leave behind during intrusions. They provide observable data that security teams can use to detect ongoing or past compromises.

For SecOps, IOCs are central to intrusion detection and threat hunting. They allow analysts to pivot investigations, enrich SIEM alerts, and build detection rules that stop attackers earlier in the kill chain.

How do they typically work?


  1. Detection: forensic tools or sensors identify unusual artifacts.
  2. Validation: analysts verify whether the IOC is associated with malicious activity.
  3. Correlation: IOCs are matched against logs across multiple systems.
  4. Response: systems are isolated or remediated if IOCs confirm compromise.

Common techniques


  • File hashes: MD5, SHA1, or SHA256 values of malicious executables.
  • Domain names: attacker-controlled domains used in phishing or command-and-control.
  • IP addresses: known hostile infrastructure.
  • Registry keys: persistence mechanisms in Windows environments.
  • Email artifacts: sender addresses or subject lines used in phishing.
  • Behavioral IOCs: sequences of actions such as abnormal login patterns.
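
The correlation step above, matching an IOC set against log lines, as an added example that is not part of the original page. It covers the hash, domain and IP indicator types from the list; the IOC values and log lines are constructed samples, not real indicators, and the field names are assumed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample IOC set (placeholder values, not real indicators).
IOCS = {
    "sha256": {"0123456789abcdef" * 4},
    "domain": {"bad-example.test"},
    "ip": {"192.0.2.44"},
}

# Constructed log lines; 'host=', 'dst=' and 'sha256=' are assumed field names.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy allow host=www.example.org dst=198.51.100.7",
    "2024-05-01T10:00:09Z proxy allow host=cdn.BAD-example.test dst=192.0.2.44",
    "2024-05-01T10:01:30Z edr file_create sha256=" + "0123456789ABCDEF" * 4,
]

@dataclass(frozen=True)
class Match:
    line_no: int
    ioc_type: str
    value: str

def _domain_matches(host: str, bad: str) -> bool:
    # Hit on the IOC domain itself and on any subdomain of it (cdn.bad-example.test).
    host = host.lower().rstrip(".")
    return host == bad or host.endswith("." + bad)

def correlate(log_lines):
    """Match each log line against IOCS; returns Match records (empty list = no hit).
    Hashes and domains are compared case-insensitively; IPs are validated first."""
    hits = []
    hash_re = re.compile(r"\b[0-9a-fA-F]{64}\b")
    host_re = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
    ip_re = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
    for n, line in enumerate(log_lines, 1):
        for h in hash_re.findall(line):
            if h.lower() in IOCS["sha256"]:
                hits.append(Match(n, "sha256", h.lower()))
        for host in host_re.findall(line):
            if any(_domain_matches(host, bad) for bad in IOCS["domain"]):
                hits.append(Match(n, "domain", host.lower()))
        for ip in ip_re.findall(line):
            try:  # reject regex false positives such as 999.0.2.44
                if str(ipaddress.ip_address(ip)) in IOCS["ip"]:
                    hits.append(Match(n, "ip", ip))
            except ValueError:
                pass
    return hits

if __name__ == "__main__":
    for m in correlate(SAMPLE_LOGS):
        print(f"line {m.line_no}: {m.ioc_type} hit on {m.value}")
```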

Impact


IOCs allow defenders to detect compromises faster and respond effectively. They are particularly useful for retrospective analysis, helping analysts determine if an environment was targeted in past campaigns.

However, IOCs are often short-lived, as adversaries change infrastructure quickly. This makes continuous collection and threat intelligence sharing essential. For SecOps, IOCs are valuable when combined with behavioral detection and context.