An Indicator of Compromise (IOC) is a forensic artifact that identifies a potentially malicious activity on a system or network. IOCs are important for both prevention and detection of cyber threats. By inputting IOCs of new cyber threats into software products they can block any processes that match these IOCs and therefore detect the threat before it can get inside the network. IOCs that are used to detect an attack before it can compromise a network are also known as indicators of attack (IOA), they represent a proactive approach. On the reactive side, by scanning a network or machine looking for IOCs you can find a threat that may have infected the network already, then you are free to quarantine and delete that threat.  IOCs are also heavily used in threat hunting activities as one of the main things that professionals look for when doing manual searches, IOCs aren’t just limited to being inputted into the company’s software.

Examples of Indicators of Compromise, courtesy of dark reading

• IP Addresses

• Domain Name

• Unusual Outbound Network Traffic

• Anomalies in Privileged User Account Activity

• Geographical Irregularities

• Log-In Red Flags

• Increases in Database Read Volume

• HTML Response Sizes

• Large Numbers of Requests for the Same File

• Mismatched Port-Application Traffic

• Suspicious Registry or System File Changes

• Unusual DNS Requests

• Unexpected Patching of Systems

• Mobile Device Profile Changes

• Bundles of Data in the Wrong Place

• Web Traffic with Inhuman Behavior

• Signs of DDoS Activity

• File Hashes