What is an Indicator of Compromise

Home / Security Introduction / What is an Indicator of Compromise

An Indicator of Compromise (IOC) is a forensic artifact that identifies a potentially malicious activity on a system or network. IOCs are important for both prevention and detection of cyber threats. By inputting IOCs of new cyber threats into software products they can block any processes that match these IOCs and therefore detect the threat before it can get inside the network. IOCs that are used to detect an attack before it can compromise a network are also known as indicators of attack (IOA), they represent a proactive approach. On the reactive side, by scanning a network or machine looking for IOCs you can find a threat that may have infected the network already, then you are free to quarantine and delete that threat.  IOCs are also heavily used in threat hunting activities as one of the main things that professionals look for when doing manual searches, IOCs aren’t just limited to being inputted into the company’s software.

Examples of Indicators of Compromise, courtesy of dark reading

  • IP Addresses

  • Domain Name

  • Unusual Outbound Network Traffic

  • Anomalies in Privileged User Account Activity

  • Geographical Irregularities

  • Log-In Red Flags

  • Increases in Database Read Volume

  • HTML Response Sizes

  • Large Numbers of Requests for the Same File

  • Mismatched Port-Application Traffic

  • Suspicious Registry or System File Changes

  • Unusual DNS Requests

  • Unexpected Patching of Systems

  • Mobile Device Profile Changes

  • Bundles of Data in the Wrong Place

  • Web Traffic with Inhuman Behavior

  • Signs of DDoS Activity

  • File Hashes

Indicators of Compromise are signs of malicious activity on a computer network or a machine. IOCs can be proactive (IOA) or they can be reactive. IOAs are used to identify attacks by attackers before they enter the network allowing companies to block those actions ahead of time. IOCs are used to scan the network to see if anyone has gotten access to the network without the company’s knowledge. Overall, IOCs are used to improve detection and response time by companies. Finding and passing on IOCs are typically the responsibility of a company’s threat intelligence team. Additionally, many cybersecurity software vendors have their own threat intelligence teams and will update their products with any IOCs they find without the client needing to do any work.