IOC: Indicator of compromise
Pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.
IOCs aid in detecting data breaches, malware infections, and other threat activity. By monitoring for IOCs, organizations can detect attacks earlier and act quickly, either preventing a breach or limiting the damage by stopping the attack in its early stages.
IOCs act as breadcrumbs that lead infosec teams to malicious activity early in the attack sequence. These unusual activities are the red flags that indicate a potential or in-progress attack that could lead to a data breach or system compromise.
IOC vs Indicators of Attack (IOA)
IOAs are similar to IOCs, but rather than focusing on forensic analysis of a compromise that has already taken place, IOAs focus on identifying attacker behaviour and intent while an attack is in progress.
IOCs help answer the question "What happened?", while IOAs help answer "What is happening, and why?". The same signal can serve as both: a suspicious outbound connection is an IOA while the session is live and an IOC once it sits in a retained log being reviewed after the fact.
Examples
- Unusual Outbound Network Traffic (connections to destinations, ports or at volumes the host has no business reason for)
- Anomalies in Privileged User Account Activity
- Geographical Irregularities (log-ins or traffic from countries where the organization has no users, or from two distant places within a short time)
- Log-In Red Flags (bursts of failures, log-ins at odd hours, or success after many failures)
- Increases in Database Read Volume (an attacker staging records for theft reads far more than normal application use)
- HTML Response Sizes (web responses much larger than usual can mean data is being extracted through the application)
- Large Numbers of Requests for the Same File
- Mismatched Port-Application Traffic (for example, a non-DNS protocol carried over port 53)
- Suspicious Registry or System File Changes
- Unusual DNS Requests (long, random-looking subdomains or high query volume, typical of DNS tunnelling)
- Unexpected Patching of Systems (patches nobody in the organization applied, used by intruders to lock out competitors)
- Mobile Device Profile Changes
- Bundles of Data in the Wrong Place (archives or exports appearing on hosts that do not normally hold them, often staging for exfiltration)
- Web Traffic with Unhuman Behavior
- Signs of DDoS Activity
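To show how several of the indicators above turn into concrete detection logic, here is a small Python scanner run over a handful of constructed log lines. It is an added example, not code from the original page; the log format, field names, port-to-protocol table and thresholds are assumptions chosen for the demonstration. It flags four of the listed categories: log-in red flags (a burst of failures followed by a success), geographical irregularities (two countries for one account within an hour), unusual DNS requests (a long or high-entropy label, the shape of DNS tunnelling) and mismatched port-application traffic (TLS on the DNS port).

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from a real environment). Each line:
#   <ISO timestamp> <event type> <key=value> ...   (assumed format for this demo)
SAMPLE_LOG = """\
2024-03-01T09:00:00 auth user=alice result=fail src=198.51.100.7 country=US
2024-03-01T09:00:05 auth user=alice result=fail src=198.51.100.7 country=US
2024-03-01T09:00:09 auth user=alice result=fail src=198.51.100.7 country=US
2024-03-01T09:00:20 auth user=alice result=success src=198.51.100.7 country=US
2024-03-01T09:30:00 auth user=bob result=success src=203.0.113.9 country=DE
2024-03-01T09:45:00 auth user=bob result=success src=192.0.2.44 country=BR
2024-03-01T10:00:00 dns client=10.0.0.5 qname=mail.example.com
2024-03-01T10:00:01 dns client=10.0.0.5 qname=aGVsbG8gd29ybGQgdGhpcyBpcyBleGZpbA.t.example.net
2024-03-01T10:05:00 conn src=10.0.0.7 dst=198.51.100.20 dport=443 proto=tls
2024-03-01T10:05:02 conn src=10.0.0.7 dst=198.51.100.21 dport=53 proto=tls
2024-03-01T10:05:03 conn src=10.0.0.8 dst=203.0.113.50 dport=80 proto=http
"""

# Application protocol expected on each port (assumed; build it from your own baseline).
EXPECTED_PROTO = {53: "dns", 80: "http", 443: "tls"}

def parse_log(text):
    """Turn the text log into a list of dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "type": kind}
        for pair in pairs:
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return events

def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def detect_login_red_flags(events, max_failures=3):
    """Log-in red flag: a burst of failures, then a success, same account and source."""
    findings, streak = [], defaultdict(int)  # (user, src) -> consecutive failures
    for ev in events:
        if ev["type"] != "auth":
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "fail":
            streak[key] += 1
            continue
        if streak[key] >= max_failures:
            findings.append(("login_red_flag", ev["user"], ev["src"]))
        streak[key] = 0
    return findings

def detect_impossible_travel(events, window=timedelta(hours=1)):
    """Geographical irregularity: one account, two countries, too close in time."""
    findings, last = [], {}  # user -> (ts, country) of the previous success
    for ev in events:
        if ev["type"] != "auth" or ev["result"] != "success":
            continue
        prev = last.get(ev["user"])
        if prev and prev[1] != ev["country"] and ev["ts"] - prev[0] <= window:
            findings.append(("impossible_travel", ev["user"], prev[1], ev["country"]))
        last[ev["user"]] = (ev["ts"], ev["country"])
    return findings

def detect_suspicious_dns(events, max_label=30, min_entropy=3.8):
    """Unusual DNS request: a very long or high-entropy label (DNS tunnelling shape)."""
    findings = []
    for ev in events:
        if ev["type"] != "dns":
            continue
        label = max(ev["qname"].split("."), key=len)  # longest label in the name
        if len(label) > max_label or shannon_entropy(label) > min_entropy:
            findings.append(("suspicious_dns", ev["client"], ev["qname"]))
    return findings

def detect_port_mismatch(events):
    """Mismatched port/application traffic, e.g. TLS where DNS is expected."""
    findings = []
    for ev in events:
        if ev["type"] != "conn":
            continue
        expected = EXPECTED_PROTO.get(int(ev["dport"]))
        if expected and ev["proto"] != expected:
            findings.append(("port_mismatch", ev["src"], ev["dst"], ev["dport"], ev["proto"]))
    return findings

def scan(text=SAMPLE_LOG):
    """Run every detector over the log and return all findings as tuples."""
    events = parse_log(text)
    return (detect_login_red_flags(events) + detect_impossible_travel(events)
            + detect_suspicious_dns(events) + detect_port_mismatch(events))
```

Running `scan()` on the embedded sample yields exactly one finding per detector: alice's three failures followed by a success, bob's DE-to-BR log-ins fifteen minutes apart, the 34-character base64-looking DNS label, and TLS on port 53. The thresholds are deliberately simple; in production they would come from a baseline of the environment's own normal behaviour, because what counts as "unusual" is what makes these signals indicators.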