IOC - Indicators of Compromise
IOC (Indicators of Compromise, also called “Indicators of Intrusion” or “Threat Indicators”) are observable artifacts in a system or network that point to an intrusion or compromise, providing evidence that a cyber threat has breached security. These indicators include anomalous network traffic patterns, malicious files, modifications to system logs, suspicious user activity, and configuration changes. They are fundamental to early threat detection, forensic analysis, and incident response, allowing security teams to identify and respond to security incidents quickly and effectively.
What are IOC?
IOC are evidence that suggests a system or network has been compromised by a cyber threat.
Types of IOC
Network IOC
- Malicious IPs: Suspicious IP addresses
- Domains: Malicious domains
- URLs: Malicious URLs
- Ports: Ports used by malware
File IOC
- Hashes: Hashes of malicious files
- Names: Suspicious file names
- Paths: Paths of malicious files
- Sizes: Suspicious file sizes
System IOC
- Processes: Malicious processes
- Services: Suspicious services
- Registry: Malicious registry entries
- Events: System events
Behavior IOC
- Communications: Suspicious communications
- Access: Anomalous access
- Activities: Unusual activities
- Patterns: Behavior patterns
Classification
Confidence Level
- High: High confidence in malice
- Medium: Medium confidence
- Low: Low confidence
- Unknown: Confidence not yet assessed
Threat Type
- Malware: Malware indicators
- APT: APT indicators
- Botnet: Botnet indicators
- Phishing: Phishing indicators
IOC Sources
Commercial
- Threat Intelligence: Intelligence services
- Vendors: Security vendors
- CERTs: Response teams
- Governments: Government agencies
Open Source
- MISP: Sharing platform
- OpenCTI: Threat intelligence platform
- Feeds: Threat intelligence feeds
- Community: Security community
Internal
- SIEM: Event management systems
- EDR: Endpoint detection systems
- Logs: Log analysis
- Forensics: Forensic analysis
Implementation
Collection
- Automation: Automatic collection
- APIs: API integration
- Feeds: Feed subscription
- Manual: Manual collection
Processing
- Normalization: Data normalization
- Enrichment: Context enrichment
- Correlation: Event correlation
- Analysis: Pattern analysis
Application
- Detection: Detection systems
- Blocking: Blocking systems
- Alerts: Alert systems
- Response: Response systems
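As an added example (not code from this page), the Collection, Processing and Application steps above in miniature: a Python script that normalizes indicators from a constructed feed, drops deprecated ones, correlates the rest with constructed log lines, and ranks hits by the confidence levels listed under Classification. Every indicator value and log line is a constructed placeholder (RFC 5737 documentation ranges, `.example` names), not a real IOC.

```python
"""Constructed example: normalize IOC, drop deprecated ones, correlate them with log events."""
from dataclasses import dataclass
from datetime import date
import re

@dataclass(frozen=True)
class Ioc:
    kind: str        # "ip", "domain" or "hash"
    value: str       # indicator as published by the feed
    confidence: str  # High / Medium / Low / Unknown
    expires: date    # deprecation date; IOC past this date are no longer applied

CONFIDENCE_RANK = {"High": 3, "Medium": 2, "Low": 1, "Unknown": 0}
def normalize(kind, raw):
    """Normalize one indicator so spelling variants across feeds compare equal."""
    v = raw.strip().lower()
    if kind == "domain":
        v = v.rstrip(".")  # "EVIL.example." -> "evil.example"
    elif kind == "hash" and not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", v):
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hash: {raw!r}")
    return v

def build_index(feed, today):
    """Deprecate expired IOC and index the rest by (kind, normalized value)."""
    return {(i.kind, normalize(i.kind, i.value)): i for i in feed if i.expires >= today}

# one regex per indicator type, pulling the observable out of a log line
EXTRACTORS = {"ip": re.compile(r"dst=([0-9.]+)"),
              "domain": re.compile(r"query=([A-Za-z0-9.-]+)"),
              "hash": re.compile(r"sha256=([0-9A-Fa-f]{64})")}

def match_events(index, events):
    """Correlate log events with the IOC index; return hits, highest confidence first."""
    hits = []
    for line in events:
        for kind, rx in EXTRACTORS.items():
            m = rx.search(line)
            key = (kind, normalize(kind, m.group(1))) if m else None
            if key in index:
                hits.append((index[key].confidence, key[1], line))
    return sorted(hits, key=lambda h: CONFIDENCE_RANK[h[0]], reverse=True)
# constructed sample feed and log lines (documentation ranges, not real indicators)
FEED = [Ioc("domain", "EVIL.example.", "High", date(2030, 1, 1)),
        Ioc("ip", "203.0.113.7", "Low", date(2030, 1, 1)),
        Ioc("hash", "A" * 64, "Medium", date(2020, 1, 1))]  # already deprecated
LOGS = ["2024-05-01T10:00:00Z dns query=evil.example rcode=NOERROR",
        "2024-05-01T10:00:01Z fw action=allow dst=203.0.113.7 dport=443",
        "2024-05-01T10:00:02Z edr file sha256=" + "a" * 64 + " path=/tmp/x"]
INDEX = build_index(FEED, date(2024, 5, 1))
HITS = match_events(INDEX, LOGS)
```

The deprecated hash never fires even though the EDR line carries it, and the two remaining hits come back with the High-confidence domain match ahead of the Low-confidence IP match, which is the order an analyst would triage them.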
Tools
Management
- MISP: Management platform
- OpenCTI: Threat intelligence platform
- ThreatConnect: Commercial platform
- Anomali: Commercial platform
Analysis
- YARA: Rule engine
- Sigma: Detection rules
- STIX/TAXII: Threat intelligence standards
- IOC Editor: IOC editor
Best Practices
Quality
- Verification: Verify IOC before using
- Context: Provide context
- Updates: Keep updated
- Deprecation: Deprecate obsolete IOC
Sharing
- Standards: Use standards
- Format: Consistent format
- Metadata: Include metadata
- Privacy: Consider privacy
Application
- Prioritization: Prioritize IOC
- Context: Apply context
- Monitoring: Monitor effectiveness
- Improvement: Continuously improve
Related Concepts
- Security Breaches - Incidents that generate IOC
- Attack Vectors - Methods that generate IOC
- Patient 0 - System that generates IOC
- APT - Threats that generate IOC
- Incident Response - Process that uses IOC
- Forensic Analysis - Methodology that identifies IOC
- Penetration Testing - Technique that generates IOC
- SIEM - System that correlates IOC
- SOAR - Automation that processes IOC
- EDR - Tool that detects IOC
- Firewall - Device that generates IOC
- CISO - Role that manages IOC