Definition

indicators of compromise (IOC)

By

Robert Sheldon
Madelyn Bacon, TechTarget

What are indicators of compromise (IOC)?

An indicator of compromise (IOC) is a piece of digital forensic evidence that points to the likely breach of a network or endpoint system. The breach might be the result of malware, compromised credentials, insider threats or other malicious behavior. By the time a security team discovers an IOC, it's likely that a breach has already occurred, which means that data could have been compromised. Even so, an IOC can still help the security team eliminate the threat and limit the damage.

Security teams typically monitor for IOCs as part of a larger cybersecurity strategy. The quicker they can discover and act upon discovered IOCs, the more effectively they can respond to that breach. If security teams catch an IOC breach in progress, they might be able to contain the damage. IOCs can also provide teams with insight into the nature of a breach so they can more effectively protect the systems going forward and improve the overall incident response processes.

Types of indicators of compromise

Security teams rely on a wide range of IOCs to protect network and endpoint systems. Various sources categorize IOCs in different ways. One approach is to separate them into three broad categories:

Network-based. Network-based IOCs can include events such as unusual traffic patterns or the unexpected use of protocols or ports. For example, there might be a sudden increase in traffic to a specific website or unexpected connections to URLs, IP addresses or domains that are known to be malicious.
Host-based. Host-based IOCs reveal suspicious behavior on individual endpoints. They can include a wide range of potential threats, including unknown processes, suspicious hash files or other types of files, changes to system settings or file permissions, or changes to file names, extensions or locations. File-based IOCs are sometimes treated as a separate category from host-based IOCs.
Behavioral. Behavioral IOCs reflect behaviors across the network or computer systems, such as repeated failed login attempts or logins at unusual times. This category is sometimes incorporated into the other categories.

By using the various types of IOCs, security teams can more competently detect and respond to security breaches, as well as be more proactive in preventing them. The teams can also share this information with other organizations to help improve incident response and computer forensics. Such cooperation has led to standard threat intelligence feeds such as OpenIOC and STIX/TAXII, among others.

Examples of common IOCs: suspicious hash files, malicious software and code, dangerous IP addresses and digital footprint or indicator of an attacker's work. — Security teams rely on a range of IOCs to protect network and endpoint systems. Here are a few examples of common IOCs.

Security professionals look for IOCs in system and security logs, network traffic monitoring systems, enterprise security platforms and other sources. Examples of IOCs include the following:

Unusual inbound or outbound network traffic patterns, such as unexpected spikes in outbound data transfers.
Unexpected increases in the number of database reads, which can occur when attackers try to extract data.
Unusual activity for privileged or administrator accounts, such as requests for expanded permissions.
Login anomalies or unusual attempts to access resources, such as a sudden increase in access requests.
Unknown files, services, processes or applications suddenly appearing on a system, such as unexpected software installations.
Suspicious changes to registries, system files or system configurations, which can occur if an attacker is trying to take control of a system.
Geographic anomalies, such as unexplained traffic from a particular country or region.
Unusual domain name system requests, which can occur as a result of command-and-control attacks.
File-related anomalies, such as a spike in requests for the same file.

By tracking these and other unusual activities, security teams can respond to malicious behavior quickly and effectively. However, IOC tracking alone is not enough to fully protect network and endpoint systems. For this reason, most organizations track IOCs in conjunction with solutions such as security information and event management, extended detection and response, endpoint detection and response, and intrusion detection system, among others.

Explore top incident response service providers, vendors and software and cloud incident response frameworks and best practices. Read about five digital forensics tools experts use. Learn all about threat detection and response and threat hunting techniques, tactics and strategies. Check out 12 common types of malware attacks and how to prevent them.

This was last updated in January 2024

Continue Reading About indicators of compromise (IOC)

Industrial control system security needs ICS threat intelligence

Top SOAR use cases to implement in enterprise SOCs

Threat intelligence offers promise, but limitations remain

Security log management and logging best practices

Ransomware detection techniques to catch an attack

Dig Deeper on Security operations and management

Search Networking

How AIOps enables next-generation networking
As networks grow more complex, management becomes more difficult. AIOps can help network administrators transition to and manage ...
BGP routing: A configuration and troubleshooting tutorial
BGP is the internet's core routing protocol, enabling communication between ISPs and large networks. This guide covers its ...
Cisco Live 2025 conference coverage and analysis
Cisco Live 2025 will largely focus on the need to modernize infrastructure with AI capabilities. Use this guide to follow along ...

Search CIO

Proposed U.S. budget cuts raise fears about tech innovation
President Donald Trump's proposed FY 2026 budget slashes funding for federal agencies, including NSF and NIST, which support tech...
RIT showcase offers glimpse of early tech innovation cycle
Connected vehicle security, AI and 3D printing were among the technologies featured at Imagine RIT, an annual exhibition focusing...
Contempt order worsens Apple's antitrust woes
A federal judge found Apple to be in contempt of an injunction ordering the company to make access to alternative payment options...

Search Enterprise Desktop

How to create a custom Windows 11 image with Hyper-V
When administrators can deploy Windows systems in many ways, creating a custom VM with Hyper-V enables them to efficiently deploy...
End users can code with AI, but IT must be wary
The scale and speed of generative AI coding -- known as vibe coding -- are powerful, but users might be misapplying this ...
10 troubleshooting steps for when Windows Update is frozen
When a Windows desktop is frozen and can't update, there could be many causes. The troubleshooting process can be complicated, ...

Search Cloud Computing

Get started with Amazon Q Developer
Amazon Q Developer is a versatile tool for software development, offering code generation, optimization recommendations and ...
HPE adds Morpheus Data to KVM hypervisor for enterprises
A KVM hypervisor by Hewlett-Packard Enterprise evolves with technology and capabilities from Morpheus Data, an HPE acquisition, ...
Gain insights with Enhanced Monitoring in Amazon RDS
RDS Enhanced Monitoring provides teams with additional data visibility to improve database scalability, performance, availability...

ComputerWeekly.com

Connectivity kicks in for Sunderland at the Stadium of Light
Sunderland AFC enhances high-demand density connectivity coverage, capacity and performance across stadium involving leading ...
Chinese cyber spooks lure laid-off US government workers
A Washington DC-based think tank has published evidence that Chinese intelligence services have been running a network of digital...
Trump visit bolsters Saudi AI
A new AI datacentre is among the initiatives the White House announced during the president’s Middle East visits

Close