Definition

indicators of compromise (IOC)

By

Robert Sheldon
Madelyn Bacon, TechTarget

What are indicators of compromise (IOC)?

An indicator of compromise (IOC) is a piece of digital forensic evidence that points to the likely breach of a network or endpoint system. The breach might be the result of malware, compromised credentials, insider threats or other malicious behavior. By the time a security team discovers an IOC, it's likely that a breach has already occurred, which means that data could have been compromised. Even so, an IOC can still help the security team eliminate the threat and limit the damage.

Security teams typically monitor for IOCs as part of a larger cybersecurity strategy. The quicker they can discover and act upon discovered IOCs, the more effectively they can respond to that breach. If security teams catch an IOC breach in progress, they might be able to contain the damage. IOCs can also provide teams with insight into the nature of a breach so they can more effectively protect the systems going forward and improve the overall incident response processes.

Types of indicators of compromise

Security teams rely on a wide range of IOCs to protect network and endpoint systems. Various sources categorize IOCs in different ways. One approach is to separate them into three broad categories:

Network-based. Network-based IOCs can include events such as unusual traffic patterns or the unexpected use of protocols or ports. For example, there might be a sudden increase in traffic to a specific website or unexpected connections to URLs, IP addresses or domains that are known to be malicious.
Host-based. Host-based IOCs reveal suspicious behavior on individual endpoints. They can include a wide range of potential threats, including unknown processes, suspicious hash files or other types of files, changes to system settings or file permissions, or changes to file names, extensions or locations. File-based IOCs are sometimes treated as a separate category from host-based IOCs.
Behavioral. Behavioral IOCs reflect behaviors across the network or computer systems, such as repeated failed login attempts or logins at unusual times. This category is sometimes incorporated into the other categories.

By using the various types of IOCs, security teams can more competently detect and respond to security breaches, as well as be more proactive in preventing them. The teams can also share this information with other organizations to help improve incident response and computer forensics. Such cooperation has led to standard threat intelligence feeds such as OpenIOC and STIX/TAXII, among others.

Examples of common IOCs: suspicious hash files, malicious software and code, dangerous IP addresses and digital footprint or indicator of an attacker's work. — Security teams rely on a range of IOCs to protect network and endpoint systems. Here are a few examples of common IOCs.

Security professionals look for IOCs in system and security logs, network traffic monitoring systems, enterprise security platforms and other sources. Examples of IOCs include the following:

Unusual inbound or outbound network traffic patterns, such as unexpected spikes in outbound data transfers.
Unexpected increases in the number of database reads, which can occur when attackers try to extract data.
Unusual activity for privileged or administrator accounts, such as requests for expanded permissions.
Login anomalies or unusual attempts to access resources, such as a sudden increase in access requests.
Unknown files, services, processes or applications suddenly appearing on a system, such as unexpected software installations.
Suspicious changes to registries, system files or system configurations, which can occur if an attacker is trying to take control of a system.
Geographic anomalies, such as unexplained traffic from a particular country or region.
Unusual domain name system requests, which can occur as a result of command-and-control attacks.
File-related anomalies, such as a spike in requests for the same file.

By tracking these and other unusual activities, security teams can respond to malicious behavior quickly and effectively. However, IOC tracking alone is not enough to fully protect network and endpoint systems. For this reason, most organizations track IOCs in conjunction with solutions such as security information and event management, extended detection and response, endpoint detection and response, and intrusion detection system, among others.

Explore top incident response service providers, vendors and software and cloud incident response frameworks and best practices. Read about five digital forensics tools experts use. Learn all about threat detection and response and threat hunting techniques, tactics and strategies. Check out 12 common types of malware attacks and how to prevent them.

This was last updated in January 2024

Continue Reading About indicators of compromise (IOC)

Industrial control system security needs ICS threat intelligence

Top SOAR use cases to implement in enterprise SOCs

Threat intelligence offers promise, but limitations remain

Security log management and logging best practices

Ransomware detection techniques to catch an attack

Dig Deeper on Security operations and management

Search Networking

12 remote access security risks and how to prevent them
Enterprises face myriad remote access security concerns, but training and clear communication can help bolster security programs ...
How to use Cilium Hubble for network observability
Cilium's Hubble tool provides network observability while working in Kubernetes. This guide explains how Hubble works and how to ...
HPE Aruba deepens network security and OpsRamp visibility
A new 'digital circuit breaker' capability for HPE Private Clouds, increased visibility of third-party hardware with OpsRamp and ...

Search CIO

Key differences between chief data officers vs. CIOs
CDOs and CIOs hold distinct roles in the tech-driven C-suite. Both roles are key to improving data collection and usage ...
Chief digital officer vs. chief technology officer: An explainer
For many enterprise organizations, CDOs focus mostly on digital strategy and customer engagement, while CTOs focus on managing ...
Enterprise risk management team: Roles and responsibilities
Every facet of business operations is exposed to risks, requiring a risk management team that's composed of a diverse mix of ...

Search Enterprise Desktop

End users can code with AI, but IT must be wary
The scale and speed of generative AI coding -- known as vibe coding -- are powerful, but users might be misapplying this ...
10 troubleshooting steps for when Windows Update is frozen
When a Windows desktop is frozen and can't update, there could be many causes. The troubleshooting process can be complicated, ...
Troubleshooting the most common issues with Windows 11
When Windows 11 administrators encounter an issue with a desktop without a clear fix, they should perform general troubleshooting...

Search Cloud Computing

Nutanix expands storage, Kubernetes and AI platforms at Next
The latest capabilities and partnerships highlighted at Nutanix's Next conference expand disaggregated storage to Pure Storage, ...
Explore edge computing services in the cloud
Discover the powerful advantages of edge computing over cloud computing, delivering faster performance and significantly lowering...
A guide to the CompTIA Cloud Essentials+ certification exam
The CompTIA Cloud Essentials+ certification empowers nontechnical professionals with essential cloud knowledge to make informed ...

ComputerWeekly.com

Threats versus potential benefits: Weighing up the enterprise risk of embracing AI
Technological opportunities typically come with a certain amount of risk – and generative AI adoption is no exception
UK broadband hits 2025 target with strong first quarter
Study from UK communications regulator finds gigabit broadband on track to become virtually universally available across country ...
Ransomware: What the LockBit 3.0 data leak reveals
An administration interface instance for the ransomware franchise's affiliates was attacked on 29 April. Data from its SQL ...

Close