IOC (Indicator of Compromise)
Evidence that indicates a security breach has occurred, such as malicious IP addresses, file hashes, or unusual system behaviors.
What is an IOC?
An Indicator of Compromise (IOC) is a piece of forensic data that identifies potentially malicious activity on a system or network. IOCs help security teams detect breaches and understand the nature of attacks.
Types of IOCs
Network-based:
- IP addresses of known malicious servers
- Domain names used in attacks
- URLs of malware distribution sites
- Unusual network traffic patterns
Host-based:
- File hashes (MD5, SHA-1, SHA-256)
- Registry modifications
- Suspicious file paths
- Process names and behaviors
Behavioral:
- Unusual login patterns
- Data exfiltration signs
- Privilege escalation attempts
- Lateral movement indicators
Using IOCs
- Collection: Gather IOCs from threat intelligence sources
- Integration: Import into security tools
- Detection: Monitor for IOC matches
- Response: Investigate and contain threats
- Sharing: Contribute to threat intelligence
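The collection, integration and detection steps above, as an added Python example that is not part of the original entry: it normalizes defanged feed entries (the "[.]" and "hxxp" conventions many feeds publish) and then matches IP, domain and SHA-256 indicators against log lines. Every feed value and log line is constructed for the example (documentation IP ranges, a reserved TLD, a made-up hash).

```python
import re
# Constructed threat-feed entries, defanged as feeds commonly publish them (not real indicators).
RAW_FEED = [
    ("ip", "203[.]0[.]113[.]45"),
    ("domain", "Update-CDN[.]example"),
    ("sha256", "0123456789ABCDEF" * 4),
]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)

def refang(value):
    """Normalize a defanged feed value ('[.]', '(.)', 'hxxp') so it compares equal to what logs contain."""
    return value.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")

def load_iocs(feed):
    """Integration step: build {ioc_type: set(normalized values)} from (type, value) feed tuples."""
    iocs = {}
    for kind, value in feed:
        iocs.setdefault(kind, set()).add(refang(value))
    return iocs

def extract_observables(line):
    """Pull candidate IPs, domains and SHA-256 hashes out of one log line, lower-cased for comparison."""
    return {
        "ip": set(IP_RE.findall(line)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
        "sha256": {h.lower() for h in SHA256_RE.findall(line)},
    }

def match_line(line, iocs):
    """Detection step: return sorted (ioc_type, value) hits for one line; empty list if none."""
    observed = extract_observables(line)
    return sorted((kind, v) for kind, seen in observed.items() for v in seen & iocs.get(kind, set()))

def scan_logs(lines, iocs):
    """Scan lines in order; return [(line_number, hits)] only for lines with at least one hit."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := match_line(line, iocs))]

# Constructed log lines: firewall, DNS and EDR events from a fictional host (10.0.0.8).
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z fw ALLOW src=10.0.0.8 dst=203.0.113.45 dport=443",
    "2024-05-01T10:02:15Z dns query=update-cdn.example client=10.0.0.8",
    "2024-05-01T10:03:40Z edr file=C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe sha256=" + "0123456789abcdef" * 4,
    "2024-05-01T10:04:02Z fw ALLOW src=10.0.0.9 dst=198.51.100.7 dport=80",
]

if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS, load_iocs(RAW_FEED)):
        print(f"line {n}: {hits}")
```

The fourth sample line produces no hit, showing that traffic to an unlisted address stays silent; in practice the same matcher would run over a SIEM export rather than an inline list.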
IOC Sources
- Threat intelligence feeds
- Security vendor reports
- ISACs (Information Sharing and Analysis Centers)
- Open source intelligence
- Internal incident analysis