Overview: Indicators of Compromise (IOC)

Quick Definition

An Indicator of Compromise (IOC) is a piece of digital forensics that suggests that an endpoint or network may have been breached. Just as with physical evidence, these digital clues help information security professionals identify malicious activity or security threats, such as data breaches, insider threats or malware attacks.

Investigators can gather indicators of compromise manually after noticing suspicious activity or automatically as part of the organization’s cybersecurity monitoring capabilities. This information can be used to help mitigate an in-progress attack or remediate an existing security incident, as well as create “smarter” tools that can detect and quarantine suspicious files in the future.

Unfortunately, IOC monitoring is reactive in nature, which means that if an organization finds an indicator, it is almost certain that they have already been compromised. That said, if the event is in-progress, the quick detection of an IOC could help contain attacks earlier in the attack lifecycle, thus limiting their impact to the business.

As cyber criminals become more sophisticated, indicators of compromise have become more difficult to detect. The most common IOCs—such as an md5 hash, C2 domain or hard coded IP address, registry key and filename—are constantly changing, which makes detection more difficult.