
Indicators of Compromise

Sam Ingalls
Last Updated January 14, 2022 1:23 pm

When a system administrator finds anomalous or malicious behavior in network traffic, that evidence may be an indicator of compromise (IOC): a sign of a potential intrusion or cyber attack.

Indicators of compromise (IOCs) is a term used in the cybersecurity industry for the breadcrumbs left behind by threat actors following a security event. These pieces of forensic evidence give stakeholders visibility into how a breach took place, what it resulted in, and more.

What are Indicators of Compromise (IOCs)?

Indicators of Compromise (IOCs) are examples of abnormal or malicious behavior reflecting the intrusion of an external user or program within internal organization networks. IOCs help network administrators map a threat actor’s attack route and determine the impact of the compromise. While users sometimes accidentally breach a protected system, security breaches often reflect a vulnerability requiring an incident response strategy and remediation.


Examples of Indicators of Compromise (IOC)

  • Unusual types and volumes of inbound and outbound traffic
  • A high number of database queries or requests for the same file
  • Distributed Denial of Service (DDoS) attack behavior
  • Irregular access or traffic based on user geographic location
  • Anomalous or suspicious behavior by privileged user accounts
  • A large number of changes in device or directory profiles
  • Unexplainable files and new data appearing in system folders
  • Altered files, systems, registry, or DNS configurations
  • Log-in activity indicating malicious probing for access or a brute force attack
  • The identification of unusual port-application traffic
  • Unauthorized or mysterious patching of software and applications
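Several of the indicators listed above are visible in ordinary authentication and proxy logs. The following is an added example, not code from the original article: a small triage script that runs constructed sample log lines through three checks corresponding to items in the list (log-in activity suggesting a brute-force attack, access from an unexpected geographic location, and traffic to an address on a threat-intelligence watchlist). The log format, the watchlist, the IP-to-country lookup and the per-user expected countries are all assumptions invented for the example; the IP addresses are from documentation ranges.

```python
# Added example (not from the original article): minimal IOC triage over
# constructed log lines. Log format, watchlist and geolocation tables are
# assumptions made for this example only.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <event> <user> <src_ip>".
SAMPLE_LOG = """\
2022-01-14T09:00:01 LOGIN_FAIL alice 203.0.113.7
2022-01-14T09:00:03 LOGIN_FAIL alice 203.0.113.7
2022-01-14T09:00:05 LOGIN_FAIL alice 203.0.113.7
2022-01-14T09:00:07 LOGIN_FAIL alice 203.0.113.7
2022-01-14T09:00:09 LOGIN_FAIL alice 203.0.113.7
2022-01-14T09:00:11 LOGIN_OK alice 203.0.113.7
2022-01-14T09:15:00 LOGIN_OK bob 198.51.100.22
2022-01-14T09:20:00 OUTBOUND svc-backup 192.0.2.99
2022-01-14T10:00:00 LOGIN_OK carol 10.0.0.5
"""

# Constructed threat-intelligence watchlist (documentation-range address).
KNOWN_BAD_IPS = {"192.0.2.99"}

# Constructed geolocation lookup and the country each user normally works from.
IP_COUNTRY = {"203.0.113.7": "XX", "198.51.100.22": "ZZ",
              "192.0.2.99": "XX", "10.0.0.5": "US"}
EXPECTED_COUNTRY = {"alice": "US", "bob": "US", "carol": "US"}


def parse_log(text):
    """Parse the constructed log format into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "src": src})
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """IOC: `threshold` failed logins from one source inside `window`.
    Also records whether that source later logged in successfully, which
    separates an attempted attack from a likely compromise.
    Returns {src_ip: {"failures": n, "succeeded_after": bool}}."""
    fails, oks = defaultdict(list), defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e["src"]].append(e["ts"])
        elif e["event"] == "LOGIN_OK":
            oks[e["src"]].append(e["ts"])
    hits = {}
    for src, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            burst_end = times[i + threshold - 1]
            if burst_end - times[i] <= window:
                hits[src] = {"failures": len(times),
                             "succeeded_after": any(t > burst_end for t in oks[src])}
                break
    return hits


def find_geo_anomalies(events):
    """IOC: successful logins from a country the user is not expected to use.
    Returns a sorted list of (user, src_ip, observed_country)."""
    return sorted({(e["user"], e["src"], IP_COUNTRY.get(e["src"], "??"))
                   for e in events
                   if e["event"] == "LOGIN_OK"
                   and IP_COUNTRY.get(e["src"]) != EXPECTED_COUNTRY.get(e["user"])})


def find_watchlist_hits(events):
    """IOC: any event whose source address is on the threat-intel watchlist."""
    return [(e["ts"].isoformat(), e["event"], e["user"], e["src"])
            for e in events if e["src"] in KNOWN_BAD_IPS]


def triage(text=SAMPLE_LOG):
    """Run all three checks and return their findings keyed by indicator type."""
    events = parse_log(text)
    return {"brute_force": find_brute_force(events),
            "geo_anomalies": find_geo_anomalies(events),
            "watchlist_hits": find_watchlist_hits(events)}


if __name__ == "__main__":
    for kind, hits in triage().items():
        print(f"{kind}: {hits}")
```

On the sample data the brute-force check reports the five rapid failures from 203.0.113.7 and notes that the same source then succeeded, the geographic check flags alice's and bob's logins from countries they are not expected to use, and the watchlist check catches the outbound connection from svc-backup to the listed address. In practice each finding is a lead for the investigation described later in the article, not a verdict on its own.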

How to Recognize Indicators of Compromise

Network administrators and SOC analysts can recognize indicators of compromise through anything from a routine scan to deeper inspections and investigations. With tools for digital forensics and incident response (DFIR), threat intelligence, and advanced endpoint security, organizations have several security solutions available to help in this effort.

Endpoint security and threat intelligence are foundational tools needed to detect potential threats and protect against malware. At the same time, DFIR is increasingly necessary to spot malicious behavior, investigate security incidents, and remediate vulnerabilities or breaches.


How to Respond to IOCs

When network administrators discover indicators of compromise, it’s essential to investigate further and remediate any existing vulnerabilities that could lead to another breach. Closing security gaps granting unauthorized access to critical systems should be the priority. Secondary, but also important, is determining what impact the security event had, if any, on the broader business, specific systems, applications, or users. 

Indicators of Compromise vs. Indicators of Attack

Indicators of compromise (IOCs) and indicators of attack (IOAs) describe different aspects of detecting, identifying, and responding to a potential attack. Together, both are examples of indicators of intelligence.

|             | Indicators of Compromise (IOC)                                  | Indicators of Attack (IOA)                            |
|-------------|-----------------------------------------------------------------|-------------------------------------------------------|
| Indicator   | Post-attack detection                                           | Real-time attack detection                            |
| Remediation | Reactive                                                        | Proactive                                             |
| Tools       | DFIR                                                            | Threat Intelligence, EDR, UEBA                        |
| Examples    | Vulnerabilities, malware, exploits, signatures, IP addresses    | Remote code execution (RCE), lateral movement, C2C    |

While IOCs offer visibility and context in light of a security attack, IOAs are a part of a growing demand for advanced threat intelligence and real-time insight into advanced persistent threats (APT).
