Indicators of Compromise

When a system administrator finds anomalous or malicious behavior in network traffic, that evidence may be an indicator of compromise (IOC): a sign of a potential intrusion or cyber attack.

Indicators of compromise (IOCs) is the term used in the cybersecurity industry for the breadcrumbs left behind by threat actors after a security event. These pieces of forensic evidence give stakeholders visibility into how a breach took place, what it resulted in, and more.

What are Indicators of Compromise (IOCs)?

Indicators of Compromise (IOCs) are signs of abnormal or malicious behavior that reflect the intrusion of an external user or program into an organization's internal networks. IOCs help network administrators map a threat actor's attack route and determine the impact of the compromise. While users sometimes breach a protected system by accident, security breaches often reflect a vulnerability that requires an incident response strategy and remediation.


Examples of Indicators of Compromise (IOC)

  • Unusual types and volumes of inbound and outbound traffic
  • A high number of database queries or requests for the same file
  • Distributed Denial of Service (DDoS) attack behavior
  • Irregular access or traffic based on user geographic location
  • Anomalous or suspicious behavior by privileged user accounts
  • A large number of changes in device or directory profiles
  • Unexplainable files and new data appearing in system folders
  • Altered files, systems, registry, or DNS configurations
  • Log-in activity indicating malicious probing for access or a brute force attack
  • The identification of unusual port-application traffic
  • Unauthorized or mysterious patching of software and applications
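As an added example (not part of the original article), the following Python flags two of the indicators listed above in constructed auth log lines: login activity that looks like brute-force probing, and a successful login from a source that was just probing. The log format, the threshold of five failures per minute and the addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (syslog-like); not taken from a real system.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for root from 203.0.113.7 port 51022
2024-05-01T10:00:03 sshd: Failed password for admin from 203.0.113.7 port 51023
2024-05-01T10:00:04 sshd: Failed password for oracle from 203.0.113.7 port 51024
2024-05-01T10:00:06 sshd: Failed password for test from 203.0.113.7 port 51025
2024-05-01T10:00:08 sshd: Failed password for guest from 203.0.113.7 port 51026
2024-05-01T10:00:09 sshd: Accepted password for root from 203.0.113.7 port 51027
2024-05-01T10:05:00 sshd: Failed password for alice from 198.51.100.4 port 40001
2024-05-01T10:30:00 sshd: Accepted password for alice from 198.51.100.4 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$"
)

def parse_events(text):
    """Turn raw lines into (timestamp, result, user, source) tuples; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events

def find_login_iocs(text, threshold=5, window=timedelta(seconds=60)):
    """Report brute-force probing (>= threshold failures from one source inside `window`)
    and any successful login from a source already flagged for probing, which suggests
    the probing may have worked and the account should be treated as compromised."""
    failures = defaultdict(list)   # source -> timestamps of recent failed logins
    flagged = set()                # sources already reported for probing
    findings = []
    for ts, result, user, src in sorted(parse_events(text)):
        if result == "Failed":
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append({"source": src, "indicator": "brute-force probing",
                                 "detail": f"{len(recent)} failures within {window.seconds}s"})
        elif src in flagged:
            findings.append({"source": src, "indicator": "success after probing",
                             "detail": f"account '{user}' accepted after failed attempts"})
    return findings

if __name__ == "__main__":
    for finding in find_login_iocs(SAMPLE_LOG):
        print(finding)
```

The single failed login from 198.51.100.4 stays below the threshold, so only the probing source and its later successful login are reported.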

How to Recognize Indicators of Compromise

Network administrators and SOC analysts can recognize indicators of compromise through anything from a routine scan to deeper inspections and investigations. With tools for digital forensics and incident response (DFIR), threat intelligence, and advanced endpoint security, organizations have several security solutions available to help in this effort.

Endpoint security and threat intelligence are foundational tools for detecting potential threats and protecting against malware. At the same time, DFIR is increasingly necessary to spot malicious behavior, investigate security incidents, and remediate vulnerabilities or breaches.


How to Respond to IOCs

When network administrators discover indicators of compromise, they should investigate further and remediate any existing vulnerabilities that could lead to another breach. Closing the security gaps that grant unauthorized access to critical systems should be the priority. Secondary, but also important, is determining what impact the security event had, if any, on the broader business and on specific systems, applications, or users.

Indicators of Compromise vs. Indicators of Attack

Indicators of compromise (IOCs) and indicators of attack (IOAs) describe different aspects of detecting, identifying, and responding to a potential attack. Together, both are examples of indicators of intelligence.

          | Indicators of Compromise (IOC)                               | Indicators of Attack (IOA)
Indicator | Post-attack detection                                        | Real-time attack detection
Tools     | DFIR                                                         | Threat intelligence, EDR, UEBA
Examples  | Vulnerabilities, malware, exploits, signatures, IP addresses | Remote code execution (RCE), lateral movement, C2C

While IOCs offer visibility and context after a security attack, IOAs answer a growing demand for advanced threat intelligence and real-time insight into advanced persistent threats (APTs).

Sam Ingalls
Sam Ingalls is an award-winning writer and researcher covering enterprise technology, cybersecurity, data centers, and IT trends, for eSecurity Planet, TechRepublic, ServerWatch, Webopedia, and Channel Insider.
