What are indicators of compromise?

Indicators of compromise (IOCs) refer to forensic data that signal potential security breaches or malicious activity within a system or network, such as specific file signatures, IP addresses, URLs or domain names.

Common IOCs include unusual outbound network traffic, altered system files and abnormal login patterns. IOCs help security teams identify suspicious behaviour and determine if a system has been compromised. By analysing these indicators, organisations can detect, respond to and mitigate cyberattacks, malware infections or unauthorised access.

How to identify indicators of compromise

Attackers often leave behind digital footprints in the system and log files of an organisation when it is compromised by a cyberattack. IOCs are identified through a combination of monitoring, analysing and correlating system behaviours and network traffic for signs of malicious activity.

Both automated tools and human analysis are used to identify IOCs. Tools like antivirus software employ signature-based detection to spot known malware patterns. Using anomaly detection, AI systems can flag unusual behaviours, such as irregular logins or data transfers.

Threat intelligence feeds can provide updated lists of known IOCs, such as malicious IPs or domains, which can be cross-referenced with internal system logs. Security teams can conduct log analysis, examining logs from firewalls and intrusion detection systems for signs of attacks. Analysts can also conduct manual investigations, reviewing system behaviour, files and network activity for signs of compromise.
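As an added illustration of cross-referencing a feed against internal logs (example code written for this page, not Silobreaker's own software), the block below classifies each feed entry as an IP, hash or domain and then scans constructed log lines for matches. The feed values, log lines and key=value log format are all constructed for the example.

```python
import ipaddress
import re
# Constructed sample feed (documentation-range values, not real indicators), one entry per line.
FEED = """198.51.100.23
bad-update.example
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
# comment lines and junk must not crash the loader"""
LOGS = [  # constructed sample lines in a simplified key=value format (firewall, proxy, EDR)
    "2024-05-01T10:02:11Z fw action=allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2024-05-01T10:02:15Z proxy host=cdn.bad-update.example path=/x status=200",
    "2024-05-01T10:03:01Z edr proc=svchost.exe sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2024-05-01T10:04:40Z fw action=allow src=10.0.0.7 dst=203.0.113.9 dport=80",
]
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # MD5 / SHA-1 / SHA-256
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
TOKEN_RE = re.compile(r"[A-Za-z0-9.:-]+")  # splits log lines at '=', '/' and whitespace

def classify(indicator):
    """Return 'ip', 'hash', 'domain' or 'unknown' for one feed entry."""
    value = indicator.strip().lower()
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        if HASH_RE.match(value):
            return "hash"
        return "domain" if DOMAIN_RE.match(value) else "unknown"

def load_feed(text):
    """Map each classifiable entry (lower-cased) to its type; unclassifiable lines are dropped."""
    feed = {}
    for line in text.splitlines():
        kind = classify(line)
        if kind != "unknown":
            feed[line.strip().lower()] = kind
    return feed

def match_logs(feed, lines):
    """Return (line_no, ioc_type, feed_value) per hit; a listed domain also matches its subdomains."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for token in TOKEN_RE.findall(line):
            value = token.lower()  # hashes are often logged upper-case; the feed is lower-cased
            candidates = [value]
            if DOMAIN_RE.match(value):  # also try parent domains: cdn.x.example -> x.example
                labels = value.split(".")
                candidates += [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
            for cand in candidates:
                if cand in feed:
                    hits.append((n, feed[cand], cand))
                    break
    return hits
```

In practice the feed would be refreshed on a schedule and the matcher run over a SIEM export; the subdomain walk is what catches infrastructure that rotates hostnames under a listed domain.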

Why organisations should monitor indicators of compromise

Monitoring IOCs is crucial for organisations to proactively detect and respond to cyber threats. It enables organisations to detect threats at an early stage, before they cause significant damage. Additionally, IOCs provide valuable threat intelligence, helping organisations understand the tactics, techniques and procedures (TTPs) used by attackers. This information can be used to improve security defences and prevent future attacks.

In the event of a compromise, IOCs can be used to identify the source of the attack and trace the attacker’s activities. This information is essential for effective incident response and remediation. In addition, many regulations and industry standards require organisations to monitor for IOCs as part of their cybersecurity compliance efforts.

Examples of indicators of compromise

Common examples of indicators of compromise include:

  • Unusual network traffic – Abnormal spikes in network traffic or unusual connections to unknown IP addresses, which can indicate a ransomware attack
  • Suspicious login activity – Failed login attempts, unusual login times or locations, or unauthorised access to sensitive systems or data
  • Unusual account activity – Privilege escalation or unexpected use of administrative accounts
  • Malware detection – The presence of malicious software on systems or networks
  • Data exfiltration – Unusual data transfers or downloads, especially of sensitive information
  • System changes – Unauthorised changes to system configurations or settings
  • Abnormal resource usage – Unusual spikes in CPU, memory or network resource usage
  • Unusual email activity – Phishing emails, spam campaigns or unauthorised email account access
  • Unrecognised software – Installation of unauthorised or unknown applications on the system
  • Security alerts – Alerts from security systems or tools indicating potential threats

IOCs can vary widely depending on the type of attack and the specific target. Organisations often develop a list of specific IOCs that are relevant to their specific environment and monitor for these indicators on a regular basis.

Types of indicators of compromise

Different types of IOCs can be used to detect security breaches, including:

  • File-based IOCs – Suspicious files like malware, file hashes or unexpected changes in file properties (e.g., size, type)
  • Network-based IOCs – Abnormal network traffic, unusual communication patterns or connections to known malicious IP addresses and domains
  • Email-based IOCs – Phishing emails, suspicious attachments or spoofed sender addresses
  • Behavioural IOCs – Unusual or unauthorised user behaviour, such as unexpected logins or privilege escalation
  • Host-based IOCs – Changes in system configurations, unexpected processes or unauthorised modifications to registry entries, which can be indicators of a ransomware compromise
  • Application-based IOCs – Anomalies or irregularities within specific applications or software
  • Data-based IOCs – Unusual data transfers or downloads, data loss or changes to data ownership or access permissions

IOCs can overlap and vary depending on the specific attack and the target environment.

Indicators of compromise vs. indicators of attack

Indicators of compromise and indicators of attack (IOAs) focus on different aspects of a potential threat. IOCs are evidence of past attacks: they show that a system has already been breached or compromised.

Indicators of attack, on the other hand, focus on identifying malicious intent and behaviours as an attack is in progress. IOAs highlight tactics, techniques and procedures used by attackers, such as privilege escalation attempts, lateral movement or suspicious system changes. They help detect and prevent attacks before or during the intrusion.

In short, IOCs help detect attacks after they occur and guide incident response efforts, while IOAs help identify active or potential threats in real time.

How to respond to indicators of compromise

When an organisation detects an indicator of compromise, it should respond swiftly and methodically to contain the threat, investigate the incident and remediate any damage. Key steps in the response process include:

  • Investigate and confirm – Determine if the IOC is part of an actual breach. This may involve cross-referencing threat intelligence databases or performing deeper forensic analysis
  • Isolate affected systems – Prevent further damage by isolating compromised devices or networks from the rest of the environment to stop the spread of malware or attackers
  • Contain and eliminate the threat – Identify the source of the compromise and take action to remove malicious software, close vulnerabilities or block unauthorised access
  • Perform incident analysis – Conduct a root cause analysis to understand how the compromise occurred and whether additional systems are affected
  • Remediate and restore – Patch vulnerabilities, reconfigure security settings and restore systems from clean backups
  • Report and communicate – Notify relevant internal teams, stakeholders and possibly regulatory bodies about the breach and response steps
  • Strengthen defences – Review and update security policies, tools and processes to prevent similar incidents

By following these steps, organisations can respond effectively to IOCs and minimise the impact of a compromise.

FAQs

What are the indicators of compromise?

Indicators of compromise are signs that a system or network may have been breached by unauthorised activity. These can include unusual network traffic, unauthorised logins, changes to system files, unexpected configuration modifications or the presence of malware. IOCs help security teams identify potential threats and act before significant damage occurs.

What are the three types of IOCs?

The three main types of indicators of compromise (IOCs) are:

  • Network-based IOCs – These relate to abnormal network activity, such as unusual traffic patterns or unauthorised access attempts
  • Behavioural IOCs – These reflect suspicious activities or patterns, such as unusual login attempts, processes or system commands that deviate from normal behaviour
  • Host-based IOCs – These relate to indicators specific to individual systems or devices, such as malware detection or unusual process activity

What does IOC mean in cyber security?

In cybersecurity, IOC refers to evidence or signs that indicate a security breach or malicious activity on a network or system. IOCs help identify and respond to potential cyber threats by pointing out unusual or suspicious behaviour, files or network traffic.

What is the difference between indicators of compromise and indicators of attack?

Indicators of compromise are signs that a system has been breached or compromised, such as unusual files, network traffic or system log entries. They help identify past malicious activity. Indicators of attack (IOAs) are signs of an active attack or ongoing malicious behaviour, like specific tactics or techniques used by attackers. IOAs focus on detecting and responding to current threats in real time.

Indicators of compromise and Silobreaker

Silobreaker provides powerful intelligence and insights on security threats to safeguard your business from cyber, physical and geopolitical risks, whenever you need them. Beyond simply identifying IOCs, Silobreaker provides context and analysis, correlating IOCs with other relevant data points, such as threat actor profiles, campaigns and vulnerabilities, to deliver a more complete understanding of the threat landscape. This helps you prioritise IOCs based on their potential impact and risk level for your organisation, enabling you to focus on the most critical threats and allocate resources accordingly.

Silobreaker’s normalised IOC risk scoring presents a consistent and easy-to-understand method to evaluate IOCs, regardless of their source provider. Silobreaker generates a normalised score for IOCs based on risk assessments from various third-party sources like VirusTotal, Domain Tools, Threat Fox, URLhaus and Microsoft Defender Threat Intelligence (MDTI).
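To show what normalising heterogeneous provider verdicts onto one scale involves, here is an added example written for this page; it is not Silobreaker's scoring method, the three report shapes are constructed stand-ins rather than any named provider's real API format, and the weights and the ratio-to-score mapping are assumptions.

```python
# Constructed verdicts for one indicator, in three illustrative report shapes. These are not the
# real response formats of any named provider, and the weights below are assumptions.
VERDICTS = {
    "provider_a": {"malicious": 7, "total": 70},  # engine detection ratio
    "provider_b": {"verdict": "suspicious"},      # categorical verdict
    "provider_c": {"score": 85, "max": 100},      # numeric score on the provider's own scale
}
WEIGHTS = {"provider_a": 2.0, "provider_b": 1.0, "provider_c": 1.0}  # assumed trust per source
CATEGORY_SCORE = {"malicious": 100, "suspicious": 60, "unknown": 20, "benign": 0}

def normalise(report):
    """Map one provider report onto a common 0-100 scale, or None if the shape is unrecognised."""
    if "total" in report:
        # Assumption: a handful of detections is significant even at a low ratio, so the ratio
        # is stretched: 10% of engines flagging scores 50, and 20% or more scores 100.
        if not report["total"]:
            return None
        return min(100.0, 500.0 * report["malicious"] / report["total"])
    if "verdict" in report:
        return float(CATEGORY_SCORE.get(report["verdict"], CATEGORY_SCORE["unknown"]))
    if "score" in report:
        return 100.0 * report["score"] / report["max"]
    return None

def risk_score(verdicts, weights):
    """Weighted mean of the normalised scores, ignoring providers with no usable report.
    Returns (score, per_provider) so an analyst can see which sources drove the result."""
    per_provider = {name: normalise(r) for name, r in verdicts.items()}
    usable = {n: s for n, s in per_provider.items() if s is not None}
    if not usable:
        return None, per_provider
    total_weight = sum(weights.get(n, 1.0) for n in usable)
    score = sum(weights.get(n, 1.0) * s for n, s in usable.items()) / total_weight
    return score, per_provider
```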

Additionally, Silobreaker’s MDTI enrichment enables users to leverage Microsoft’s vast repository of indicator data for domains, subdomains and IP addresses. It also provides quick summary information about the activity of these entities, including first- and last-seen timestamps, domain information, a malicious score and a pivot to any corresponding MDTI reporting. With Silobreaker’s 360 Search, users can apply Microsoft Defender’s rich reputation scoring against indicators of compromise like IP addresses and domains.

Find out more about how the Silobreaker Threat Intelligence Platform can empower your organisation to identify emerging threats and make intelligence-led decisions to safeguard the business from cyber, physical and geopolitical threats, mitigate risks and maximise business value.