
Indicator of Compromise


Indicator of Compromise Definition:

An Indicator of Compromise (IoC) is a piece of forensic evidence, observed on a host or on the network, that suggests a system has been breached. IoCs help security teams detect, investigate and respond to potential cyber threats by pinpointing malicious activity or behaviour within an environment.

What is Indicator of Compromise?

IoCs can take many forms, including file hashes of known malware, suspicious IP addresses, domain names used by command-and-control (C2) servers, unusual network traffic patterns, or unexpected changes to system configuration. Security professionals use IoCs to pinpoint potential incidents, correlate events across systems, and establish the extent of a compromise, enabling faster and more accurate responses.

Why is Indicator of Compromise important?

The purpose of identifying and tracking IoCs is to detect signs of compromise early, limit further damage, and establish the nature and scope of an attack. IoCs provide actionable intelligence for security operations teams, enabling them to isolate affected systems, contain attacks, and prevent repeat incidents by recognising the same infrastructure or tooling when it reappears.

How does Indicator of Compromise work?

IoCs originate from incident investigations and threat intelligence feeds, and are detected by matching them against log data, network traffic, and alerts from intrusion detection systems (IDS) and endpoint tooling. Once a match is found, the IoC is used to scope the incident and drive a response, such as isolating affected systems or updating detection rules and blocklists. IoCs are often shared within the cybersecurity community, commonly in structured formats such as STIX, to improve collective defences.

Indicator of Compromise Examples:

Examples of IoCs include a known malicious IP address that internal hosts repeatedly connect to, a file hash matching a previously identified piece of malware, or an unusual spike in outbound network traffic that suggests data exfiltration. Other examples include unexpected changes to system files or the presence of unauthorised software.

Indicator of Compromise Issues:

One challenge with IoCs is their reactive nature: they describe an attack that has already happened somewhere, so they only detect a compromise after the event. Atomic indicators such as file hashes, IP addresses and domain names are also cheap for an attacker to change, so they age quickly and must be refreshed and eventually retired. IoCs may also produce false positives, requiring careful analysis to distinguish legitimate from malicious activity. To improve detection, organisations use IoCs alongside behavioural analysis and machine learning techniques that target attacker tools and techniques, which are harder to change than individual indicators, and which can surface anomalies and emerging threats before an indicator exists for them.
