Indicators of Compromise (IoCs) are, as the name suggests, digital clues that may indicate that a system has been compromised. There are a number of specific IoCs that security experts look out for; we will come back to them below.
The definition of an IoC
Indicators of Compromise are specific digital clues that help security specialists identify potential malicious activity in a system or on a network. In this way, IoCs can help IT security professionals detect data breaches, malware and other threats so they can respond to them quickly.
Monitoring potential IoCs can thus be used as a preventive security measure, helping organisations to prevent attacks or reduce the cost of attacks by detecting and stopping them at an early stage.
IoCs can be seen as 'red flags' that can reveal an impending attack, such as one that could lead to a data breach.
This may sound simple enough, but in reality IoCs are not always easy to identify. A single IoC is often ambiguous on its own; it usually takes security experts to identify multiple IoCs and connect them before a potential threat can be deduced from them.
This also means that the work of monitoring and identifying IoCs is done at the professional infosec level, where IT security professionals use advanced technology to scan and analyse huge amounts of data. The most effective approach is thus to combine advanced technology with human resources.
What is an Indicator of Attack?
A concept related to IoC is the Indicator of Attack (IoA). But where IoC refers to clues that indicate that the system has already been compromised, Indicators of Attack focus on indications of an attack while the attack is ongoing.
In other words, IoCs try to understand what happened, while IoAs try to understand what is happening right now and why.
It also means that you need to keep an eye on both IoCs and IoAs if you want the most proactive approach to detecting and identifying potential threats in real time.
Examples of IoCs
Examples of Indicators of Compromise that IT security experts watch out for include:
- Unusual traffic on the network
- Unknown files and applications on the system
- Suspicious activity on administrator accounts
- Irregular activity, including traffic to or from geographic locations with which the organisation has no relationship
- Numerous login attempts, which may indicate brute force
- Unknown changes to system settings
- Data inexplicably found in places it should not be
- Large number of requests for the same file
- Unusual DNS requests
- Traffic from specific IP addresses, e.g. of known threat actors
The list is not exhaustive, but it gives a broad picture of the kinds of digital clues security teams watch for.
There are different approaches to gathering them: IoCs can be collected manually and continuously as they are detected, or in a more systematic way, for example through a threat-intelligence feed.
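To make the correlation idea above concrete, here is a small added example (not from the original article) that runs over constructed sshd-style log lines, flags three of the listed IoCs (numerous login attempts, traffic from a known threat-actor IP, and activity on an administrator account), and links them per source address. The log lines, the known-bad address list and the threshold are all constructed for the illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from any real system), in sshd auth-log style.
SAMPLE_LOG = """\
Mar 10 09:01:02 host sshd[101]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar 10 09:01:03 host sshd[101]: Failed password for root from 198.51.100.7 port 51235 ssh2
Mar 10 09:01:04 host sshd[101]: Failed password for admin from 198.51.100.7 port 51236 ssh2
Mar 10 09:01:05 host sshd[101]: Failed password for admin from 198.51.100.7 port 51237 ssh2
Mar 10 09:01:06 host sshd[101]: Failed password for admin from 198.51.100.7 port 51238 ssh2
Mar 10 09:01:09 host sshd[101]: Accepted password for admin from 198.51.100.7 port 51239 ssh2
Mar 10 09:02:11 host sshd[102]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Mar 10 09:02:30 host sshd[103]: Accepted publickey for bob from 192.0.2.20 port 40002 ssh2
Mar 10 09:03:00 host sshd[104]: Accepted password for root from 203.0.113.45 port 40003 ssh2
"""

# Constructed stand-in for a threat-intelligence feed of known-bad addresses.
KNOWN_BAD_IPS = {"203.0.113.45"}
FAILED_LOGIN_THRESHOLD = 5  # assumed threshold; tune to the environment

LINE_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) \w+ for (\w+) from (\S+) port")


def extract_indicators(log_text, known_bad=KNOWN_BAD_IPS, threshold=FAILED_LOGIN_THRESHOLD):
    """Return {source_ip: [indicator, ...]} for every source IP that tripped at least one IoC."""
    failures = Counter()          # failed logins per source IP
    successes = defaultdict(set)  # users that logged in successfully per source IP
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failures[ip] += 1
        else:
            successes[ip].add(user)
        if ip in known_bad and "known-bad source" not in hits[ip]:
            hits[ip].append("known-bad source")
    for ip, n in failures.items():
        if n >= threshold:
            hits[ip].append(f"brute force: {n} failed logins")
            # Correlation: a success right after a burst of failures is stronger
            # evidence than either indicator on its own.
            if successes.get(ip):
                hits[ip].append("success after brute force (possible account compromise)")
    for ip, users in successes.items():
        if "root" in users:  # activity on an administrator account
            hits[ip].append("interactive root login")
    return dict(hits)
```

Running `extract_indicators(SAMPLE_LOG)` flags 198.51.100.7 for the brute-force burst followed by a successful login, and 203.0.113.45 for both the threat-intel match and the root login, while the single failure from 203.0.113.9 stays below the threshold.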
Why you should monitor IoCs
Monitoring IoCs is an important tool for an organisation that wants to improve its threat preparedness. By identifying IoCs and correlating them, you can identify security incidents more quickly, respond to them and close security gaps, far faster and more effectively than would otherwise be possible. The earlier you detect an attack, the more you can reduce its potential cost.
Using IoCs, security teams can detect recurring patterns and therefore act on them, increasing security accordingly by implementing relevant security tools and updating current security policies. In this way, IoCs can help protect against future attacks and security breaches.
Disadvantages of IoCs
Monitoring IoCs is reactive in nature, meaning that by the time an organisation discovers an IoC, security has already been compromised in most cases.
In addition, cybercriminals and their methods are constantly evolving and, as technology advances, becoming more sophisticated. Therefore, IoCs may also become harder and harder to spot and identify as cybercriminals become better at covering their tracks.
Monitoring IoCs thus has both advantages and disadvantages. What matters most is that the goal is to increase security, and this kind of work is never wasted as long as IoCs are identified effectively and used to patch security holes and catch attacks at an early stage so that costs can be reduced.
IoCs provide important insight into the methods and techniques of cyber criminals, which is also knowledge that can be used preventively in an organisation.
Last but not least, monitoring of IoCs in combination with monitoring of IoAs and, for example, awareness training help to highlight possible threats, which increases the overall cyber hygiene of an organisation.
Emilie Hartmann is a student and copywriter at Moxso, where she is a language nerd and always on the lookout for new and exciting topics to write about. She is currently doing her Master's in English, where she is primarily working in the fields of Creative Writing and Digital Humanities.