// THREAT DETECTION AND DATA PRIVACY TERM

Indicator

An indicator is a piece of evidence on a computer or network that points to a potential security breach. It's like a digital footprint or clue suggesting malicious activity has occurred or is underway.

TECHNICAL DEFINITION

An indicator, often an Indicator of Compromise (IoC) or Indicator of Attack (IoA), is a technical artifact or observable event in an information system used by threat intelligence platforms and security information and event management (SIEM) systems to detect malicious activity. These observables include entities like file hashes (MD5, SHA256), malicious IP addresses, anomalous registry key changes, or specific network traffic patterns identified during forensic analysis or threat hunting.

BACKGROUND

In information security, threat hunting is the process of proactively searching for threats against computer systems in order to protect them. This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandbox and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat. Threat analyst Lesley Carhart stated that there is no consensus amongst practitioners what threat hunting actually entails.

READ MORE ON WIKIPEDIA

SYNONYMS & ALIASES

  • Indicator of Compromise
  • IoC
  • Indicator of Attack
  • IoA
  • Threat Artifact
  • Cyber Observable
  • Signature

USAGE NOTE

Indicators are fundamental data points used in threat intelligence feeds and detection rules to identify and respond to security incidents.

DEVELOPERS

Organizations developing technology related to Indicator.

  • Mandiant (Google Cloud)

    A leading incident response and threat intelligence company that identifies, analyzes, and disseminates Indicators of Compromise (IOCs) discovered during investigations. Their Mandiant Advantage platform provides threat intelligence based on these indicators.

  • CrowdStrike

    Develops the Falcon platform, an endpoint security solution that heavily utilizes both Indicators of Compromise (IOCs) and behavioral Indicators of Attack (IOAs) for real-time threat detection and prevention.

  • Recorded Future

    An intelligence company that provides a platform for collecting, processing, and analyzing vast amounts of data from the internet. It delivers context-rich indicators and threat intelligence to help organizations proactively block threats.

  • Palo Alto Networks

    Through its Unit 42 threat research team and Cortex XDR platform, the company identifies and correlates indicators across network, endpoint, and cloud environments to detect sophisticated attacks.

  • Anomali

    Provides a Threat Intelligence Platform (TIP) that enables organizations to aggregate indicator feeds from numerous sources, enrich the data, and integrate it with security controls for automated threat detection and response.

  • The MITRE Corporation

    A non-profit organization that develops key technologies and standards for the cybersecurity community, including STIX (a language for expressing threat indicators) and TAXII (a protocol for sharing them). Their ATT&CK framework provides context for behavioral indicators.

  • Splunk

    Offers a security information and event management (SIEM) platform used by organizations to ingest threat intelligence feeds containing indicators. The platform correlates these indicators against internal log and event data to identify security threats.

  • ThreatQuotient

    Develops a threat intelligence platform (TIP) and security operations platform designed to help teams manage, understand, and act upon threat data, including technical indicators like IP addresses, domains, and file hashes.

RELATED TERMS IN INCIDENT RESPONSE