// THREAT DETECTION AND DATA PRIVACY TERM

IOC

An Indicator of Compromise (IOC) is a piece of digital evidence that points to a potential security breach on a computer or network. It's like a digital footprint or clue left behind by a malicious attacker.

TECHNICAL DEFINITION

An Indicator of Compromise (IOC) is a forensic artifact or observable evidence in information security that signifies a potential computer intrusion or cyberattack. These threat intelligence data points, such as malicious IP addresses, file hashes (MD5, SHA256), anomalous network traffic, or specific registry keys, are used by security tools like SIEM and EDR for threat detection and incident response.

BACKGROUND

In information security, threat hunting is the process of proactively searching for threats against computer systems in order to protect them. This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandbox and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat. Threat analyst Lesley Carhart stated that there is no consensus amongst practitioners what threat hunting actually entails.

READ MORE ON WIKIPEDIA

SYNONYMS & ALIASES

  • threat indicator
  • compromise artifact
  • security artifact
  • cyber observable
  • forensic data point
  • indicator of attack

USAGE NOTE

IOCs are primarily used reactively in threat hunting and incident response to identify security breaches that have already occurred.

DEVELOPERS

Organizations developing technology related to IOC.

  • CrowdStrike

    A leading endpoint security company whose Falcon platform uses Indicators of Compromise (IOCs) and Indicators of Attack (IOAs) for real-time threat detection, prevention, and response.

  • Palo Alto Networks

    Develops the Cortex XDR platform, which leverages threat intelligence and extensive IOC databases from its Unit 42 research team to detect and respond to threats across network, endpoint, and cloud environments.

  • Recorded Future

    A prominent threat intelligence company that aggregates and analyzes vast amounts of data to produce intelligence feeds rich with IOCs such as malicious IP addresses, domains, and file hashes.

  • Mandiant (Google Cloud)

    An incident response and threat intelligence firm that investigates major cyber breaches, generating high-fidelity IOCs from firsthand forensic analysis which are shared to protect other organizations.

  • Anomali

    Specializes in threat intelligence platforms (TIP) that help organizations aggregate IOCs from various sources and operationalize the intelligence for automated detection and response within their security infrastructure.

  • Splunk

    Provides a Security Information and Event Management (SIEM) platform used by security teams to ingest and analyze machine data, enabling them to hunt for and create alerts based on IOCs across their IT environment.

  • CISA (Cybersecurity and Infrastructure Security Agency)

    A U.S. federal agency that analyzes and shares timely cyber threat information, including validated IOCs, through public alerts and advisories to help organizations defend against malicious campaigns.

  • The MITRE Corporation

    A non-profit research organization that develops the STIX/TAXII standards for sharing threat intelligence and the ATT&CK framework, which provides vital context to IOCs by mapping them to adversary behaviors.

RELATED TERMS IN MILITARY & INTELLIGENCE