Indicators of Compromise

You should block known indicators of compromise. Indicators of Compromise (IOCs) are pieces of contextual information used to alert on past or ongoing cyberattacks, network breaches, or malware infections.[^1] They are typically artifacts, or digital footprints, showing that some malicious activity has occurred.[^1] Common IOCs include malicious IP addresses, URLs, domains, and file hashes.[^1] On their own, IOCs lack the context needed to secure a breach.[^1] Other IOCs are changes in network traffic and identity and access management anomalies.[^1]

IOCs may include known bad IP addresses, malicious hash values, domains, network artifacts, multiple failed logins, etc.[^1] Proper IOC identification can stop late-stage attacks.[^1] IOC monitoring can also drive automated response plans so that cybersecurity teams do not become overloaded. Indicators can include unusual network traffic, geographic irregularities, unknown applications, unusual activity from admin or privileged accounts, an uptick in failed logins, increased database read volume, large numbers of requests for the same file, unusual registry or DNS configuration changes, and compressed files or data bundles in unusual locations.[^2] Indicators of Compromise are used to determine whether a cyber incident occurred.[^3] IOCs are tools for research and investigation. They should fill in knowledge gaps in an intrusion analysis and can be used to tie what you observe to what other people have observed. Indicators of Compromise expire very quickly and can be specific to the victim.
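An added example (not from the sources cited here) of how IOC matching and one behavioural indicator, the failed-login uptick, can be run over log events. The IOC values, the event field names (`dst_ip`, `dst_domain`, `file_sha256`) and the expiry dates are all constructed placeholders; the expiry check reflects the point above that indicators go stale quickly.

```python
from datetime import datetime, timedelta, timezone

# Constructed IOC set: value -> last date the indicator is considered valid.
# These are placeholder values, not real indicators.
IOCS = {
    "ip":     {"203.0.113.7": "2025-01-15"},
    "domain": {"bad.example": "2025-01-15"},
    "sha256": {"a" * 64: "2025-01-05"},   # already expired relative to NOW below
}

# Event field that each IOC type is matched against (assumed log schema).
FIELDS = (("ip", "dst_ip"), ("domain", "dst_domain"), ("sha256", "file_sha256"))

def indicator_active(expires: str, now: datetime) -> bool:
    """Stale IOCs still inform an investigation but should not drive blocking."""
    return now.date() <= datetime.strptime(expires, "%Y-%m-%d").date()

def match_event(event: dict, now: datetime, iocs=IOCS) -> list:
    """Return (type, value, active) for every IOC the event's fields hit."""
    hits = []
    for ioc_type, field in FIELDS:
        value = event.get(field)
        if value in iocs[ioc_type]:
            hits.append((ioc_type, value, indicator_active(iocs[ioc_type][value], now)))
    return hits

def failed_login_uptick(events: list, window: timedelta, threshold: int, now: datetime) -> dict:
    """Users whose failed logins inside the window reach the threshold."""
    counts = {}
    for e in events:
        if e.get("event") == "login_failed" and now - e["ts"] <= window:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}

# Constructed sample events relative to a fixed clock so the run is reproducible.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"ts": NOW - timedelta(minutes=1), "event": "conn", "dst_ip": "203.0.113.7"},
    {"ts": NOW - timedelta(minutes=2), "event": "dns",  "dst_domain": "benign.example"},
    {"ts": NOW - timedelta(minutes=3), "event": "file", "file_sha256": "a" * 64},
] + [{"ts": NOW - timedelta(seconds=10 * i), "event": "login_failed", "user": "svc-backup"}
     for i in range(6)]

if __name__ == "__main__":
    for ev in EVENTS[:3]:
        print(ev["event"], match_event(ev, NOW))
    print(failed_login_uptick(EVENTS, timedelta(minutes=5), 5, NOW))
```

The hash match reports `active=False` because its expiry has passed, which is the cue to treat it as investigative context rather than an automatic block.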

[[Identifying IOCs]]
[[Indicators of Attack]] – similar
[[Antivirus Software]] – is designed to detect IOCs
[[Cyber Threat Hunting]] – threat hunters look for indicators of compromise

Backlinks

[[Cybersecurity]]
DNS
[[Hash Function]]
IP Addresses

Sources

[1] “What are Indicators of Compromise (IOCs)? | Rapid7.” Accessed: Jan. 01, 2025. [Online]. Available: https://www.rapid7.com/fundamentals/indicators-of-compromise-iocs/#
[2] “Indicators of Compromise (IOC) Security,” CrowdStrike.com. Accessed: Jan. 01, 2025. [Online]. Available: https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/indicators-of-compromise-ioc/
[3] CyberwireDaily