Indicators of Compromise (IOC) — Observable Evidence of Malicious Activity
Indicators of Compromise (IOCs) are observable artifacts that suggest a system may have been breached. This SECMONS glossary entry explains what IOCs are, common IOC types, how they are used in detection and threat intelligence, and their limitations in modern defense.
What Are Indicators of Compromise (IOCs)? 🧠
Indicators of Compromise (IOCs) are forensic artifacts or observable data points that indicate a system, network, or account may have been involved in malicious activity.
IOCs are commonly used in:
- Incident response investigations
- Threat intelligence reporting
- Malware analysis
- Detection engineering
- Security monitoring
They often appear in research published under /research/ and are tied to campaigns conducted by specific /glossary/threat-actor/ groups.
Common Types of IOCs 🔎
IOCs can include:
| Type | Example |
|---|---|
| File Hashes | SHA256 of malicious executable |
| IP Addresses | Known malicious C2 infrastructure |
| Domain Names | Phishing or malware delivery domains |
| URLs | Exploit kit landing pages |
| Registry Keys | Persistence-related entries |
| File Paths | Malware installation locations |
| Email Headers | Suspicious sender infrastructure |
Many IOCs are associated with stages such as:
How IOCs Are Used 🎯
Security teams use IOCs to:
- Detect known malicious activity
- Block known infrastructure
- Search historical logs for compromise
- Correlate incidents across environments
- Validate suspected breaches documented under /breaches/
When a vulnerability listed under /vulnerabilities/ is confirmed as /glossary/exploited-in-the-wild/, IOCs often emerge shortly after public reporting.
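The table of IOC types above and the uses listed in this section (detection, blocking, historical log search) come together in a small matcher. The following is an added example written for this glossary entry, not code from SECMONS or from any product it references. It takes a constructed, partly defanged IOC feed (every value is made up: RFC 5737 test addresses, a `.test` domain, a repeated-pattern hash), classifies and normalizes each entry by type, then scans constructed proxy and EDR log lines and reports which IOC was seen on which line. Subdomains of a listed domain are matched as well, since a feed entry for `example.test` should also catch `update.example.test`.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed IOC feed in the mixed, partly defanged form that intel reports use.
# None of these values is a real indicator; the hash is an obvious filler pattern.
MALICIOUS_SHA256 = "deadbeef" * 8
IOC_FEED = [
    "hxxps://update[.]malicious-example[.]test/stage2.bin",              # URL
    "malicious-example[.]test",                                         # domain
    "203.0.113.45",                                                     # C2 IP
    MALICIOUS_SHA256.upper(),                                           # file hash
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updsvc",  # persistence key
]

HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def refang(value: str) -> str:
    """Undo common defanging so the IOC matches what actually appears in logs."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.I)

def classify(raw: str):
    """Return (ioc_type, normalized_value) for one feed entry."""
    v = refang(raw)
    if HASH_RE.match(v):
        return HASH_KIND[len(v)], v.lower()
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if re.match(r"^https?://", v, re.I):
        p = urlparse(v)  # lowercase scheme and host only; URL paths are case-sensitive
        return "url", p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()).geturl()
    if DOMAIN_RE.match(v):
        return "domain", v.lower()
    if v.upper().startswith(("HKLM\\", "HKCU\\", "HKEY_")):
        return "registry", v.lower()
    return "unknown", v

def build_index(feed):
    """Group normalized IOC values by type for O(1) lookups during scanning."""
    index = {}
    for raw in feed:
        kind, value = classify(raw)
        index.setdefault(kind, set()).add(value)
    return index

# Token extractors for raw log text, one per IOC type.
TOKEN_RES = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "hash": re.compile(r"\b(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\b", re.I),
    "url": re.compile(r"https?://[^\s\"']+", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,63}\b", re.I),
    "registry": re.compile(r"HK(?:LM|CU|EY_[A-Z_]+)\\[^\s\"']+", re.I),
}

def scan_logs(lines, index):
    """Return sorted (line_no, ioc_type, ioc_value) hits for every indexed IOC seen in the lines."""
    hits = set()
    for n, line in enumerate(lines):
        for ip in TOKEN_RES["ip"].findall(line):
            if ip in index.get("ip", ()):
                hits.add((n, "ip", ip))
        for h in TOKEN_RES["hash"].findall(line):
            kind = HASH_KIND[len(h)]
            if h.lower() in index.get(kind, ()):
                hits.add((n, kind, h.lower()))
        for u in TOKEN_RES["url"].findall(line):
            norm = classify(u)[1]
            if norm in index.get("url", ()):
                hits.add((n, "url", norm))
        for d in TOKEN_RES["domain"].findall(line):
            labels = d.lower().split(".")
            for i in range(len(labels) - 1):        # check each parent domain too
                candidate = ".".join(labels[i:])
                if candidate in index.get("domain", ()):
                    hits.add((n, "domain", candidate))
                    break
        for k in TOKEN_RES["registry"].findall(line):
            if k.lower() in index.get("registry", ()):
                hits.add((n, "registry", k.lower()))
    return sorted(hits)

# Constructed log lines: one proxy session to the listed infrastructure, two EDR
# events from the same host, and one benign proxy session that must not match.
SAMPLE_LOGS = [
    '2024-05-01T10:02:11Z proxy src=10.0.0.15 dst=203.0.113.45 host=update.malicious-example.test '
    'url="https://update.malicious-example.test/stage2.bin" status=200',
    '2024-05-01T10:02:13Z edr host=WS-042 event=file_create '
    'path="C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.bin" sha256=' + MALICIOUS_SHA256,
    '2024-05-01T10:02:14Z edr host=WS-042 event=reg_set '
    'key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updsvc" value="C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.bin"',
    '2024-05-01T10:05:00Z proxy src=10.0.0.22 dst=198.51.100.7 host=www.example.com '
    'url="https://www.example.com/index.html" status=200',
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, build_index(IOC_FEED)):
        print(hit)
```

Running it prints one hit per (line, IOC) pair: the proxy line matches on IP, domain and URL at once, the EDR lines match on hash and registry key, and the benign session produces nothing. In a real pipeline the same normalization step is what keeps a feed's `hxxp://` and `[.]` notation from silently failing to match the log fields it was meant to catch.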
IOC vs TTP 🔄
| Concept | Focus |
|---|---|
| IOC | Specific observable artifact |
| TTP (Tactics, Techniques, and Procedures) | Behavioral patterns |
| Signature | Detection rule |
| Exploit | Technical vulnerability abuse |
IOCs are concrete and actionable but may become obsolete quickly if attackers rotate infrastructure.
Limitations of IOC-Based Detection ⚠️
While useful, IOCs have constraints:
- Easily changed by attackers
- Reactive rather than proactive
- May not detect novel variants
- Require constant updates
- Often tied to known campaigns only
Modern detection strategies increasingly combine IOC matching with behavioral analysis and anomaly detection.
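Two of the limitations above, that IOCs are easily changed and require constant updates, are usually handled by giving each indicator an age and a confidence and letting those decide whether it is pushed to a blocklist or kept only for retrospective log searches. The following is an added example for this entry, not SECMONS code; the per-type maximum ages and the confidence threshold are illustrative assumptions, not a standard, and every IOC record is constructed. It triages a feed into an auto-block set and a hunt-only set, and shows how a re-sighting from a new feed refreshes a stale indicator.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed maximum useful age per IOC type (illustrative values for this example):
# network infrastructure is rotated quickly, while a file hash stays valid for
# as long as that sample circulates.
MAX_AGE_DAYS = {"ip": 14, "url": 30, "domain": 60, "sha256": 365}

@dataclass(frozen=True)
class Ioc:
    kind: str
    value: str
    last_seen: datetime
    confidence: int     # 0-100, as assigned by the feed
    source: str

def is_blockable(ioc: Ioc, now: datetime, min_confidence: int = 70) -> bool:
    """True only when the IOC is fresh and confident enough to block on automatically."""
    age = now - ioc.last_seen
    if age < timedelta(0):   # last_seen in the future: clock skew or bad feed data
        return False
    return ioc.confidence >= min_confidence and age <= timedelta(days=MAX_AGE_DAYS.get(ioc.kind, 0))

def triage(iocs, now):
    """Split a feed into an auto-block list and a hunt-only list (historical log search)."""
    block, hunt = [], []
    for ioc in iocs:
        (block if is_blockable(ioc, now) else hunt).append(ioc)
    return block, hunt

def merge_update(current, update):
    """Refresh a store: a re-sighting extends last_seen and keeps the higher confidence."""
    store = {(i.kind, i.value): i for i in current}
    for u in update:
        old = store.get((u.kind, u.value))
        if old is None:
            store[(u.kind, u.value)] = u
        else:
            store[(u.kind, u.value)] = Ioc(u.kind, u.value,
                                           max(old.last_seen, u.last_seen),
                                           max(old.confidence, u.confidence), u.source)
    return list(store.values())

# Constructed feed and evaluation time; values are made up for this example.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FEED = [
    Ioc("ip", "203.0.113.45", datetime(2024, 4, 1, tzinfo=timezone.utc), 95, "vendor-a"),   # 61 days old: stale for an IP
    Ioc("domain", "malicious-example.test", datetime(2024, 5, 20, tzinfo=timezone.utc), 90, "vendor-a"),
    Ioc("sha256", "deadbeef" * 8, datetime(2023, 9, 1, tzinfo=timezone.utc), 100, "vendor-b"),   # old, but hashes age slowly
    Ioc("url", "https://update.malicious-example.test/stage2.bin",
        datetime(2024, 5, 30, tzinfo=timezone.utc), 40, "osint"),   # fresh but low confidence
]

if __name__ == "__main__":
    block, hunt = triage(FEED, NOW)
    print("block:", [i.value for i in block])
    print("hunt :", [i.value for i in hunt])
    resight = Ioc("ip", "203.0.113.45", datetime(2024, 5, 31, tzinfo=timezone.utc), 80, "vendor-c")
    block, _ = triage(merge_update(FEED, [resight]), NOW)
    print("after refresh, block:", [i.value for i in block])
```

The stale C2 address and the low-confidence URL land in the hunt-only set: still worth searching retained logs for, but not worth an automatic firewall rule. After a second feed reports the same address a day before evaluation, the merge extends its `last_seen` and it becomes blockable again, which is the update loop the section's "require constant updates" point refers to.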
Defensive Considerations 🛡️
Effective IOC usage requires:
- Centralized log aggregation
- Automated threat intelligence feeds
- Continuous monitoring
- Historical log retention
- Rapid blocking capabilities
- Integration with SIEM and EDR platforms
Operational detection strategies are often documented under:
Why SECMONS Treats IOCs as Intelligence Building Blocks 📌
IOCs provide actionable visibility into real-world activity.
However, they must be interpreted within broader context — including threat actor profiling, campaign analysis, and vulnerability exploitation trends.
IOCs are indicators, not conclusions.
Authoritative References 📎
- MITRE ATT&CK Framework: https://attack.mitre.org/
- CISA Incident Response Resources: https://www.cisa.gov/