In the field of computer security, an Indicator of compromise (IoC) is an object or activity that, observed on a network or on a device, indicates a high probability of unauthorized access to the system — in other words, that the system is compromised. Such indicators are used to detect malicious activity in its early stages as well as to prevent known threats.
Examples of indicators of compromise
The following may be indicators of compromise:
- Unusual DNS lookups,
- Suspicious files, applications, and processes,
- IP addresses and domains belonging to botnets or malware C&C servers,
- A significant number of accesses to one file,
- Suspicious activity on administrator or privileged user accounts,
- An unexpected software update,
- Data transfer over rarely used ports,
- Behavior on a website that is atypical for a human being,
- An attack signature or a file hash of a known piece of malware,
- Unusual size of HTML responses,
- Unauthorized modification of configuration files, registers, or device settings,
- A large number of unsuccessful login attempts.
Identifying and utilizing indicators of compromise
The course of threat analysis helps reveal which factors to associate with a specific threat — what the IoCs for the threat are. For example, if cyberintelligence detects some new malware, it reports IoCs such as file hashes, C&C addresses, and so on.
Later, those indicators of compromise will be used to hunt threats in an organization’s infrastructure. An IoC being detected on a system indicates the system is likely under cyberattack, requiring certain countermeasures.
Indicators of compromise are also added to the databases of passive monitoring tools and antivirus software, which can block intrusion attempts. For example, a security solution can use malware signatures to recognize malware and prevent it from running on a device.
IoCs from the point of view of the average user
Although the concept of indicators of compromise appears most commonly in the context of protecting corporate infrastructures, ordinary users may also encounter them. For example, many Internet services warn account holders about login attempts from an unusual device or from an IP address in another country. Users should take such messages seriously, check the information in them, and, if any of the actions listed look suspicious, promptly change their password.