Definition
An indicator of compromise (IoC) is forensic data, such as a file hash or system log entry, that suggests potential or confirmed malicious activity on a network or system.
IoCs prove that a cybersecurity breach has occurred or is currently in progress. They are used in forensics, incident response, and malware defense to understand the threat environment better and boost an organization’s defenses.
Examples of Indicators of Compromise
- Suspicious IP addresses: Communications with a known malicious IP address may suggest the system has been compromised.
- File hash: A distinct identifier assigned to a file flagged as malicious.
- Anomalous login activity: Several failed login attempts, especially at odd hours, could indicate suspicious activity.
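As an added illustration (not part of the original page), the following Python script checks constructed log lines against the three indicator types listed above: a known-bad IP address, a known-bad file hash, and a burst of failed logins at odd hours. The IoC feed values and the log lines are made up for the example; the IP ranges used are documentation ranges.

```python
import hashlib
from collections import Counter
from datetime import datetime

# Constructed IoC feed (hypothetical values; 203.0.113.0/24 is a documentation range).
MALICIOUS_IPS = {"203.0.113.45"}
MALICIOUS_SHA256 = {hashlib.sha256(b"constructed malicious sample").hexdigest()}

# Constructed log lines in the form "<ISO timestamp>|<event>|<value>".
SAMPLE_LOGS = "\n".join([
    "2024-03-01T02:10:05|net_conn|203.0.113.45",
    "2024-03-01T02:11:15|file_exec|" + next(iter(MALICIOUS_SHA256)),
    "2024-03-01T03:00:01|login_fail|alice",
    "2024-03-01T03:00:09|login_fail|alice",
    "2024-03-01T03:00:20|login_fail|alice",
    "2024-03-01T09:15:00|net_conn|198.51.100.7",   # not on the feed: no finding
    "2024-03-01T14:02:00|login_fail|bob",          # single daytime failure: no finding
    "2024-03-01T14:03:00|login_ok|bob",
])

def parse_logs(text):
    """Parse 'timestamp|event|value' lines into (datetime, event, value) tuples."""
    events = []
    for line in text.splitlines():
        ts, event, value = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), event, value))
    return events

def find_iocs(events, bad_ips, bad_hashes, odd_hours=range(0, 6), fail_threshold=3):
    """Return (kind, detail) findings: direct IoC matches plus the login anomaly."""
    findings = []
    odd_hour_failures = Counter()
    for ts, event, value in events:
        if event == "net_conn" and value in bad_ips:
            findings.append(("suspicious_ip", value))
        elif event == "file_exec" and value in bad_hashes:
            findings.append(("malicious_hash", value))
        elif event == "login_fail" and ts.hour in odd_hours:
            odd_hour_failures[value] += 1
    # The login indicator is behavioural: only repeated failures in odd hours are flagged.
    for user, n in odd_hour_failures.items():
        if n >= fail_threshold:
            findings.append(("anomalous_login", f"{user}:{n} failures in odd hours"))
    return findings

if __name__ == "__main__":
    for kind, detail in find_iocs(parse_logs(SAMPLE_LOGS), MALICIOUS_IPS, MALICIOUS_SHA256):
        print(kind, detail)
```

A hit means the indicator was observed, not that the host is confirmed compromised; an analyst still validates each finding, which is why the false-positive caveat below matters.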
Pros and Cons of Indicators of Compromise
Pros
- IoCs help to detect potential threats early
- IoCs help to prevent further breaches by guiding security actions and responses
Cons
- Some IoCs can produce false positives
- IoCs provide insights into known threats but might be ineffective against new or unknown attack methods