What is IOC in Cyber Security?

23.09.2019 Read
What is IOC in Cyber Security?

Indicator of compromise or IOC is a forensic term that refers to the evidence on a device that points out to a security breach. In this article, we discussed how IOC can be useful for your cyber security team.

What is an Indicator of Compromise?

Indicator of compromise or IOC is a forensic term that refers to the evidence on a device that points out to a security breach. The data of IOC is gathered after a suspicious incident, security event or unexpected call-outs from the network. Moreover, it is a common practice to check IOC data on a regular basis in order to detect unusual activities and vulnerabilities. With this practice, it is possible to develop smarter tools that are able to identify and isolate dubious files. Indicators of compromise can also serve as the pieces of information that allow the members of information security and IT teams to detect malignant activity on the network at a rather early stage. Thus, such activities can be ceased before they turn into actual attacks or a compromise, and threaten the whole network. On the other hand, it is not always easy to detect indicators of compromise as they vary in form. They can be logs, metadata, or complex strings of codes. That is why IT professionals and information security teams often try to place the piece of information within the context in order to make sense of it and identify deviations. Moreover, they bring numerous indicators together to find a correlation between them.

What are the Examples of Indicators of Compromise?

There are various indicators of compromise that your IT and information security teams should keep an eye on. Below you can find 15 most prominent indicators of compromise.

  • Anomalies found in Privileged User Activity
  • Red flags found in log-in activity
  • Deviant DNS requests
  • Web traffic with inhuman behavior
  • Unusual activity in outbound network traffic
  • Geographical abnormalities
  • Increased database read volume
  • Unusual HTML response sizes
  • Changes in mobile device profiles
  • Signs of DDoS activity
  • Wrongly placed data bundles
  • Conflicting port-application traffic
  • More requests than usual for the same file
  • Unusual changes in registry and/or system files
  • Abrupt patching of systems

What is the Difference Between Indicators of Compromise and Indicators of Attack?

Indicators of Compromise serve for the detection of security events and compromises whereas indicators of attack serve for the detection of the intent of attacker. In order to successfully contain and cease the attack, it is essential to know what the attacker is trying to accomplish. That is why indicators of attack are important. Indicators of compromise helps the IT professionals and cyber security teams to detect any intrusion but in order to stop that intrusion, your security teams need to know what the attacker is planning. Knowing the next step and intention of the attacker gives security team the upper hand. That is why data gathered by the indicators of compromise should be backed up by indicators of attack.

How Can Indicators of Compromise Be Used to Improve Detection and Response?

Keeping an eye on indicators of compromise allows organizations to perform better in detecting and responding security events. Gathering and correlating IOCs means that your security teams can identify any suspicious activity that could have gone undetected by other security tools. Moreover, with the data provided by indicators of compromise, your security team can make informed decisions faster and more accurately. As a result, they can act on the security issues faster –fast enough to contain them before they spread and cause an irreversible or harmful breach. In order to learn about the features of Logsign security intelligence solution, kindly click on the link below;

A vast library of integrations and free services on demand
See All Integrations
See Logsign Unified SO Platform in action!
Watch Demo