Indicators of compromise

(also IOCs, behavioral patterns)

Indicators of compromise definition

Indicators of compromise (IOCs) are pieces of forensic data that can reveal a data breach and show that a network or an endpoint may have been compromised. They are drawn from network traffic, system logs, file hashes, IP addresses, and domain names, the places where attackers tend to leave traces of an intrusion. IOCs help security experts detect malicious activity on a system or network, such as suspicious entries in system logs or suspicious files, and so uncover malware, data breaches, and other threatening behavior. IOCs range from basic metadata components to highly sophisticated malicious code and content snippets, which makes some of them hard to find. To discover a potential threat or incident, security analysts collect IOCs and look for correlations among them.

See also: data breach, anti-phishing service

Indicators of compromise signs

  • A large number of compressed files or data loads in incorrect locations.
  • Strange activity like high spikes in a database.
  • Abnormal activity from privileged or administrative accounts, like requests for more permissions.
  • Changes in settings without the user’s approval.
  • Unknown apps in the system.
  • Increased number of failed login attempts.
  • Strange DNS requests and settings in the registry.
  • Unusual network traffic entering and leaving the system.
  • Geographic abnormalities like traffic from regions where the business isn’t present.
  • Changes in system files.
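As an added example (not code from the original glossary page), the script below shows how two of the indicator types described above are actually checked in practice: atomic IOCs (a malicious IP, domain, or file hash from a threat feed) are matched against parsed log events, and a behavioral IOC (a burst of failed logins against one account) is detected with a sliding time window. The IOC feed, the log format, and every IP, domain, and hash in it are constructed for illustration; `IOC_FEED`, `SAMPLE_LOGS`, and the function names are this example's own, not any product's API.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IOC feed: hypothetical values, not real threat intelligence.
IOC_FEED = {
    "ip": {"203.0.113.45"},
    "domain": {"update-check.example.net"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed sample log lines in a simple "timestamp kind key=value ..." format.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 auth result=fail user=alice src=198.51.100.7
2024-05-01T10:00:02 auth result=fail user=alice src=198.51.100.7
2024-05-01T10:00:03 auth result=fail user=alice src=198.51.100.7
2024-05-01T10:00:04 auth result=fail user=alice src=198.51.100.7
2024-05-01T10:00:05 auth result=fail user=alice src=198.51.100.7
2024-05-01T10:00:06 auth result=ok user=alice src=198.51.100.7
2024-05-01T10:05:00 dns query=update-check.example.net src=10.0.0.12
2024-05-01T10:05:30 net dst=203.0.113.45 src=10.0.0.12 bytes=4096
2024-05-01T10:06:00 file path=/tmp/.cache/svc sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2024-05-01T11:00:00 auth result=fail user=bob src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

# Which event fields carry which kind of atomic IOC.
FIELD_TO_IOC_TYPE = {"src": "ip", "dst": "ip", "query": "domain", "sha256": "sha256"}


def parse_events(text):
    """Turn raw log lines into dicts with a parsed timestamp and event kind."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        fields["kind"] = kind
        events.append(fields)
    return events


def match_atomic_iocs(events, feed=IOC_FEED):
    """Return (timestamp, ioc_type, value) for every field that matches the feed."""
    hits = []
    for ev in events:
        for field, ioc_type in FIELD_TO_IOC_TYPE.items():
            value = ev.get(field)
            if value is not None and value.lower() in feed[ioc_type]:
                hits.append((ev["ts"].isoformat(), ioc_type, value))
    return hits


def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Return (user, src, count) when >= threshold failures fall inside one window."""
    failures = defaultdict(list)
    for ev in events:
        if ev["kind"] == "auth" and ev.get("result") == "fail":
            failures[(ev["user"], ev["src"])].append(ev["ts"])
    bursts = []
    for (user, src), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((user, src, end - start + 1))
                break  # one alert per account/source pair is enough
    return bursts


def triage(text=SAMPLE_LOGS):
    """Run both checks over a log and return the findings for correlation."""
    events = parse_events(text)
    return {
        "ioc_hits": match_atomic_iocs(events),
        "login_bursts": detect_failed_login_bursts(events),
    }


if __name__ == "__main__":
    for name, findings in triage().items():
        print(name, findings)
```

Run on the constructed sample, the atomic check flags the DNS query, the outbound connection, and the dropped file because each matches a feed entry, while the behavioral check flags only `alice` (five failures in four seconds) and not `bob` (a single failure). Correlating the three atomic hits on host `10.0.0.12` with the preceding login burst is the kind of linkage the definition above refers to; the threshold and window are tunable assumptions, not fixed rules.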

Further reading

Ultimate digital security
