Understanding Indicators of Compromise
An Indicator of Compromise (IoC) is a piece of digital evidence that a system or network has been, or is being, compromised. IoCs are specific artifacts, patterns, or signatures observed in files, memory, logs, or network traffic that are associated with known malicious activity. Atomic indicators such as hashes, IP addresses, and domains are cheap for an attacker to change between campaigns, so they are most useful for scoping a known incident; behavioral indicators (type 4 below) usually stay useful longer.
Types of IoCs
1. File-Based IoCs
- File hashes: MD5, SHA-1, or SHA-256 digests of malicious files (prefer SHA-256; note that a one-byte change to the file defeats any hash match)
- File paths: Locations where malware is stored or staged (user-writable directories such as AppData or Temp are common)
- File names: Suspicious executable names, including legitimate names used in the wrong location
- File sizes: Unusual sizes for known files
Example: Malware file trojan.exe with hash abc123...
2. Network IoCs
- IP addresses: Attacker command-and-control (C2) servers
- Domain names: Malicious or attacker-registered domains
- URLs: Specific phishing pages or malware download links
- Email addresses: Sender addresses used in phishing, or attacker contact addresses
- Ports: Unusual ports used for C2 or data exfiltration
Example: C2 server at 203.0.113.45:8080
3. Host-Based IoCs
- Registry keys: Modified Windows registry entries (for example, Run keys added for persistence)
- Files created/deleted: Temporary or staging files written by malware
- Process names: Suspicious processes executing, or expected names with unexpected parents or paths
- DLLs loaded: Injected or side-loaded malicious libraries
- Scheduled tasks: Persistence mechanisms
Example: New scheduled task running malware every hour
4. Behavioral IoCs
- Network connections: Suspicious outbound traffic, such as beaconing at regular intervals
- File system changes: Mass file modification or encryption (ransomware)
- System calls: Suspicious API call sequences
- Memory artifacts: Code injection patterns
- Login attempts: Bursts of failed logins indicating brute force or password spraying
Example: Process accessing thousands of files in seconds
Using IoCs for Detection
Incident Investigation Workflow
- Detect incident: Malware discovered on a host
- Extract IoCs: Hashes, file paths, domains, IPs, persistence artifacts
- Search systems: Look for these IoCs across the infrastructure (EDR telemetry, SIEM logs, DNS and proxy logs)
- Identify systems: Which systems contain these IoCs?
- Investigate further: What else did the attacker do? Each newly found system can yield additional IoCs, so the search is repeated until no new ones appear
- Incident response: Isolate, remediate, recover
- Improve defenses: Block these IoCs going forward, and turn the observed behavior into detection rules that survive the attacker rotating hashes or domains
IoC Search Example
Scenario: Ransomware detected on one machine
IoCs extracted:
- File hash: 5a7f6b8d9c2e1f4a...
- File path: C:\Users\<username>\AppData\Roaming\malware.exe
- C2 domain: malicious-domain.com
- Process name: svchost.exe running from the user's AppData directory instead of C:\Windows\System32
Search across infrastructure:
- Find all systems with this file hash
- Find all systems that resolved or contacted that domain
- Find all systems where svchost.exe runs from a location other than C:\Windows\System32
- Identify all compromised systems from the combined matches, and treat each one as compromised until investigated
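The workflow and the ransomware search scenario above, carried through as an added example written for this page (not a tool from the original article or any vendor). It searches constructed, simplified EDR-style events (process executions, DNS queries, outbound connections) for each kind of IoC listed earlier: a file hash, a C2 domain, a C2 IP:port, and the behavioral indicator of a system process name running outside C:\Windows\System32. Host names, the placeholder hash, and every event are made up.

```python
"""Added example for this page: search constructed host telemetry for extracted IoCs.
Not code from the original article or any vendor. Hosts, hashes, paths, domains,
and every event below are made up; the SHA-256 value is a placeholder."""
from collections import defaultdict

# --- IoCs extracted from the first compromised machine (constructed placeholders) ---
IOC_HASHES = {"5a7f6b8d9c2e1f4a" + "0" * 48}      # 64 hex chars, SHA-256 length
IOC_DOMAINS = {"malicious-domain.com"}
IOC_C2_ENDPOINTS = {("203.0.113.45", 8080)}
# Behavioral/host IoC: a Windows system process name running outside the system directories.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe"}
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# --- Constructed, simplified EDR-style telemetry: one dict per event ---
EVENTS = [
    {"host": "WS-001", "type": "process", "image": "C:\\Windows\\System32\\svchost.exe",
     "sha256": "a" * 64},
    {"host": "WS-001", "type": "process",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
     "sha256": "5a7f6b8d9c2e1f4a" + "0" * 48},
    {"host": "WS-002", "type": "dns", "query": "updates.example.com"},
    {"host": "WS-002", "type": "dns", "query": "MALICIOUS-DOMAIN.COM"},
    {"host": "WS-003", "type": "netconn", "dst_ip": "203.0.113.45", "dst_port": 8080},
    {"host": "WS-004", "type": "process", "image": "C:\\Windows\\System32\\lsass.exe",
     "sha256": "b" * 64},
    {"host": "WS-005", "type": "dns", "query": "mail.malicious-domain.com"},
    {"host": "WS-006", "type": "dns", "query": "notmalicious-domain.com"},  # must NOT match
]


def domain_matches(query, ioc_domains):
    """True if the query equals an IoC domain or is a subdomain of one (case-insensitive)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in ioc_domains)


def suspicious_system_process(image):
    """Flag a known system process name that runs from outside the Windows system dirs."""
    lower = image.lower()
    name = lower.rsplit("\\", 1)[-1]
    return name in SYSTEM_PROCESS_NAMES and not lower.startswith(LEGIT_SYSTEM_DIRS)


def scan(events, hashes=IOC_HASHES, domains=IOC_DOMAINS, c2=IOC_C2_ENDPOINTS):
    """Return {host: sorted list of matched IoC descriptions} over the event stream."""
    hits = defaultdict(set)
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            if ev.get("sha256", "").lower() in hashes:
                hits[host].add("file-hash:" + ev["sha256"][:16])
            if suspicious_system_process(ev["image"]):
                hits[host].add("masquerade:" + ev["image"])
        elif ev["type"] == "dns" and domain_matches(ev["query"], domains):
            hits[host].add("dns:" + ev["query"].lower())
        elif ev["type"] == "netconn" and (ev["dst_ip"], ev["dst_port"]) in c2:
            hits[host].add(f"c2:{ev['dst_ip']}:{ev['dst_port']}")
    return {h: sorted(v) for h, v in hits.items()}


if __name__ == "__main__":
    for host, matched in sorted(scan(EVENTS).items()):
        print(host, matched)
```

Two details matter in practice: domain matching must test for an exact match or a subdomain boundary (a plain substring check would also flag notmalicious-domain.com on WS-006), and the masquerading check keys on the process image path rather than the name alone, which is why the legitimate svchost.exe on WS-001 is not flagged while the copy in AppData is.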
Common IoC Sources
Threat Intelligence:
- CISA alerts
- Vendor threat reports
- Dark web monitoring
- Security research
- Law enforcement tips
Internal Detection:
- Antivirus detections
- EDR alerts
- Network monitoring
- Forensic analysis
- User reports
IoC Management
Best practices:
- Centralize IoC collection
- Share with team
- Automate detection rules
- Regular updates, including expiring stale IoCs that no longer indicate anything (for example, a C2 IP address that has since been reassigned)
- Archive historical IoCs
Tools:
- MISP (Malware Information Sharing Platform), an open-source platform for storing and sharing IoCs
- OpenIOC, an XML format for describing IoCs
- STIX/TAXII, the standard threat intelligence format (STIX) and the protocol for exchanging it (TAXII)
- Commercial threat intel platforms
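IoC management in practice starts with normalizing what arrives from reports, alerts, and mailing lists, which is rarely in a consistent form: hashes come in mixed case, domains and URLs are defanged (malicious-domain[.]com, hxxp://), and the same indicator appears several times. The following added example (written for this page; not MISP, the stix2 library, or vendor code) normalizes a constructed raw list, drops entries that are not valid IoCs, deduplicates, and emits STIX 2.1 indicator objects of the kind a platform such as MISP or a TAXII server ingests. The sample input and the hash value are placeholders.

```python
"""Added example for this page: normalize a raw IoC list and package it as STIX 2.1
indicators for sharing (for example via MISP or a TAXII server). Not MISP, stix2, or
vendor code. The sample input and the hash value are constructed placeholders."""
import json
import re
import uuid
from datetime import datetime, timezone

HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

# Constructed input in the mixed, defanged form IoCs usually arrive in.
SAMPLE_RAW_IOCS = [
    "malicious-domain[.]com",
    "MALICIOUS-DOMAIN.COM",                       # duplicate of the first, different case
    "hxxp://malicious-domain[.]com/payload.exe",  # defanged URL
    "203.0.113.45",
    "999.1.1.1",                                  # not a valid IPv4 address
    "5A7F6B8D9C2E1F4A" + "0" * 48,                # SHA-256 length, upper case
    "not an ioc",
]


def refang(value):
    """Undo common defanging used in reports: hxxp://, [.] and (.) for dots, [:] for colons."""
    v = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(raw):
    """Return (ioc_type, normalized_value), or None if the input is not a usable IoC."""
    v = refang(raw)
    lower = v.lower()
    if lower.startswith(("http://", "https://")):
        return "url", v
    if re.fullmatch(r"[0-9a-f]+", lower) and len(lower) in HASH_LENGTHS:
        return HASH_LENGTHS[len(lower)], lower
    m = IPV4_RE.match(v)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        return "ipv4", v
    if DOMAIN_RE.match(lower):
        return "domain", lower
    return None


def stix_pattern(ioc_type, value):
    """STIX 2.1 comparison expression for one indicator."""
    if ioc_type in ("MD5", "SHA-1", "SHA-256"):
        return f"[file:hashes.'{ioc_type}' = '{value}']"
    if ioc_type == "ipv4":
        return f"[ipv4-addr:value = '{value}']"
    if ioc_type == "domain":
        return f"[domain-name:value = '{value}']"
    return f"[url:value = '{value}']"


def to_stix_bundle(raw_iocs, now=None):
    """Classify, deduplicate, and wrap IoCs into a STIX 2.1 bundle (as a dict)."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    seen, objects = set(), []
    for raw in raw_iocs:
        ioc = classify(raw)
        if ioc is None or ioc in seen:
            continue
        seen.add(ioc)
        ioc_type, value = ioc
        objects.append({
            "type": "indicator",
            "spec_version": "2.1",
            # Deterministic id: the same IoC always maps to the same indicator object.
            "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, f"{ioc_type}:{value}")),
            "created": ts,
            "modified": ts,
            "name": f"{ioc_type} {value}",
            "indicator_types": ["malicious-activity"],
            "pattern": stix_pattern(ioc_type, value),
            "pattern_type": "stix",
            "valid_from": ts,
        })
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


if __name__ == "__main__":
    print(json.dumps(to_stix_bundle(SAMPLE_RAW_IOCS), indent=2))
```

Indicator ids are derived with uuid5 from the type and normalized value, so re-running the script on an updated list yields the same id for the same IoC; that is what lets the receiving platform update or expire an existing indicator instead of accumulating duplicates, since STIX consumers treat a different id as a different object.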
Conclusion
IoCs are digital fingerprints of attacks. By systematically collecting, managing, and searching for IoCs, organizations can quickly identify compromised systems, contain incidents, and improve defenses.