Inside Zone: Indicator of Compromise (IoC)
An indicator of compromise (IoC) is an observable artifact that points with high probability to unauthorized access to a system, in other words, to the system being compromised. Such indicators serve two purposes: detecting malicious activity early and blocking threats that are already known.
Examples of indicators of compromise
A compromise may be indicated by the following:
- Unusual DNS lookups,
- Suspicious files, applications, and processes,
- IP addresses and domains belonging to botnets or malware C&C servers,
- A significant number of accesses to one file,
- Suspicious activity on administrator or privileged user accounts,
- An unexpected software update,
- Data transfer over rarely used ports,
- Behavior on a website that is atypical for a human being,
- An attack signature or a file hash of a known piece of malware,
- Unusually sized HTML responses,
- Unauthorized modification of configuration files, registry entries, or device settings,
- A large number of unsuccessful login attempts.
Utilizing indicators of compromise to identify and prevent compromises
Threat analysis identifies the IoCs associated with a specific threat, that is, which observable factors to look for. Cyber threat intelligence, for instance, reports IoCs such as file hashes and C&C addresses when it detects new malware.
The company’s infrastructure is then monitored for these indicators of compromise. If an IoC is detected on a system, that system is likely under cyberattack and requires appropriate countermeasures.
These indicators are also added to databases of passive monitoring tools and antivirus software, which can block intrusion attempts.
Using malware signatures, a security solution can detect and prevent malware from running on a device.
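As an added example (not from the original article), the following Python script puts the process described above into code: it loads a small constructed IoC feed of the kind a threat-intelligence report would publish (file hashes, C&C domains and IP addresses), matches it against constructed DNS, process, connection and authentication log lines, and also counts failed logins per account to catch the "large number of unsuccessful login attempts" indicator from the list earlier on the page. Every hash, domain, address and log line is constructed for illustration; the `kind key=value` log format and its field names are assumptions, not a real product's schema.

```python
"""Matching a small threat-intelligence IoC feed against sample telemetry.

Added example, not part of the original article. The IoC feed, the log
lines and the hash values are constructed for illustration and do not
refer to real malware or real infrastructure.
"""
import hashlib
import re
from collections import Counter, defaultdict

# Constructed "known malware" hash: the hash of a made-up payload, so the
# example is self-contained and no real sample hash is needed.
MALICIOUS_HASH = hashlib.sha256(b"constructed malicious payload").hexdigest()
BENIGN_HASH = hashlib.sha256(b"constructed benign binary").hexdigest()

# Constructed IoC feed in the shape threat intelligence would provide:
# atomic indicators that can be matched by exact lookup.
IOC_FEED = {
    "sha256": {MALICIOUS_HASH},
    "domains": {"update-check.example.invalid", "cdn-sync.example.invalid"},
    "ips": {"203.0.113.45", "198.51.100.7"},
}

# Behavioural indicator from the article's list: many failed logins on one
# account. The threshold is an assumption; tune it to the environment.
FAILED_LOGIN_THRESHOLD = 5

# Constructed log lines, one event per line: DNS queries, process starts
# (with the executable's hash), outbound connections and logon results.
SAMPLE_LOGS = [
    "dns host=ws-07 query=intranet.corp.example",
    "dns host=ws-07 query=update-check.example.invalid",
    "proc host=ws-07 path=C:\\Users\\a\\AppData\\svc.exe sha256=" + MALICIOUS_HASH,
    "proc host=ws-12 path=C:\\Windows\\System32\\notepad.exe sha256=" + BENIGN_HASH,
    "conn host=ws-07 dst=203.0.113.45 port=4444",
    "conn host=ws-12 dst=192.0.2.10 port=443",
] + ["auth host=srv-01 user=admin result=fail"] * 6 + [
    "auth host=srv-01 user=alice result=fail",
    "auth host=srv-01 user=alice result=success",
]


def parse(line):
    """Split 'kind key=value key=value ...' into (kind, {key: value})."""
    kind, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    return kind, fields


def match_iocs(lines, feed=IOC_FEED, threshold=FAILED_LOGIN_THRESHOLD):
    """Return a list of (host, indicator_type, value) hits.

    Atomic IoCs (hash, domain, IP) are matched by exact set lookup. The
    failed-login indicator is behavioural, so it is counted per host and
    user across the whole batch and only reported once the threshold is hit.
    """
    hits = []
    failed = Counter()
    for line in lines:
        kind, f = parse(line)
        host = f.get("host", "unknown")
        if kind == "dns" and f.get("query") in feed["domains"]:
            hits.append((host, "c2_domain", f["query"]))
        elif kind == "proc" and f.get("sha256") in feed["sha256"]:
            hits.append((host, "malware_hash", f["sha256"]))
        elif kind == "conn" and f.get("dst") in feed["ips"]:
            hits.append((host, "c2_ip", f["dst"]))
        elif kind == "auth" and f.get("result") == "fail":
            failed[(host, f.get("user", "unknown"))] += 1
    for (host, user), count in failed.items():
        if count >= threshold:
            hits.append((host, "failed_logins", f"{user}:{count}"))
    return hits


def hosts_to_triage(hits):
    """Group hits by host so a responder sees which systems need attention."""
    by_host = defaultdict(list)
    for host, kind, value in hits:
        by_host[host].append((kind, value))
    return dict(by_host)


if __name__ == "__main__":
    for host, items in hosts_to_triage(match_iocs(SAMPLE_LOGS)).items():
        print(host, items)
```

Running the script flags ws-07 on three independent indicators (a C&C domain lookup, a known-malware hash and a connection to a C&C address) and srv-01 for six failed logins on one account, while ws-12 and the single failed login for alice stay below the bar. In practice the feed would be refreshed from the intelligence source and the same matches would also be pushed to the blocklists of the monitoring tools and antivirus mentioned above.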
Thanks for reading!