Optiv Cybersecurity Dictionary

What is an Indicator of Compromise (IOC)?

Indicators of compromise (IOCs) are clues to compromise (pieces of forensic data, system log entries or files) that can be considered unusual and may identify potentially malicious activity on a system or network.

 

Virus signatures and IP addresses, MD5 hashes of malware files or URLs, or domain names of botnet command and control servers are some classic IOCs. Some include unusual outbound network traffic, anomalies in privileged user account activity, and others log in red flags (to accounts that don't exist, or after hours), swells in database read volume, HTML response sizes (if SQL injection is used to extract data), large numbers of requests for the same file (indicating trial and error), mismatched port-application traffic (unusual ports), suspicious registry or system file changes, DNS request anomalies (large spikes), and geographical irregularities.


Contact Us