What Are Indicators of Compromise (IOCs) and Why Do They Matter?


This article is an excerpt from my piece originally published on cdef.id. You can read the full article here.
Indicators of Compromise (IOCs) are simply evidence that a cyber intrusion has occurred. They are the digital breadcrumbs left behind by attackers, helping security teams detect and respond to breaches.
Common examples of IOCs include:
IP addresses used by attackers.
Hash values of malicious files.
Domain names used for command and control.
Types of IOCs
IOCs are often categorized into three types:
Atomic IOCs: Basic, indivisible elements like IP addresses, filenames, or domain names.
Computed IOCs: Derived from data, such as hash values or regular expressions.
Behavioral IOCs: Sequences of actions that describe an attacker's Tactics, Techniques, and Procedures (TTPs), like a specific series of API calls.
The "Pyramid of Pain" illustrates that the more difficult an IOC is for an attacker to change (e.g., their TTPs vs. a file hash), the more "pain" it causes them when detected.
Cloud IOCs: New Challenges
With the growth of cloud computing, new types of IOCs have emerged, specific to cloud environments.
Atomic Cloud IOCs can include AWS IAM names, security group names, or cloud account IDs used by attackers.
Behavioral Cloud IOCs often involve suspicious sequences of cloud API calls, like manipulating CloudTrail logs or backdooring AMIs.
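As an added example (not code from the original article), a small Python detector that applies the IOC types above to constructed CloudTrail-style records: atomic matches on a source IP and an IAM ARN, and a behavioral match on logging tampering followed by an AMI change by the same identity. The event names are real CloudTrail API names; the IOC values and the sample records are constructed for illustration.

```python
import json
from collections import defaultdict

# Atomic cloud IOCs (constructed example values, not from any real incident).
ATOMIC_IOCS = {
    "sourceIPAddress": {"198.51.100.23"},
    "iamArn": {"arn:aws:iam::123456789012:user/backdoor-svc"},
}
# Behavioral cloud IOC: CloudTrail tampering followed by an AMI change by the same identity.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
AMI_EVENTS = {"CreateImage", "ModifyImageAttribute", "RegisterImage"}

# Constructed CloudTrail-style records (one JSON object per line, real field names).
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.5","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"}}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","sourceIPAddress":"198.51.100.23","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"}}
{"eventTime":"2024-05-01T10:03:00Z","eventSource":"ec2.amazonaws.com","eventName":"CreateImage","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::123456789012:user/admin"}}
{"eventTime":"2024-05-01T10:05:00Z","eventSource":"ec2.amazonaws.com","eventName":"ModifyImageAttribute","sourceIPAddress":"198.51.100.77","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-deploy"}}
{"eventTime":"2024-05-01T10:09:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"203.0.113.12","userIdentity":{"arn":"arn:aws:iam::123456789012:user/backdoor-svc"}}
"""


def parse_events(raw):
    """Parse one JSON record per non-blank line and order them by eventTime."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["eventTime"])


def detect(raw):
    """Return (kind, detail, eventName, arn) findings for atomic and behavioral IOC hits."""
    findings = []
    tampered_by = defaultdict(list)  # identity ARN -> tamper events already seen
    for ev in parse_events(raw):
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        name = ev["eventName"]
        # Atomic IOCs: exact match on a single field value.
        if ev.get("sourceIPAddress") in ATOMIC_IOCS["sourceIPAddress"]:
            findings.append(("atomic", "ip", name, arn))
        if arn in ATOMIC_IOCS["iamArn"]:
            findings.append(("atomic", "iam", name, arn))
        # Behavioral IOC: the sequence matters, not any single call.
        if name in TAMPER_EVENTS:
            tampered_by[arn].append(name)
        elif name in AMI_EVENTS and tampered_by[arn]:
            findings.append(("behavioral", " -> ".join(tampered_by[arn] + [name]), name, arn))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The admin's CreateImage is not flagged because no tampering preceded it from that identity, which is the point of a behavioral IOC over an atomic one.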
Developing Effective Detections
When using IOCs to develop security detections, consider:
Context: Understand how the IOC fits into the broader attack to accurately identify relevant data sources.
Cost: Balance the resources required for detection (e.g., analyst time, compute power) with the value of the alert.
Performance: Aim for broad coverage of attacker techniques and durable detections that are harder for attackers to evade.
Timeliness: Share and act on IOCs quickly, especially new ones, to maximize their defensive value.
Documentation: Maintain clear records of your detections, alerts, and their organization for better maintenance and team collaboration.
By focusing on these aspects, organizations can effectively leverage IOCs to enhance their cybersecurity posture.
Written by

Ewaldo Simon Hiras
I am a digital forensic and incident response professional with an interest in various topics of information security. I enjoy leisure running and PC games.