Skip to main content
Introducing Polarity Intel Edition: Streamlining Intel Distribution for SecOps
Polarity Intel Edition
Request a Demo

Indicators of Compromise (IoC)

What are Indicators of Compromise (IoC)?

An Indicator of Compromise (IoC) is used to identify potential security breaches or malicious activities within computer systems, networks, or digital environments. IoCs serve as “red flags” that security analysts and systems can use to detect and respond to threats. They encompass various types of evidence, such as malicious files, network traffic patterns, unusual behaviors, or specific characteristics associated with cyberattacks. By monitoring and analyzing IoCs, security professionals can better safeguard their systems and data against cyber threats.

IoCs are categorized into different types:

  1. File-based: These involve specific files or hashes that are linked to malicious activities. For instance, a known malware file’s hash can be used as an IoC. If the same hash is detected on a system, it indicates a potential compromise.
  2. Network-based: These are patterns or signatures in network traffic that suggest malicious activities. An example is an IP address that is known to be associated with a command-and-control server used by cybercriminals.
  3. Behavioral: These are indicators based on unusual or unauthorized activities within a system. For example, multiple failed login attempts within a short time period might indicate a brute-force attack.
  4. Registry: These involve anomalies in the system registry, which could signify malicious changes made to the system configuration.
  5. Domain IoCs: Malicious domains or domain name patterns associated with phishing or malware distribution can be used as indicators.
  6. Email IoCs: Suspicious email addresses, subject lines, or attachments can be indicators of phishing attempts.

Examples of IoCs:

  • MD5 Hash: A unique string of characters generated from a file, such as a malicious executable. If the same MD5 hash is identified elsewhere, it suggests the presence of the same file.
  • IP Address: An IP address linked to a known malicious server. If a connection attempt to this IP address is detected, it might indicate communication with a malicious entity.
  • Domain Name: A domain associated with phishing or malware distribution, like “fakebank-login.com.”
  • File Path: A specific file path on a system that is typical of a certain malware variant.
  • Registry Key: Unusual changes in the system’s registry, like the addition of entries related to a specific malware.
  • Network Traffic Pattern: A unique pattern of data flow between a compromised host and a command-and-control server.