Skip to main content

Indicators of Compromise (IoCs)

Indicators of Compromise (IoCs) are specific data artifacts or other characteristics that indicate that a system has been compromised. They are usually grouped together in a list that can be read and completed by security software such as an antivirus program or firewall. Typical indicators include unusual network traffic, unexpectedly resource-intensive processes, or previously unknown registry entries.

Indicators of Compromise (IoCs) occur in these areas

Indicators of compromise of the IT system occur in the following areas:
[su_list icon=”icon: hand-o-right” icon_color=”#187bc0″ indent=”-5″]

  • Network
  • Logs
  • Files
  • Registry
  • User administration
  • Processes

In general, any unusual action is registered by the system and checked against the known list of Indicators of Compromise (IoCs) by the protection software in use. For example:

[su_list icon=”icon: commenting-o” icon_color=”#187bc0″ indent=”-5″]
  • Is there an unusual amount of traffic on the network between certain IP addresses and ports?
  • Do unusual DNS requests occur?
  • Are entries in the registry possibly conspicuous?
  • Are the activities of an administrator account unusual?
  • Have there been any unusual software updates?

Have the system automatically search for Indicators of Compromise (IoCs).

It is obvious that a system should ideally be able to automatically search for the corresponding indicators. For this purpose, special formats have been developed that are able to provide the corresponding information. The most widely used are OpenIOC and STIX. Modern virus scanners and firewalls can practically always handle these formats. In addition, a number of free tools are available that users can use to scan for the indicators. For example,“Loki” is popular as a corresponding tool.

Indicators of Compromise vs. Indicators of Attack

Indicators of compromise of a system are distinct from indicators of attack. The language is somewhat misleading at this point: Indicators of Compromise are more serious. In this case, the system may have already been compromised or successfully infiltrated by malware. The Indicators of Attack (IoAs), on the other hand, simply indicate that there may be an ongoing attempt to compromise the system. It is still possible to defend against the ongoing attack.

Frequently Asked Questions (FAQs) about Indicators of Compromise

How reliable are the indicators?

This varies. For example, high network traffic can also have harmless reasons, such as creating a backup. Unusual hash values, on the other hand, are a relatively reliable signal of compromise.

How often should you scan for indicators?

Ideally, you should have a scanner running in the background that checks for indicators at regular intervals. This should be done at least weekly. New data should be checked immediately in a standardized manner.

Further links

Do you have any more questions?

Please contact us

Further contents