
What Are Indicators of Compromise (IOCs) and Why Do They Matter?


This article is an excerpt from my piece originally published on cdef.id. You can read the full article here.

Indicators of Compromise (IOCs) are forensic artifacts that show an intrusion has occurred or is in progress. They are the digital breadcrumbs attackers leave behind, and security teams use them to detect and respond to breaches.

Common examples of IOCs include:

  • IP addresses used by attackers.

  • Hash values of malicious files.

  • Domain names used for command and control.

Types of IOCs

There are many ways to categorize IOCs depending on how you cut the cake, but these are the common ones:

  • Atomic IOCs: basic, indivisible values such as IP addresses, filenames, or domain names, matched by simple equality.

  • Composite detections: a detection rule triggered by two or more pre-defined atomic detections or events occurring in a specific order, within a defined timeframe, or involving the same entity.

  • Computed IOCs: values derived from data rather than observed directly, such as file hashes or regular expressions.

  • Behavioral IOCs: sequences of actions that describe an attacker's Tactics, Techniques, and Procedures (TTPs), like a specific series of API calls.

The "Pyramid of Pain" (David Bianco's model) ranks indicator types by how costly they are for an attacker to change: a file hash is trivial to alter by recompiling or repacking, while changing TTPs forces the attacker to rework how they operate. The harder an indicator is to change, the more "pain" its detection causes.

Cloud IOCs: New Challenges

With the growth of cloud computing, new types of IOCs have emerged, specific to cloud environments.

  • Atomic cloud IOCs can include AWS IAM user or role names, security group names, or cloud account IDs used by attackers.

  • Behavioral Cloud IOCs often involve suspicious sequences of cloud API calls, like manipulating CloudTrail logs or backdooring AMIs.
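As an added example (not code from the original article), the following Python sketch applies the three IOC classes from the "Types of IOCs" section to a batch of constructed log records, and implements the CloudTrail-tampering behavioral IOC from the cloud section as an ordered-sequence rule (StopLogging followed by DeleteTrail by the same principal within a time window). Every indicator value, principal name and log record is constructed for illustration; the 203.0.113.45 address comes from the TEST-NET-3 documentation range and the domain uses the reserved .example TLD. The sample data is chosen to show the differences: a renamed file is still caught by its hash, a novel file is caught only by the filename regex, and a principal that performs the same two API calls two hours apart falls outside the window and does not fire.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# All indicator values and log records below are constructed for this example; none is real intel.

# Atomic IOCs: single indivisible values, matched by equality.
ATOMIC_IOCS = {
    "src_ip": {"203.0.113.45"},                 # TEST-NET-3 address
    "domain": {"update-cdn.example"},           # hypothetical C2 domain
    "cloud_principal": {"svc-backup-legacy"},   # hypothetical IAM user name (cloud atomic IOC)
}

# Computed IOCs: derived from content (a file hash, a filename pattern) rather than observed directly.
MALICIOUS_SHA256 = {hashlib.sha256(b"constructed malware sample").hexdigest()}
SUSPICIOUS_NAME_RE = re.compile(r"^(invoice|scan)_\d{4,}\.(exe|scr|js)$", re.IGNORECASE)

# Behavioral IOC: an ordered sequence of API calls by one principal inside a time window.
# StopLogging followed by DeleteTrail is the CloudTrail-tampering case from the cloud section.
TAMPER_SEQUENCE = ("StopLogging", "DeleteTrail")
TAMPER_WINDOW = timedelta(minutes=10)


def match_atomic(record):
    """Return (field, value) pairs where a record field equals a known atomic IOC."""
    return [(field, record[field]) for field, values in ATOMIC_IOCS.items()
            if record.get(field) in values]


def match_computed(record):
    """Return hits for computed IOCs: a known-bad SHA-256 or a suspicious filename."""
    hits = []
    if record.get("sha256") in MALICIOUS_SHA256:
        hits.append(("sha256", record["sha256"]))
    name = record.get("file_name")
    if name and SUSPICIOUS_NAME_RE.match(name):
        hits.append(("file_name", name))
    return hits


def _find_sequence(events, sequence, window):
    """events: chronologically sorted (ts, api_name) tuples for one principal.
    Return (start_ts, end_ts) for the first in-order occurrence of `sequence`
    that completes within `window` of its first event, else None."""
    for i, (start_ts, name) in enumerate(events):
        if name != sequence[0]:
            continue
        pos = 1
        for ts, later in events[i + 1:]:
            if ts - start_ts > window:
                break                     # too far apart to count as one tampering step
            if later == sequence[pos]:
                pos += 1
                if pos == len(sequence):
                    return start_ts, ts
    return None


def match_behavioral(records, sequence=TAMPER_SEQUENCE, window=TAMPER_WINDOW):
    """Return (principal, start_ts, end_ts) for each principal whose API calls contain `sequence`."""
    by_principal = defaultdict(list)
    for r in records:
        if "event_name" in r and "cloud_principal" in r:
            by_principal[r["cloud_principal"]].append((r["ts"], r["event_name"]))
    hits = []
    for principal, events in by_principal.items():
        found = _find_sequence(sorted(events), sequence, window)
        if found:
            hits.append((principal, found[0], found[1]))
    return hits


def run_detections(records):
    """Apply all three IOC classes to a batch of records; hits are grouped by class."""
    results = {"atomic": [], "computed": [], "behavioral": []}
    for r in records:
        results["atomic"].extend(match_atomic(r))
        results["computed"].extend(match_computed(r))
    results["behavioral"] = match_behavioral(records)
    return results


T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_RECORDS = [  # constructed log records of three kinds: proxy, endpoint, CloudTrail
    {"ts": T0, "src_ip": "203.0.113.45", "domain": "intranet.example"},          # atomic: IP
    {"ts": T0 + timedelta(minutes=1), "file_name": "report.pdf",                 # computed: hash
     "sha256": hashlib.sha256(b"constructed malware sample").hexdigest()},       # (file was renamed)
    {"ts": T0 + timedelta(minutes=2), "file_name": "Invoice_20240501.exe",       # computed: regex only
     "sha256": hashlib.sha256(b"unrelated content").hexdigest()},
    {"ts": T0 + timedelta(minutes=5), "cloud_principal": "alice", "event_name": "StopLogging"},
    {"ts": T0 + timedelta(minutes=8), "cloud_principal": "alice", "event_name": "DeleteTrail"},  # behavioral hit
    {"ts": T0 + timedelta(minutes=6), "cloud_principal": "bob", "event_name": "StopLogging"},
    {"ts": T0 + timedelta(hours=2), "cloud_principal": "bob", "event_name": "DeleteTrail"},     # outside window
    {"ts": T0 + timedelta(minutes=7), "cloud_principal": "svc-backup-legacy", "event_name": "ListBuckets"},  # atomic: IAM name
]

if __name__ == "__main__":
    for kind, hits in run_detections(SAMPLE_RECORDS).items():
        print(kind, hits)
```

Running the block prints one atomic hit for the IP and one for the IAM user name, two computed hits (hash, then filename), and a single behavioral hit for alice. The window check in `_find_sequence` is the "within a defined timeframe" clause of a composite detection; drop it and bob's two-hour gap would also fire, which is the kind of tuning decision the Cost and Performance points below are about.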

Developing Effective Detections

When using IOCs to develop security detections, consider:

  • Context: Understand how the IOC fits into the broader attack to accurately identify relevant data sources.

  • Cost: Balance the resources required for detection (e.g., analyst time, compute power) with the value of the alert.

  • Performance: Aim for broad coverage of attacker techniques and durable detections that are harder for attackers to evade.

  • Timeliness: Share and act on IOCs quickly, especially new ones, to maximize their defensive value.

  • Documentation: Maintain clear records of your detections, alerts, and their organization for better maintenance and team collaboration.

By focusing on these aspects, organizations can effectively leverage IOCs to enhance their cybersecurity posture.