Hard2bit

Indicator of compromise

What is an indicator of compromise?

Technical evidence that a system has been compromised, identifiable via logs, network traffic, system artefacts, or anomalous behaviour.

Why it matters

This concept is fundamental to corporate security management.

Key points

IoCs become obsolete quickly. Attackers rotate infrastructure constantly. A known hash today may not be useful tomorrow.

An isolated IoC is insufficient to confirm compromise. Correlation of multiple indicators and contextual analysis are necessary.

An IoC can match a system without indicating genuine compromise (legitimate matches, false positives from previous scans, etc.).

IoCs fall into several classes: network IoCs (IPs, domains), file IoCs (hashes, paths), process IoCs (names, PIDs), registry IoCs, and behavioural IoCs (network patterns, API calls).

IoCs are reactive; Indicators of Attack (IoA) are proactive. Both are necessary for comprehensive defence.

Indicator of compromise example in the real world

An incident response team identifies that a server has been compromised. Through forensic analysis, they extract the following IoCs: The team loads these IoCs into their SIEM. Immediately, the tool searches all logs and finds that 7 additional servers have connections to IP 192.0.2.45, and 15 endpoints executed the malware hash. This escalates the scope from "1 compromised server" to "potential compromise of 23 systems", enabling targeted investigation and correct remediation.
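The SIEM sweep described above, reduced to a script, as an added example that is not part of the original glossary entry. It matches a small IoC set against constructed firewall and EDR log lines, counts the distinct hosts touched by each indicator, and flags hosts that match more than one indicator (the correlation the key points call for). The IP 192.0.2.45 comes from the text; the SHA-256 value, host names and log lines are constructed for illustration.

```python
"""Correlate an IoC set against log lines and summarise the affected scope.
Added example; the hash, host names and log lines are constructed."""
import re
from collections import defaultdict

# Constructed placeholder hash, not a real malware sample.
MALWARE_SHA256 = "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
BENIGN_SHA256 = "f" * 64

# Indicator set as the response team would hand it to the SIEM.
IOCS = {
    "ip": {"192.0.2.45"},        # C2 address from the incident
    "sha256": {MALWARE_SHA256},  # dropped binary
}

# Constructed log lines: firewall connection records and EDR process events.
SAMPLE_LOGS = "\n".join([
    "fw src_host=web-01 dst_ip=192.0.2.45 dst_port=443 action=allow",
    "fw src_host=web-02 dst_ip=198.51.100.7 dst_port=443 action=allow",
    "fw src_host=db-01 dst_ip=192.0.2.45 dst_port=8443 action=allow",
    f"edr host=web-01 event=process_start image=C:\\Users\\Public\\svchost.exe sha256={MALWARE_SHA256}",
    f"edr host=ws-17 event=process_start image=C:\\Users\\Public\\svchost.exe sha256={MALWARE_SHA256}",
    f"edr host=ws-22 event=process_start image=C:\\Windows\\System32\\notepad.exe sha256={BENIGN_SHA256}",
    "fw src_host=web-01 dst_ip=192.0.2.45 dst_port=443 action=allow",  # repeat beacon
])

FW_RE = re.compile(r"^fw src_host=(\S+) dst_ip=(\S+)")
EDR_RE = re.compile(r"^edr host=(\S+) .*sha256=([0-9a-f]{64})")


def match_iocs(log_text, iocs):
    """Return {host: set of (type, value) indicators seen on that host}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m and m.group(2) in iocs["ip"]:
            hits[m.group(1)].add(("ip", m.group(2)))
            continue
        m = EDR_RE.match(line)
        if m and m.group(2) in iocs["sha256"]:
            hits[m.group(1)].add(("sha256", m.group(2)))
    return dict(hits)


def scope_summary(hits):
    """Count affected hosts per indicator type; hosts matching several
    indicators are the strongest candidates for immediate investigation."""
    per_type = defaultdict(set)
    for host, inds in hits.items():
        for kind, _ in inds:
            per_type[kind].add(host)
    multi = sorted(h for h, inds in hits.items() if len(inds) > 1)
    return {
        "hosts_total": len(hits),
        "hosts_by_type": {k: sorted(v) for k, v in per_type.items()},
        "hosts_with_multiple_indicators": multi,
    }


if __name__ == "__main__":
    summary = scope_summary(match_iocs(SAMPLE_LOGS, IOCS))
    print(f"{summary['hosts_total']} hosts match at least one IoC")
    for kind, hosts in summary["hosts_by_type"].items():
        print(f"  {kind}: {', '.join(hosts)}")
    print("investigate first:", ", ".join(summary["hosts_with_multiple_indicators"]))
```

A single host-level hit (db-01 or ws-17 here) is a lead, not a confirmed compromise; web-01, which both beaconed to the C2 address and ran the binary, is where the correlation is strongest and the investigation should start.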

Common mistakes

  • Sophisticated attackers know their IoCs will be published. They use anti-analysis and evasion techniques to frequently change hashes and addresses.
  • An outdated IoC database provides false security. Old IoCs don't detect current threats.
  • Finding an IoC is insufficient. Investigation of why it is present, when the system was infected, and what other indicators exist is necessary.
  • Not all matching IoCs indicate compromise. Some may be residual caching or malware that was already remediated. Context is critical.
  • Publishing only hashes without tactical/technical context (MITRE ATT&CK) reduces IoC utility for others.

Frequently asked questions

What types of IoCs exist?

The main types are: file hashes (MD5, SHA1, SHA256), IP addresses, domains and malicious URLs, modified registry keys, anomalous process or service names, network traffic patterns and file system artefacts.

What is the difference between an IoC and an IoA?

An IoC (indicator of compromise) is evidence that an attack has already occurred. An IoA (indicator of attack) detects suspicious behaviour in real time, before the compromise fully materialises. IoAs are harder to evade.

How are IoCs shared between organisations?

Through standards such as STIX/TAXII, platforms like MISP or OTX, commercial threat intelligence feeds and sector-specific communities (ISACs). Automation is key for timely distribution.

How long does an IoC remain valid?

It depends on the type. A malware hash may be valid for months, but a C2 IP address can change within hours. Teams must manage IoC expiry and prioritise the most recent and highest-confidence indicators.
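The expiry handling described above, together with the STIX representation mentioned under sharing, as an added example that is not part of the original glossary entry. It keeps a small IoC store with a per-type validity window, drops expired entries, ranks the rest by confidence and freshness, and renders one indicator as a STIX 2.1 Indicator object ready for a TAXII or MISP exchange. The lifetimes, confidence values, hash and domain names are constructed assumptions; real feeds carry their own valid_from and valid_until fields, which this code honours when present.

```python
"""Per-type IoC expiry, confidence ranking and STIX 2.1 rendering.
Added example; lifetimes and sample indicators are constructed."""
import json
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed default lifetimes per type (constructed; tune for your environment):
# a C2 IP rotates within hours, a domain within days, a hash stays useful far longer.
DEFAULT_TTL = {
    "ip": timedelta(hours=48),
    "domain": timedelta(days=14),
    "sha256": timedelta(days=180),
}

# STIX 2.1 pattern templates for each indicator type.
STIX_PATTERN = {
    "ip": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}


@dataclass
class Indicator:
    ioc_type: str
    value: str
    confidence: int                       # 0-100, as in the STIX confidence property
    first_seen: datetime                  # timezone-aware
    valid_until: Optional[datetime] = None  # explicit feed expiry overrides DEFAULT_TTL

    def expiry(self) -> datetime:
        return self.valid_until or self.first_seen + DEFAULT_TTL[self.ioc_type]

    def is_active(self, now: datetime) -> bool:
        return now < self.expiry()


def active_indicators(indicators, now):
    """Drop expired entries; highest confidence first, then most recently seen."""
    live = [i for i in indicators if i.is_active(now)]
    return sorted(live, key=lambda i: (i.confidence, i.first_seen), reverse=True)


def expired_indicators(indicators, now):
    return [i for i in indicators if not i.is_active(now)]


def _stix_ts(d: datetime) -> str:
    return d.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def to_stix_indicator(ind: Indicator) -> dict:
    """STIX 2.1 Indicator object as a dict; the id is a fresh random UUID."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": _stix_ts(ind.first_seen),
        "modified": _stix_ts(ind.first_seen),
        "indicator_types": ["malicious-activity"],
        "pattern": STIX_PATTERN[ind.ioc_type].format(v=ind.value),
        "pattern_type": "stix",
        "valid_from": _stix_ts(ind.first_seen),
        "valid_until": _stix_ts(ind.expiry()),
        "confidence": ind.confidence,
    }


# Constructed sample feed evaluated at a fixed point in time.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
MALWARE_SHA256 = "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
SAMPLE_FEED = [
    Indicator("ip", "192.0.2.45", 80, NOW - timedelta(days=5)),       # past the 48h window
    Indicator("ip", "198.51.100.7", 60, NOW - timedelta(hours=6)),    # still live
    Indicator("domain", "update-check.example", 90, NOW - timedelta(days=3)),
    Indicator("sha256", MALWARE_SHA256, 95, NOW - timedelta(days=60)),
    Indicator("domain", "cdn-static.example", 70, NOW - timedelta(days=20),
              valid_until=NOW + timedelta(days=1)),                   # feed-supplied expiry
]

if __name__ == "__main__":
    for ind in active_indicators(SAMPLE_FEED, NOW):
        print(f"{ind.confidence:3d} {ind.ioc_type:7s} {ind.value}")
    print("expired:", [i.value for i in expired_indicators(SAMPLE_FEED, NOW)])
    print(json.dumps(to_stix_indicator(SAMPLE_FEED[1]), indent=2))
```

The C2 address from the incident drops out after 48 hours while the hash stays for months, which is the asymmetry the answer describes; an explicit valid_until from the feed always wins over the local default, so a still-active indicator is never aged out by a local guess.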