Indicators of Compromise - IOCs

Indicators of Compromise (IOCs) are pieces of forensic evidence that signal a potential or actual security breach within an organisation's network or systems. They are the digital fingerprints left behind by malicious actors, and they help security teams detect, investigate, and respond to cyber attacks. SOC analysts and incident responders rely heavily on IOCs to identify malware, breaches, or unauthorised activity that might otherwise go unnoticed. An IOC is most useful when it is specific enough to avoid false positives and comes with context: where it was observed, which threat actor or campaign it belongs to, and how confident the source is.

Types of IOCs:

1 - File Hashes: A file hash (e.g., MD5, SHA-1, SHA-256) is a fixed-length digest computed from a file's contents, so two files with the same hash are, for practical purposes, the same file. Malware samples seen in the wild are catalogued by their hashes in threat databases; by hashing a file found on a system and comparing it with those known-bad values, SOC analysts can quickly determine whether it is a known threat. Two caveats apply. MD5 and SHA-1 are no longer collision-resistant, so SHA-256 should be the primary key when sharing or storing indicators. And a hash only matches an identical file: changing a single byte of a sample (repacking it, or embedding a new configuration) produces a completely different hash, which makes hashes precise but cheap for an attacker to evade.

Example: The SHA-256 hash of a file dropped on a workstation matches a known ransomware sample in a threat-intelligence feed, signalling an infection.

2 - IP Addresses: Suspicious or known malicious IP addresses can be IOCs. Attackers use specific addresses or ranges to control compromised systems (command and control) and to receive exfiltrated data. Monitoring firewall, proxy, DNS, and flow logs for connections to these addresses can reveal a compromise. IP-based indicators age quickly: attackers rotate infrastructure, and an address on shared hosting, a CDN, or a cloud provider may also serve legitimate traffic. Check the first-seen and last-seen dates on the indicator and expect some false positives.

Example: A system connecting to an IP address flagged in threat intelligence reports for being part of a command-and-control (C2) infrastructure might suggest a malware infection.

3 - Domain Names: Attackers register or compromise domains for phishing pages, malware delivery, and command-and-control traffic. IOCs can include known bad domains associated with threat actors, as well as lookalike domains (typosquats, homoglyphs, or a legitimate brand name combined with extra words) that impersonate a trusted service. Domain indicators are usually matched against DNS queries, proxy logs, and email headers, and a match should cover subdomains of the listed domain as well as the domain itself.

Example: An employee receives an email from a domain that mimics a legitimate service but has been flagged as malicious due to its use in phishing campaigns.

4 - File Names: Attackers may use specific file names for their malware payloads. While file names alone are not always reliable, when combined with other IOCs, they can help identify compromised systems.

Example: The presence of a file named "invoice.exe" in an email attachment could be flagged if it matches a common tactic used in spear-phishing attacks.

5 - Registry Changes: On Windows, malware frequently modifies the Registry to maintain persistence, for example by adding an entry under a Run key so that it launches at every logon, or by registering itself as a service. Unusual registry modifications are a strong indicator of compromise, especially when they match known attack patterns.

Example: A new registry key that is known to be associated with malware persistence might be identified during threat hunting.

6 - Unusual Network Traffic: Abnormal spikes in traffic, connections to unexpected destinations, use of unusual ports or protocols, and regular beacon-like connections at fixed intervals can indicate an attack in progress, such as command-and-control activity or data exfiltration. Unlike a hash or an IP address, this is a behavioural indicator: it is judged against a baseline of what is normal for the host or network rather than against a fixed value.

Example: Large outbound data transfers from a workstation to an unfamiliar external server, particularly outside business hours, could suggest unauthorised data exfiltration.

7 - Unusual User Activity: Compromised credentials show up as abnormal user behaviour, such as logins from locations or devices the user has never used, access to sensitive data outside business hours, or rapid bulk downloads. These indicators are derived from authentication and access logs and depend on a baseline of each user's normal behaviour.

Example: A user logging in successfully from two geographically distant locations within a period too short to travel between them (often called impossible travel) could indicate account compromise. A VPN or cloud proxy exit can produce the same pattern, so the source network should be checked before escalating.
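The matching logic a SIEM or a small hunting script applies for the first four IOC types above, as an added example that is not code from the original page. The threat feed, the sample bytes and the telemetry events are constructed for the illustration (TEST-NET addresses and .example domains, not real indicators), and the weights and alert threshold are assumed values. It also shows why analysts correlate indicators rather than alerting on each one: a file name alone scores below the threshold, while a hash match plus traffic to a listed network on the same host does alert.

```python
import hashlib
import ipaddress
from collections import defaultdict

# --- Constructed threat-intelligence feed (illustrative values, not real IOCs) ---
KNOWN_BAD_SAMPLE = b"MZ\x90\x00constructed-ransomware-stub\x00"
IOC_HASHES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),   # a whole C2 range
                ipaddress.ip_network("198.51.100.7/32")]   # a single address
IOC_DOMAINS = {"evil-c2.example", "login-micros0ft.example"}
IOC_FILENAMES = {"invoice.exe"}

# Assumed weights: how much confidence one match gives. File names are weak on their own.
WEIGHTS = {"sha256": 10, "ip": 6, "domain": 6, "filename": 2}
ALERT_THRESHOLD = 6


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ip_matches(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IOC_NETWORKS)


def domain_matches(host: str) -> bool:
    """Match the listed domain itself or any subdomain of it (cdn.evil-c2.example)."""
    labels = host.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in IOC_DOMAINS for i in range(len(labels)))


def match_event(event: dict) -> list:
    """Return the IOC types that fire for one telemetry event."""
    hits = []
    if "file_bytes" in event and sha256_of(event["file_bytes"]) in IOC_HASHES:
        hits.append("sha256")
    if "dst_ip" in event and ip_matches(event["dst_ip"]):
        hits.append("ip")
    if "dst_host" in event and domain_matches(event["dst_host"]):
        hits.append("domain")
    if "filename" in event and event["filename"].lower() in IOC_FILENAMES:
        hits.append("filename")
    return hits


def score_hosts(events: list) -> dict:
    """Correlate matches per host: several indicators on one host add up."""
    scores = defaultdict(int)
    for ev in events:
        for kind in match_event(ev):
            scores[ev["host"]] += WEIGHTS[kind]
    return dict(scores)


def alerting_hosts(events: list) -> list:
    return sorted(h for h, s in score_hosts(events).items() if s >= ALERT_THRESHOLD)


# Constructed telemetry for the example.
EVENTS = [
    {"host": "ws01", "filename": "invoice.exe", "file_bytes": KNOWN_BAD_SAMPLE},
    {"host": "ws01", "dst_ip": "203.0.113.45", "dst_host": "cdn.evil-c2.example"},
    {"host": "ws02", "filename": "invoice.exe"},                      # weak on its own
    {"host": "ws03", "filename": "report.exe",
     "file_bytes": KNOWN_BAD_SAMPLE + b"\x00"},                       # one byte added: hash IOC misses
    {"host": "ws04", "dst_ip": "192.0.2.10", "dst_host": "mail.example.org"},
]

if __name__ == "__main__":
    for host, score in sorted(score_hosts(EVENTS).items()):
        print(host, score)
    print("alert:", alerting_hosts(EVENTS))
```

Two details are worth noting. The domain check walks up the label hierarchy so that a subdomain of a listed domain still matches, which a naive set lookup would miss. And ws03 carries the known-bad sample with a single byte appended, so the hash indicator does not fire at all; that is the brittleness described under File Hashes, and the reason the page's later techniques add behavioural and pattern-based detection.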

Importance of IOCs:

IOCs are crucial for early detection of security incidents, enabling SOC teams to identify and contain threats before they cause significant damage. A single indicator rarely tells the whole story; by correlating multiple IOCs (a matching hash on a host that is also beaconing to a known C2 address, for instance), analysts gain a clearer picture of the scope and severity of an attack and reduce false positives. SIEM platforms and endpoint tools consume threat-intelligence feeds of IOCs and raise alerts automatically when logs or telemetry match them. Not all IOCs are equally valuable: hashes and IP addresses are trivial for an attacker to change, while indicators that describe their tools and behaviour are far more costly for them to abandon, so a detection strategy should not rest on atomic indicators alone.

IOCs therefore form a critical part of any security strategy, helping to pinpoint signs of compromise and enabling swift and effective incident response.

Key Techniques for Obtaining Indicators of Compromise (IOCs)

Observation, Analysis, and Signatures are three complementary techniques for obtaining Indicators of Compromise (IOCs) in a Security Operations Centre (SOC). Here is how each contributes to detecting IOCs:

1. Observation:

Security teams continuously monitor network traffic, system behaviour, and user activity in real time. Through careful observation they can spot unusual patterns or anomalies that indicate a potential compromise: abnormal login attempts, unexpected outbound traffic, or irregular file modifications. Observation yields behavioural indicators, identified by comparing what is happening against the organisation's normal operations rather than against a list of known-bad values, which is why it can catch activity that no signature exists for yet.

2. Analysis:

Analysts thoroughly examine collected data, such as system logs, network packet captures, and endpoint activity, to identify hidden threats. Through this analysis they uncover IOCs such as malicious file hashes, suspicious IP addresses, or unusual registry changes. In-depth forensic analysis of compromised systems also produces new IOCs: by establishing the root cause of an incident and tracing the attacker's activity, analysts extract the hashes, addresses, domains, and persistence artefacts that can then be turned into detections and shared with other teams.

3. Signatures:

Security tools use signature-based detection to identify threats by comparing data against known IOCs, such as malware file hashes, or against patterns of malicious code (for example, YARA or IDS rules). Signature databases are continually updated with new IOCs, allowing security systems to recognise previously identified threats quickly and with few false positives. This method is effective for known malware variants and attack techniques, but it cannot detect a threat nobody has seen yet, and minor changes to a sample defeat exact-match signatures such as hashes. Pattern signatures that target code an attacker is unlikely to rewrite survive longer than a hash of one particular build.
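A hash signature beside a YARA-style byte-pattern signature, run over three constructed files, as an added example that is not from the page or from any vendor's tool. The byte sequences, the "malware family" builder and the pattern rule are invented for the illustration. It shows the trade-off the paragraph describes: the hash fires only on the exact build it was taken from, while the pattern, which targets the shared code stub and wildcards the embedded configuration, also catches a rebuild with a new C2 address but not a benign file that merely shares a function prologue.

```python
import hashlib
import re

# Constructed "malware family": every build shares the same code stub but carries a different
# embedded configuration, so every build has a different hash. Bytes are illustrative only.
PROLOGUE = bytes.fromhex("558bec83ec10")      # push ebp; mov ebp,esp; sub esp,0x10
EPILOGUE = bytes.fromhex("e8000000005dc3")    # call $+5; pop ebp; ret


def build_sample(config: bytes) -> bytes:
    return b"MZ\x90\x00" + PROLOGUE + config + EPILOGUE


# Signature 1: the exact SHA-256 hash of the first build that was analysed.
FIRST_BUILD = build_sample(b"C2=evil-c2.example")
HASH_SIGNATURE = hashlib.sha256(FIRST_BUILD).hexdigest()

# Signature 2: a YARA-style hex pattern for the code stub. "??" matches any single byte and
# "[lo-hi]" matches between lo and hi arbitrary bytes (the variable-length configuration).
# Hypothetical rule written for this example, not a published detection.
PATTERN_SIGNATURE = "55 8b ec 83 ec ?? [0-64] e8 00 00 00 00 5d c3"


def compile_pattern(sig: str) -> re.Pattern:
    """Translate the hex pattern into a bytes regex."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = tok[1:-1].split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL so "." also matches 0x0a


PATTERN = compile_pattern(PATTERN_SIGNATURE)


def hash_match(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() == HASH_SIGNATURE


def pattern_offset(data: bytes):
    """Offset of the first pattern match, or None if the file does not match."""
    m = PATTERN.search(data)
    return m.start() if m else None


def classify(data: bytes) -> dict:
    return {"hash": hash_match(data), "pattern": pattern_offset(data) is not None}


# Constructed inputs: the analysed build, a rebuild with a new C2 address, and a benign file
# that shares the function prologue but nothing else.
SECOND_BUILD = build_sample(b"C2=backup-c2.example")
BENIGN = b"MZ\x90\x00" + PROLOGUE + b"\x33\xc0\xc9\xc3"

if __name__ == "__main__":
    for name, data in [("first build", FIRST_BUILD), ("second build", SECOND_BUILD), ("benign", BENIGN)]:
        print(f"{name:13s} {classify(data)}")
```

The pattern still produces a false negative if the attacker rewrites the stub itself, and a rule with too many wildcards produces false positives on unrelated files, so real rules are tested against a corpus of known-good files before deployment.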

These methods—Observation, Analysis, and Signatures—work in tandem with threat intelligence, security tools, and collaborative sharing to ensure a comprehensive approach to detecting IOCs. Through careful monitoring and in-depth investigation, SOC teams can effectively identify and respond to cyber threats, both known and unknown.
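A behavioural check of the kind Observation produces, for the impossible-travel pattern given as the example under Unusual User Activity above, as an added example that is not part of the original page. The log lines, the city coordinates and the speed threshold are constructed or assumed for the illustration; a production SIEM would geolocate the source address with a GeoIP database and tune the threshold to its own user population. Failed logins are deliberately excluded from the travel comparison, since a failed attempt from far away is a different signal (password guessing) and says nothing about where the legitimate user is.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed geolocation table (city -> latitude, longitude). A real pipeline would resolve
# the source IP with a GeoIP database; that lookup is assumed to have already happened.
GEO = {
    "London": (51.5074, -0.1278),
    "Manchester": (53.4808, -2.2426),
    "Sydney": (-33.8688, 151.2093),
}
MAX_PLAUSIBLE_KMH = 1000.0   # assumed: roughly airliner speed, tune per environment


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_login(line):
    """Parse one constructed auth log line ('<timestamp> key=value ...') into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def impossible_travel(lines, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive successful logins by one user that would require an impossible speed."""
    by_user = defaultdict(list)
    for rec in map(parse_login, lines):
        if rec["result"] == "success":      # failures prove nothing about the user's location
            by_user[rec["user"]].append(rec)

    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda r: r["time"])
        for prev, cur in zip(logins, logins[1:]):
            if prev["geo"] == cur["geo"]:
                continue
            km = haversine_km(GEO[prev["geo"]], GEO[cur["geo"]])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            # Two logins in the same second would divide by zero; treat that as infinitely fast.
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                findings.append({"user": user, "from": prev["geo"], "to": cur["geo"],
                                 "km": round(km), "hours": round(hours, 2), "kmh": round(kmh)})
    return findings


# Constructed log lines for the example (TEST-NET source addresses, not real telemetry).
LOG_LINES = [
    "2024-05-01T08:00:00Z user=alice src=198.51.100.4 geo=London result=success",
    "2024-05-01T08:45:00Z user=alice src=203.0.113.9 geo=Sydney result=success",
    "2024-05-01T09:00:00Z user=bob src=192.0.2.20 geo=London result=success",
    "2024-05-01T12:30:00Z user=bob src=192.0.2.21 geo=Manchester result=success",
    "2024-05-01T12:31:00Z user=carol src=203.0.113.10 geo=Sydney result=failure",
    "2024-05-01T12:32:00Z user=carol src=198.51.100.5 geo=London result=success",
]

if __name__ == "__main__":
    for f in impossible_travel(LOG_LINES):
        print(f"{f['user']}: {f['from']} -> {f['to']}, {f['km']} km in {f['hours']} h ({f['kmh']} km/h)")
```

Only alice is flagged: London to Sydney in 45 minutes. Bob's London to Manchester trip over three and a half hours is an ordinary journey, and carol's failed attempt from Sydney never enters the comparison. Before escalating an alice-style finding, an analyst checks whether either source address is a corporate VPN or cloud proxy exit, which produces exactly this pattern for legitimate users.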
