Indicators of Compromise (IOCs)

Indicators of compromise (IOCs) are often considered to be "digital breadcrumbs". They consist of evidence that shows a cyberattack is underway. Additionally, IOCs can provide insights into the tools used during a cyberattack, who's behind the attack, and more. 

What are Indicators of Compromise?

Security teams use indicators of compromise to look for malicious activity or threats. These indicators can be incorporated into your business' cybersecurity monitoring. They can help you stop a cyberattack that's in progress. Plus, you can use IOCs to find ways to detect and stop ransomware, malware, and other cyberthreats before they cause data breaches.

How do Indicators of Compromise Work?

When a cybercriminal attacks your company, the criminal leaves a digital footprint. For example, your security team may see cybercriminal activity in your system and log files after a cyberattack. At this point, your team can gather digital forensics data from these systems and files. From here, your team can determine if a cyberattack or data breach is in progress or has already happened.

Your security team can look for indicators of compromise across your IT infrastructure. Or, you can hire a managed security service provider (MSSP) that searches for IOCs on your behalf. In either scenario, advanced technology and tools can be used to scan and analyze your network traffic and other sources for IOCs. If any suspicious activity is identified, it can be isolated accordingly.

Types of Indicators of Compromise


Network IOCs include unusual traffic patterns, connections to malicious IP addresses or domains, or other signs of suspicious activity on a network. Intrusion detection systems (IDS), security information and event management (SIEM) systems, and other network monitoring tools can be used to detect these IOCs.


These include unusual file activity, changes to system configuration settings, and other suspicious activity on a computer or system. Your business can detect host-based IOCs with endpoint Detection and Response (EDR), extended detection and response (XDR), and other endpoint security solutions.


File-based indicators of compromise suggest malicious system files or malware. Examples of file-based IOCs include suspicious hashes, filenames, and file paths. EDR and sandboxing tools are commonly used to detect file-based IOCs.


Behavioral indicators of compromise such as multiple failed login attempts or unusual login times indicate suspicious user activity on a system or network. User monitoring tools like user and entity behavior analytics (UEBA) solutions can be used to identify behavioral IOCs.

Examples of Indicators of Compromise

  • A spike or slowdown in network traffic or other unusual outbound network traffic activity
  • Escalation of user-access privileges for a specific account, use of an account to access others that provide the user with additional privileges, or other privileged user account anomalies
  • Account logins that come from outside the country where your business is located
  • Multiple failed login attempts on a single account
  • Multiple requests for access to a single file
  • Use of a network port that was previously not in use
  • Unauthorized changes to your registry or system files
  • Domain name system (DNS) requests that occur suddenly and without notice

Lifecycle of Indicators of Compromise

1. Discovery

Your business can discover indicators of compromise by:

  • Looking through system logs.
  • Analyzing network traffic.
  • Performing security scans.
  • Getting security alerts from devices and software.

2. Assessment

There are many tools and technologies that you can use to learn about a potential threat, including:

  • Network traffic analysis
  • Malware analysis
  • System analysis
  • Threat intelligence

3. Sharing

Once you have IOCs, you can share them with your employees, law enforcement agencies, or other businesses in your industry. When you do, you can:

  • Find new ways to guard against threats.
  • Identify cyberattack trends and patterns.
  • Speed up incident response and remediation.

4. Deployment

At this point, you can deploy security controls to improve your cybersecurity posture. It is beneficial to establish multiple layers of controls so you can optimize your cyber protection.

5. Detection and Response

You can utilize multiple tools and techniques to watch for IOCs. If an IOC is identified, you can:

  • Isolate the affected system or network to prevent the threat from spreading.
  • Block suspicious network traffic, quarantine infected systems, or take other steps to address the threat.
  • Notify relevant stakeholders about the incident and what's being done to address it.

6. End of Life (EOL)

An IOC reaches the EOL stage when you have successfully mitigated it. Factors that can cause an IOC to no longer be relevant include:

  • Technology changes: An IOC can become outdated due to the fact that certain technologies are not being used anymore.
  • Evolving threat landscape: The threats you face can change as the cyberthreat landscape continues to change.
  • Security enhancements: IOCs can become redundant or unnecessary after you invest in state-of-the-art security tools or technologies.      

What is an Indicator of Attack (IOA)?

An indicator of attack (IOA) refers to evidence that shows a cybercriminal intends to attack your business. To understand how an IOA works, let's consider an example.

With phishing attacks, cybercriminals attempt to get a target to click on a link or open a document that infects their device. They must find potential targets and consider how they can get their attention. Also, they must execute several steps to get victims to download malicious software.

IOAs emphasize the steps that cybercriminals will take to launch attacks. By keeping an eye out for these steps, your business can close security gaps. Most importantly, you can stop cyberattacks in their early stages or before they occur.

Examples of Indicators of Attack

  • Communication between public servers that don't typically communicate with each other
  • Communication between internal hosts with recipients outside the country where your company operates
  • Connections to non-standard ports
  • Malware that crops up within a few minutes of it being removed from an infected device
  • User login that comes from multiple regions

Difference Between Indicators of Compromise and Indicators of Attack

Indicators of compromise are evidence that show a cyberattack is currently happening or has already occurred. As soon as a cybercriminal attacks your business, you can detect IOCs. These indicators can help you analyze the impact of an attack. 

Comparatively, indicators of attack are evidence that show you could suffer a cyberattack soon.  You can detect IOAs before a cyberattack or data breach. If you handle IOAs properly, you may be able to avoid data breaches.

Benefits of Monitoring for Indicators of Compromise

Monitoring for IOCs helps you quickly identify and respond to security incidents. If left unaddressed, these incidents can disrupt your business, its employees, and its customers. These incidents can damage your brand reputation and bottom line. They can also compromise your business' sensitive data and lead to regulatory violations and penalties.

Challenges of Monitoring for Indicators of Compromise

Looking for IOCs is reactive — not proactive. Your business has to wait for a cyberthreat to pop up across your IT infrastructure before there's an IOC for it. If you want to be proactive about cyber protection, your organization can invest in more robust cybersecurity prevention products and services. In doing so, you can utilize IOCs to supplement your overall cybersecurity strategy. 

IOC Management Best Practices

  • Establish identity and access management (IAM) controls so you can quickly and easily identify who has access to your data, systems, and networks.
  • Segment your networks — that way, if a cybercriminal infiltrates one of your networks, you can reduce the risk that this criminal can compromise all of them.
  • Use threat intelligence to stay up to date on the cyberthreat landscape, track current and emerging threats, and find the best ways to guard against them.
  • Utilize managed detection and response (MDR), EDR, XDR, threat intelligence platforms, and other security tools and technologies to manage IOCs.
  • Automate indicators of compromise analysis and correlation so you can prioritize the most-pressing IOC alerts based on severity and respond to critical threats right away.
  • Establish an incident response plan that allows you to leverage IOCs to review the severity of an incident and remediate it as quickly and efficiently as possible.
  • Partner with an MSSP that can analyze your cybersecurity posture, identify gaps, and help you figure out the best ways to address security vulnerabilities now and in the future.
  • Share IOCs with industry partners, so you can work with industry peers to address cyberthreats across your sector.
  • Review IOCs regularly and create a retention policy based on your industry's regulatory requirements and your company's needs.

Teach your employees about IOCs, what they are, how they work, and what they can do to protect against cyberthreats.