IOC — Indicator of Compromise
An Indicator of Compromise (IOC) is any observable artifact that provides evidence of a cybersecurity intrusion. IOCs include file hashes, IP addresses, domain names, URLs, email addresses, registry keys, and behavioral patterns that indicate malicious activity has occurred or is occurring within an environment.
Why IOCs Matter in Incident Response
IOCs serve as the forensic breadcrumbs that allow incident responders to detect, scope, and track adversary activity. During the detection and analysis phase of incident response, IOCs help analysts confirm that an alert represents a genuine threat rather than a false positive. During containment, IOCs guide blocking actions -- adding malicious IPs to firewall deny lists, quarantining files by hash, or blackholing command-and-control domains.
Beyond the immediate incident, IOCs feed into threat intelligence platforms where they help detect the same adversary across other organizations and inform proactive hunting for dormant compromises.
Types of IOCs
- Network-based: Malicious IP addresses, domain names, URLs, and DNS query patterns
- Host-based: File hashes (MD5, SHA-1, SHA-256), suspicious registry modifications, unusual scheduled tasks, and anomalous process execution
- Email-based: Sender addresses, subject line patterns, and attachment hashes associated with phishing campaigns
- Behavioral: Unusual login patterns, privilege escalation sequences, or data transfer volumes that deviate from baseline
IOCs vs TTPs
IOCs are specific, atomic artifacts that are easy to share but also easy for adversaries to change. A threat actor can rotate IP addresses and recompile malware to generate new hashes in minutes. TTPs (Tactics, Techniques, and Procedures) describe the adversary's behavior at a higher level of abstraction and are much harder to change. Mature detection programs combine IOC-based detection for speed with TTP-based detection for resilience. The MITRE ATT&CK framework provides a structured taxonomy for mapping TTPs.
Managing IOCs During an Incident
As an incident unfolds, the number of IOCs can grow rapidly. Effective IOC management requires a structured process: collect artifacts from forensic analysis, normalize and deduplicate them, validate that each one is actually worth acting on, push them to detection tools for blocking and alerting, and distribute them to partners under sharing conventions such as TLP (Traffic Light Protocol) markings, which state how widely each indicator may be passed on. Documenting every IOC in the incident record creates a defensible timeline that shows when each artifact was identified and what action was taken.
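The following is an added example, not code from this page or from IR-OS, that ties the IOC types listed above to the management process just described: it classifies each observable by type (URL, email, IP, hash, domain), refangs and normalizes it, rejects non-routable addresses and unrecognised strings, deduplicates, appends each sighting to a timestamped ledger with the action taken, matches the accepted indicators against log lines, and exports only those whose TLP marking permits sharing. All indicator values, sources, log lines and the `203.0.113.7` address (an RFC 5737 documentation range standing in for an attacker host) are constructed for the demo; the classification patterns are deliberately simple assumptions, not a complete parser.

```python
"""Added illustration of an IOC pipeline: classify, normalize, validate,
deduplicate, record in an append-only ledger, match logs, export by TLP."""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Classification patterns (hypothetical; adequate for the demo, not exhaustive).
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
URL_RE = re.compile(r"^https?://", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
# Addresses that are never useful as shareable or blockable indicators.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
# TLP 2.0 levels, least to most restrictive.
TLP_ORDER = ["TLP:CLEAR", "TLP:GREEN", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:RED"]


def classify(value):
    """Return the IOC type: url, email, ip, md5/sha1/sha256, domain or unknown."""
    if URL_RE.match(value):
        return "url"
    if EMAIL_RE.match(value):
        return "email"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if HEX_RE.match(value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)]
    if DOMAIN_RE.match(value):
        return "domain"
    return "unknown"


def normalize(raw):
    """Refang ('hxxp', '[.]'), trim, and lowercase everything except URLs (paths are case-sensitive)."""
    value = raw.strip().replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^hxxp", "http", value, flags=re.I)
    kind = classify(value)
    return kind, (value if kind == "url" else value.lower())


def validate(kind, value):
    """Return a rejection reason, or None when the indicator is worth recording."""
    if kind == "unknown":
        return "unrecognised indicator format"
    if kind == "ip" and any(ipaddress.ip_address(value) in n for n in NON_ROUTABLE):
        return "non-routable address"
    return None


class IOCLedger:
    """Append-only record: each sighting is logged with timestamp and action; entries are never rewritten."""

    def __init__(self):
        self.entries = []
        self._first_seen = {}  # (kind, value) -> index of the accepted entry

    def add(self, raw, source, action, tlp="TLP:AMBER", when=None):
        kind, value = normalize(raw)
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        entry = {"ts": stamp, "kind": kind, "value": value, "source": source,
                 "action": action, "tlp": tlp}
        reason = validate(kind, value)
        if reason:
            entry.update(status="rejected", reason=reason)
        elif (kind, value) in self._first_seen:
            # Re-sightings are kept for the timeline but do not create a second indicator.
            entry.update(status="duplicate", first=self._first_seen[(kind, value)])
        else:
            entry["status"] = "accepted"
            self._first_seen[(kind, value)] = len(self.entries)
        self.entries.append(entry)
        return entry["status"]

    def indicators(self, kind=None):
        return [e for e in self.entries
                if e["status"] == "accepted" and (kind is None or e["kind"] == kind)]

    def match_logs(self, lines):
        """Detection: (kind, value, line) for every accepted indicator found in the log lines."""
        return [(e["kind"], e["value"], line) for line in lines
                for e in self.indicators() if e["value"].lower() in line.lower()]

    def export(self, max_tlp):
        """Share only indicators marked at or below the level the recipient may receive."""
        limit = TLP_ORDER.index(max_tlp)
        return [json.dumps({k: e[k] for k in ("kind", "value", "tlp")})
                for e in self.indicators() if TLP_ORDER.index(e["tlp"]) <= limit]


def demo():
    """Run the pipeline over constructed artifacts and constructed log lines."""
    ledger, t0 = IOCLedger(), datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    results = [
        ledger.add("hxxp://evil[.]example/Loader.exe", "proxy logs", "blocked at proxy", "TLP:GREEN", t0),
        ledger.add("evil[.]example", "DNS logs", "sinkholed", "TLP:GREEN", t0),
        ledger.add("EVIL.EXAMPLE", "EDR alert", "sinkholed", "TLP:GREEN", t0),  # duplicate once normalized
        ledger.add("203.0.113.7", "firewall", "denied outbound", "TLP:AMBER", t0),
        ledger.add("Phish@Attacker[.]example", "mail gateway", "sender blocked", "TLP:AMBER", t0),
        ledger.add("10.0.0.5", "analyst note", "none", "TLP:AMBER", t0),  # rejected: internal host
        ledger.add("d41d8cd98f00b204e9800998ecf8427e", "sandbox", "quarantined", "TLP:RED", t0),
        ledger.add("not an ioc!", "chat", "none", "TLP:AMBER", t0),  # rejected: unknown format
    ]
    logs = [  # constructed sample log lines
        "2024-01-15T09:41:02Z dns query=evil.example client=10.0.0.5",
        "2024-01-15T09:41:05Z fw deny src=10.0.0.5 dst=203.0.113.7:443",
        "2024-01-15T09:42:10Z dns query=cdn.example client=10.0.0.6",
    ]
    return results, ledger.match_logs(logs), ledger.export("TLP:GREEN")
```

The ledger keeps rejected and duplicate sightings as entries rather than discarding them, because the defensible record needs to show that an artifact was seen and why no new action followed; the export step is where the TLP marking does its work, keeping the RED-marked hash and AMBER-marked address out of a GREEN-level feed.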
Document every IOC in a defensible record
IR-OS captures indicators of compromise alongside decisions and actions in an append-only incident ledger.