An Indicator of Compromise (IOC) is a piece of forensic evidence, observed on a host or on the network, that indicates a security breach has occurred. It is an artifact left behind by an intrusion, such as a file hash, an IP address or domain, a file path, or a pattern of activity, that shows an attacker or malware has been active on a system.
Examples of IOCs include:
- Suspicious network traffic: Unusual network activity, such as a large volume of data leaving a system, or connections to an IP address or domain that is not recognized or is known to be malicious.
- Malware artifacts: File hashes, file names or paths, code patterns, or signatures associated with known malware.
- Suspicious logins: Logins for unexpected accounts, at unusual times, or from locations or systems that are not typical for the user, and runs of failed logins followed by a success.
- Anomalous behavior: Unexpected activity, such as a system making requests to an unknown domain or an unusual pattern of file access.
IOCs are crucial in detecting security breaches because they let defenders confirm whether a system has been compromised and what kind of attack has occurred: incident responders search logs, endpoint telemetry, and network captures for the indicator values. Once an IOC is detected, security teams can use it to investigate the incident, identify the scope of the breach (every other host where the same indicator appears), and take steps to remediate it. One caveat: atomic indicators such as hashes, IP addresses, and domains are cheap for an attacker to change, so they should be combined with behavioral indicators like the anomalous patterns above rather than relied on alone.
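As an added example (not part of the original article), the following Python script scans constructed telemetry for the kinds of IOC listed above: exact matches on atomic indicators (destination IP, domain, file hash), a run of failed logins followed by a success, and an unusually large outbound data volume from one host. All indicator values, hostnames and events are constructed for illustration (documentation IP ranges, example.* domains, and the SHA-256 of the empty string as a stand-in hash), and the two thresholds are assumptions a real deployment would tune.

```python
"""Scan telemetry for indicators of compromise (IOCs).

Added example, not from the original article. Every indicator value,
hostname and event below is constructed for illustration; the IP ranges
are documentation ranges and the hash is the SHA-256 of the empty string.
"""
from collections import defaultdict
from dataclasses import dataclass

# Atomic indicators, keyed by the event field they are compared against.
IOCS = {
    "dst_ip": {"203.0.113.45"},
    "domain": {"c2.example.net"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed events in the shape of normalized network, process and
# authentication telemetry. ts is a simple sequence number.
EVENTS = [
    {"ts": 1, "type": "net", "host": "ws01", "dst_ip": "198.51.100.7",
     "domain": "updates.example.com", "bytes_out": 4_000},
    {"ts": 2, "type": "net", "host": "ws01", "dst_ip": "203.0.113.45",
     "domain": "c2.example.net", "bytes_out": 900},
    {"ts": 3, "type": "proc", "host": "ws01", "path": "C:\\Users\\alice\\AppData\\svc.exe",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    # Five failed logins (ts 4..8) for the same account from the same source...
    *[{"ts": 3 + i, "type": "auth", "host": "srv02", "src_ip": "192.0.2.10",
       "user": "admin", "result": "fail"} for i in range(1, 6)],
    # ...followed by a success.
    {"ts": 9, "type": "auth", "host": "srv02", "src_ip": "192.0.2.10",
     "user": "admin", "result": "success"},
    {"ts": 10, "type": "net", "host": "srv02", "dst_ip": "198.51.100.9",
     "domain": "storage.example.org", "bytes_out": 750_000_000},
]


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # "ioc" (atomic match), "login" or "exfil" (behavioral)
    detail: str


def match_atomic_iocs(events, iocs=IOCS):
    """Exact-match each event's fields against the indicator sets."""
    findings = []
    for ev in events:
        for field, values in iocs.items():
            if ev.get(field) in values:
                findings.append(Finding(ev["host"], "ioc", f"{field}={ev[field]}"))
    return findings


def detect_failed_then_success(events, max_failures=4):
    """Flag a successful login preceded by more than max_failures failures
    for the same (source IP, user) pair; the counter resets on success."""
    failures = defaultdict(int)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "auth":
            continue
        key = (ev["src_ip"], ev["user"])
        if ev["result"] == "fail":
            failures[key] += 1
            continue
        if failures[key] > max_failures:
            findings.append(Finding(ev["host"], "login",
                f"{ev['user']} from {ev['src_ip']} after {failures[key]} failures"))
        failures[key] = 0
    return findings


def detect_outbound_volume(events, threshold_bytes=100_000_000):
    """Sum bytes sent per host and flag hosts above the (assumed) threshold."""
    totals = defaultdict(int)
    for ev in events:
        if ev["type"] == "net":
            totals[ev["host"]] += ev["bytes_out"]
    return [Finding(h, "exfil", f"{b} bytes out")
            for h, b in totals.items() if b > threshold_bytes]


def scan(events, iocs=IOCS):
    """Run the atomic and behavioral checks and return all findings."""
    return (match_atomic_iocs(events, iocs)
            + detect_failed_then_success(events)
            + detect_outbound_volume(events))


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"[{f.kind}] {f.host}: {f.detail}")
```

Run as a script it prints five findings: three atomic matches on ws01 (the C2 IP, the C2 domain, and the known-bad hash), the brute-forced admin login on srv02, and srv02's 750 MB of outbound traffic. The split between the exact-match function and the two behavioral checks mirrors the caveat above: swapping the IP or recompiling the binary defeats the first, but not the other two.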