
IoC

An indicator of compromise (IoC, in computer security) is qualified technical data that makes it possible to detect malicious activity on an information system. These indicators can be based on data of various types, for example a file hash, a signature, an IP address, a URL or a domain name, but in all cases the technical data alone (an observable, see that entry) is not enough to speak of an IoC.


The use of IoCs to detect and respond to cyber threats

Through continuous analysis and contextualization of the traces left by attackers, Cyber Threat Intelligence identifies threats and produces specialized data together with the means to operationalize it, such as YARA rules or Sigma rules.

A very common error is to treat a raw piece of technical data (for example, an IP address) as an indicator. In reality, such data on its own is only an observable; lacking context and qualification, using it as an indicator produces a great many false positives.

For effective detection, an indicator must always contain, in addition to a technical observable, validity and qualification metadata.

What is an Indicator of compromise

How to collect and use indicators of compromise?

Let’s take the example of indicators based on IP addresses. To alert a client company to a possible connection between its computer network and attackers’ IP addresses:

  1. Every week, the team of researchers analyzes the traces left by attackers across all IP addresses in the world and qualifies some of them as IoCs.
  2. Once integrated into the database, this information is used to generate an alert and, above all, to contextualize it whenever a connection is attempted between the company’s computer network and one of the attackers’ IP addresses. It is rare to have an in-house research team able to track all threats effectively, which is why it is often best to connect to external databases and subscribe to their updates, known as cyber threat intelligence feeds or CTI feeds. Some of these databases are published voluntarily and free of charge by communities of interest; others are commercial and paid.
  3. For the researcher, the approach consists of completing the intelligence cycle: collecting data (some open, some gathered with their own means), investigating, cross-checking the information and qualifying it.
  4. The last step is to standardize the indicators to make them operational. At SEKOIA, we use the SEKOIA.IO TIP for this work; the indicators produced are then made available in the STIX 2.1 standard through our SEKOIA.IO CTI and SEKOIA.IO XDR solutions.
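To make the observable-versus-indicator distinction concrete, here is an added example (not SEKOIA's code) that matches a constructed connection log first against a bare IP address and then against the same address wrapped in a STIX 2.1-style Indicator carrying `valid_from`, `valid_until` and `confidence`. The IP addresses (RFC 5737 documentation ranges), the indicator id and the log entries are all constructed; only the indicator wrapped with validity metadata yields a contextualized alert, and only inside its validity window.

```python
import re
from datetime import datetime, timezone

# Constructed: the same IP as a bare observable and as a qualified indicator.
BARE_OBSERVABLE = "203.0.113.45"

QUALIFIED_INDICATOR = {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--00000000-0000-4000-8000-000000000001",  # constructed id
    "pattern_type": "stix",
    "pattern": "[ipv4-addr:value = '203.0.113.45']",
    "valid_from": "2024-01-10T00:00:00Z",
    "valid_until": "2024-03-10T00:00:00Z",
    "confidence": 80,
    "indicator_types": ["malicious-activity"],
    "description": "Constructed: address used as C2 in a previously analysed incident",
}

# Constructed connection log: (timestamp, destination IP).
EVENTS = [
    ("2024-02-01T12:00:00Z", "203.0.113.45"),  # inside validity window -> alert
    ("2024-06-01T12:00:00Z", "203.0.113.45"),  # after valid_until -> no alert
    ("2024-02-01T12:05:00Z", "198.51.100.7"),  # unrelated destination
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def indicator_ip(indicator):
    """Pull the ipv4-addr literal out of a single-comparison STIX pattern."""
    m = re.fullmatch(r"\[ipv4-addr:value = '([\d.]+)'\]", indicator["pattern"])
    if not m:
        raise ValueError("unsupported pattern: " + indicator["pattern"])
    return m.group(1)

def match_bare(events, observable):
    """Naive matching on the observable alone: no time window, no context."""
    return [ts for ts, ip in events if ip == observable]

def match_indicator(events, indicator, min_confidence=50):
    """Alert only within [valid_from, valid_until) and above a confidence floor,
    and attach the indicator's context so an analyst can triage the hit."""
    if indicator.get("confidence", 0) < min_confidence:
        return []
    ip, start, end = indicator_ip(indicator), parse_ts(indicator["valid_from"]), parse_ts(indicator["valid_until"])
    return [{"time": ts, "dst": dst, "indicator": indicator["id"],
             "confidence": indicator["confidence"], "context": indicator["description"]}
            for ts, dst in events if dst == ip and start <= parse_ts(ts) < end]
```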

IoC vs IoA, what are the differences?

An IoC (Indicator of Compromise) answers the “What?” and “How?” of an attack that has already taken place elsewhere.

Unlike an IoC, an IoA (Indicator of Attack) signals the presence of an attack in progress. For example, an IP address spotted in a previous attack may become an IoC; when this same IP is identified in an information system, it constitutes an IoA.

You can consult other definitions on: SOC (Security Operations Center), CTI (Cyber Threat Intelligence), XDR (eXtended Detection and Response), EDR (Endpoint Detection and Response), SIEM (Security Information and Event Management).

If you are visiting our website for the first time, know that we are a cybersecurity software publisher. We provide SOC and MSSP teams with a turnkey operational security platform (SOC platform). Through our XDR platform, CTI tool and threat intelligence platform, we enable our users to neutralize cyber threats, regardless of the attack surface.


Other Terms

CTI (Cyber Threat Intelligence)

Cyber Threat Intelligence (CTI) covers the research, analysis and modeling of cyber threats. It is used to prevent and detect computer attacks.

SOC (Security Operations Center)

A Security Operations Center (SOC) is an organizational structure dedicated to carrying out all of an organization’s security operations against cyberattacks. These actions include the supervision and protection of the organization’s information system (workstations, networks, website, applications, databases, etc.).

Chat with our team!

Would you like to know more about our solutions?
Do you want to discover our XDR and CTI products?
Do you have a cybersecurity project in your organization?
Make an appointment and meet us!