Indicator of compromise (IoC in computer security) is qualified technical data that makes it possible to detect malicious activities on an information system. These indicators can be based on data of various types, for example: a file hash, a signature, an IP address, a URL, a domain name… but in all cases, the technical data alone (observable, see this word) is not enough to talk about IoC.
The use of IoCs to detect and respond to cyber threats
Thanks to a system of analysis and perpetual contextualization of these traces left by attackers, Cyber Threat Intelligence identify threats by developing: specialized data and means of exploiting them through YARA rules or SIGMA rules.
A very common error is to consider that a raw technical data (for example, an IP address) constitutes an indicator. In reality, this technical data alone is only an observable, and for lack of context and qualification, using it as an indicator leads to very many false positives.
For effective detection, an indicator must always contain, in addition to a technical observable, validity and qualification metadata.
How to collect and use indicators of compromise?
Let’s take the example of indicators based on IP addresses. To alert a client company to a possible connection of its computer network with the IP addresses of attackers :
- The team of researchers will analyze every week all the traces left by the authors on all the IP addresses in the world and will qualify some of them. like IoC.
- Integrated into the database, this information will be used to generate an alert and above all to contextualize it in the event that there is an attempt to connect between the company’s computer network with one of the attackers’ IP addresses. It’s rare to have an in-house research team that can track all threats effectively. This is why it is often best to connect to databases and subscribe to their updates, cyber threat intelligence feeds or CTI feeds. Some of these databases are published voluntarily and free of charge by communities of interest, others are commercial and are not free.
- For the researcher, the approach consists of completing the intelligence cycle : collect data, some open, others with own means, investigate, cross-check information, and qualify it.
- The last step is to standardize them to make them operational. At SEKOIA, we use SEKOIA.IO TIP to do this work; the indicators thus developed are then made available in the standard STIX 2.1 in our SEKOIA.IO CTI and SEKOIA.IO XDR solutions.
IoC vs IoA, what are the differences?
An IoC (Indicator of compromise) is the answer to the “What?” and “How” of an attack that has already taken place elsewhere.
Unlike an IoC, an IoA (Indicators of Attack) serves as an indicator of the presence of an attack in progress. For example, an IP address spotted in a previous attack may become an IoC; when this same IP is identified in an information system, it will constitute an IoA.
You can consult other definitions on:
- SOC (Security Operations Center)
- CTI (Cyber Threat Intelligence)
- XDR (eXtended Detection and Response)
- EDR (Endpoint Detection and Response)
- SIEM (Security Information and Event Management)