Indicator of compromise

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Indicator of compromise (IoC) in computer forensics is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.[1]

Types of indication[edit]

Typical IoCs are virus signatures and IP addresses, MD5 hashes of malware files, or URLs or domain names of botnet command and control servers. After IoCs have been identified via a process of incident response and computer forensics, they can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.

Automation[edit]

There are initiatives to standardize the format of IoC descriptors for more efficient automated processing.[2][3] Known indicators are usually exchanged within the industry, where the Traffic Light Protocol is being used.[4][5][6][7][8][9][10]

See also[edit]

References[edit]

  1. ^ Gragido, Will (October 3, 2012). "Understanding Indicators of Compromise (IoC) Part I". RSA. Archived from the original on September 14, 2017. Retrieved June 5, 2019.
  2. ^ "The Incident Object Description Exchange Format". RFC 5070. IETF. December 2007. Retrieved 2019-06-05.
  3. ^ "Introduction to STIX". Retrieved 2019-06-05.
  4. ^ "FIRST announces Traffic Light Protocol (TLP) version 1.0". Forum of Incident Response and Security Teams. Retrieved 2019-12-31.
  5. ^ Luiijf, Eric; Kernkamp, Allard (March 2015). "Sharing Cyber Security Information" (PDF). Global Conference on CyberSpace 2015. Toegepast Natuurwetenschappelijk Onderzoek. Retrieved 2019-12-31.
  6. ^ Stikvoort, Don (11 November 2009). "ISTLP - Information Sharing Traffic Light Protocol" (PDF). Trusted Introducer. National Infrastructure Security Co-ordination Centre. Retrieved 2019-12-31.
  7. ^ "Development of Policies for Protection of Critical Information Infrastructures" (PDF). Organisation for Economic Co-operation and Development (OECD). Retrieved 2019-12-31.
  8. ^ "ISO/IEC 27010:2015 [ISO/IEC 27010:2015] | Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications". International Organization for Standardization/International Electrotechnical Commission. November 2015. Retrieved 2019-12-31.
  9. ^ "Traffic Light Protocol (TLP) Definitions and Usage". United States Department of Homeland Security. Retrieved 2019-12-31.
  10. ^ "Traffic Light Protocol". Centre for Critical Infrastructure Protection. Archived from the original on 2013-02-05. Retrieved 2019-12-31.