Indicator of compromise

From Wikipedia, the free encyclopedia

Indicator of compromise (IoC) in computer forensics is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.[1]

Types of indication

Typical IoCs are virus signatures, IP addresses, MD5 hashes of malware files, and URLs or domain names of botnet command-and-control servers. Once IoCs have been identified through incident response and computer forensics, they can be fed to intrusion detection systems and antivirus software for early detection of future attack attempts.

Automation

Several initiatives standardize the format of IoCs so that they can be processed automatically and more efficiently.[2][3] Known indicators are usually exchanged within the industry, with the Traffic Light Protocol governing how widely each indicator may be shared.[citation needed]
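The two sections above describe the cycle in practice: indicators of the usual types (hashes, IP addresses, domains, URLs) are collected into a feed, each carrying a sharing label, and then matched against logs to detect reuse of known infrastructure. The following Python is an added example written for this article, not code from Wikipedia or from any of the cited standards; the comma-separated feed format, the log line layout and all values in them are constructed for illustration, and the mapping to STIX pattern strings in `to_stix_pattern` is the example's own choice of representation. It validates feed entries, matches them against sample log lines without false hits on longer labels or IP addresses, and keeps the Traffic Light Protocol label attached to every hit.

```python
import re
from dataclasses import dataclass

# Constructed indicator feed for this example (not a real threat feed).
# One indicator per line: <type>,<value>,<TLP label>
IOC_FEED = """\
md5,0123456789abcdef0123456789abcdef,TLP:GREEN
ipv4,198.51.100.23,TLP:AMBER
domain,c2.example.net,TLP:GREEN
url,http://c2.example.net/gate.php,TLP:AMBER
"""

# Constructed log lines from a proxy, a firewall, a DNS resolver and an AV agent.
LOG_LINES = [
    "2024-01-05T10:00:01Z proxy client=10.0.0.5 url=http://c2.example.net/gate.php status=200",
    "2024-01-05T10:00:07Z fw src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow",
    "2024-01-05T10:01:00Z dns client=10.0.0.7 query=www.example.org rcode=NOERROR",
    "2024-01-05T10:02:13Z av host=ws12 file=a.exe md5=0123456789ABCDEF0123456789ABCDEF",
]


@dataclass(frozen=True)
class Indicator:
    ioc_type: str  # "md5", "ipv4", "domain" or "url"
    value: str     # normalised value (hashes, IPs, domains lower-cased; URLs kept verbatim)
    tlp: str       # Traffic Light Protocol label the feed attached to this indicator


_MD5_RE = re.compile(r"^[0-9a-f]{32}$")
_IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def _is_valid(ioc_type: str, value: str) -> bool:
    """Reject malformed feed entries so a typo in the feed cannot silently match nothing."""
    if ioc_type == "md5":
        return bool(_MD5_RE.match(value))
    if ioc_type == "ipv4":
        return bool(_IPV4_RE.match(value)) and all(int(o) <= 255 for o in value.split("."))
    if ioc_type == "domain":
        return bool(_DOMAIN_RE.match(value))
    if ioc_type == "url":
        return value.startswith(("http://", "https://"))
    return False


def parse_feed(text: str) -> list[Indicator]:
    """Parse the constructed 'type,value,tlp' feed; raises ValueError on a bad entry."""
    indicators = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != 3:
            raise ValueError(f"feed line {lineno}: expected 3 fields, got {len(parts)}")
        ioc_type, value, tlp = parts[0].lower(), parts[1], parts[2].upper()
        if ioc_type != "url":
            value = value.lower()
        if not _is_valid(ioc_type, value):
            raise ValueError(f"feed line {lineno}: malformed {ioc_type} indicator {value!r}")
        indicators.append(Indicator(ioc_type, value, tlp))
    return indicators


def match_line(line: str, indicators: list[Indicator]) -> list[Indicator]:
    """Return every indicator that appears in one log line."""
    hits = []
    lowered = line.lower()
    for ioc in indicators:
        if ioc.ioc_type == "url":
            found = ioc.value in line  # URL paths are case-sensitive: exact substring match
        elif ioc.ioc_type == "domain":
            # Allow a subdomain prefix (evil.c2.example.net) but not a longer label (notc2.example.net).
            found = re.search(r"(?<![\w-])" + re.escape(ioc.value) + r"(?![\w.-])", lowered) is not None
        else:
            # Hashes and IPs must stand alone: 198.51.100.23 must not match 198.51.100.230.
            found = re.search(r"(?<![\w.-])" + re.escape(ioc.value) + r"(?![\w.-])", lowered) is not None
        if found:
            hits.append(ioc)
    return hits


def scan(lines: list[str], indicators: list[Indicator]) -> list[tuple[int, str, str, str]]:
    """Scan all lines; returns (line index, type, value, tlp) for each hit."""
    return [(i, ioc.ioc_type, ioc.value, ioc.tlp)
            for i, line in enumerate(lines)
            for ioc in match_line(line, indicators)]


def to_stix_pattern(ioc: Indicator) -> str:
    """Render one indicator as a STIX 2.1 pattern string (the mapping here is this example's own)."""
    templates = {
        "md5": "[file:hashes.MD5 = '{v}']",
        "ipv4": "[ipv4-addr:value = '{v}']",
        "domain": "[domain-name:value = '{v}']",
        "url": "[url:value = '{v}']",
    }
    return templates[ioc.ioc_type].format(v=ioc.value.replace("'", "\\'"))


if __name__ == "__main__":
    feed = parse_feed(IOC_FEED)
    for index, ioc_type, value, tlp in scan(LOG_LINES, feed):
        print(f"line {index}: {ioc_type} {value} ({tlp})")
```

Running the block reports four hits: the proxy line matches both the domain and the URL, the firewall line matches the IP address, and the AV line matches the hash despite its upper-case spelling; the DNS query for an unrelated host matches nothing. Keeping the TLP label on each hit is what lets the output be routed correctly when it is later shared.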

References

  1. Gragido, Will (October 3, 2012). "Understanding Indicators of Compromise (IoC) Part I". RSA. Archived from the original on September 14, 2017. Retrieved June 5, 2019.
  2. "The Incident Object Description Exchange Format". RFC 5070. IETF. December 2007. Retrieved June 5, 2019.
  3. "Introduction to STIX". Retrieved June 5, 2019.