Indicators of Compromise & Indicators of Attack & Indicators of Behavior

Indicators of Compromise (IOC)

Indicators of Compromise (IOC) form the forensic evidence that suggests a system has been breached or compromised. They act as telltale artifacts, scattered across various sources such as log files, network traffic, and system memory.

Examples of IOCs include IP addresses, domain names, file hashes, and patterns of behavior.

These nuggets of evidence allow security researchers and professionals to detect known malicious activities like malware infections, phishing attempts, and ransomware attacks.

IOCs are instrumental in uncovering common attack methods, such as brute-force attacks and SQL injections.

Through collaboration and information sharing within the cybersecurity community, security teams can detect and mitigate threats more effectively.

Indicators of Attack (IOA)

Indicators of Attack (IOA) reveal the intentions and techniques employed by threat actors during a cyberattack.

Unlike IOCs that focus on specific artifacts, IOAs are concerned with patterns of behavior and the tactics, techniques, and procedures (TTPs) employed by attackers to gain unauthorized access to systems.

IOAs are proactive, and capable of identifying potential threats before they inflict significant damage.

By analyzing unusual network traffic, suspicious account activities, and unauthorized system changes, organizations can detect IOAs and take immediate action to prevent attacks.

IOAs also enable the identification of emerging threats and facilitate the adjustment of security strategies to counteract them effectively.

Indicators of Behavior (IOB)

Recently, the Open Cybersecurity Alliance announced that our Indicator of Behavior (IOB) Working Group has transitioned to an official sub-project within the Alliance. I wanted to share a little bit about this effort and explain why we want you to join us.

The main goal of the IOB effort is to create a standard way to represent cyber adversary behaviors to make it easier to:

• share repeatable sets of observed adversary behaviors spanning multiple campaigns,

• share the analytics to detect those behaviors, and

• create and share playbooks/workflows to correlate those detections.