Cybersecurity

Indicator of Compromise (IoC)

Definition

An Indicator of Compromise (IoC) is a piece of forensic data, such as a file hash, IP address, or domain name, that indicates that a security breach has occurred on a system or network. It is evidence of a potential intrusion.

Why It Matters

IoCs are used by security teams and threat intelligence platforms to detect attacks. By searching logs and network traffic for known IoCs, organizations can identify compromised systems.

Contextual Example

A threat intelligence report shares the file hashes and command-and-control server IP addresses associated with a new malware strain. A security team can then scan its systems for files with those hashes, or search its network logs for any traffic going to those IPs. Any match is an IoC: evidence that the malware is present or has communicated from that system.
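The matching step described above, as an added example that is not part of the original page: a small Python IoC sweep that takes a constructed IoC set (placeholder hashes, RFC 5737 documentation IPs and an example domain, none from any real report) and runs it over constructed proxy, DNS and endpoint log lines. The function names, field layout and sample values are assumptions made for this example; the point it shows beyond the prose is the normalisation a matcher needs (hash case, trailing dots on DNS names, rejecting IP-shaped strings that are not valid addresses) so that a real indicator is not missed because a log formatted it differently.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed IoC set: placeholder values for illustration, not from any real report.
IOC_HASHES = {"3f2a9c1e5b7d4e6f8a0b1c2d3e4f5a6b3f2a9c1e5b7d4e6f8a0b1c2d3e4f5a6b"}
IOC_IPS = {"203.0.113.7", "198.51.100.23"}  # RFC 5737 documentation addresses
IOC_DOMAINS = {"c2.example.net"}

# Constructed log lines in the shape of proxy, DNS and endpoint (EDR) events.
LOG_LINES = [
    "2025-12-17T10:01:02Z proxy src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow",
    "2025-12-17T10:01:05Z dns query=C2.EXAMPLE.NET. type=A client=10.0.0.5",
    r"2025-12-17T10:02:10Z edr host=ws01 file=C:\Users\a\update.exe "
    "sha256=3F2A9C1E5B7D4E6F8A0B1C2D3E4F5A6B3F2A9C1E5B7D4E6F8A0B1C2D3E4F5A6B",
    "2025-12-17T10:03:00Z proxy src=10.0.0.6 dst=93.184.216.34 dport=443 action=allow",
]

# Candidate extractors: MD5/SHA-1/SHA-256 hex digests, dotted-quad IPv4, DNS names.
_HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b", re.IGNORECASE)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\.?", re.IGNORECASE)


@dataclass(frozen=True)
class Match:
    line_no: int   # 1-based index into the scanned lines
    kind: str      # "hash", "ip" or "domain"
    value: str     # normalised indicator that matched


def find_ioc_matches(lines, hashes=IOC_HASHES, ips=IOC_IPS, domains=IOC_DOMAINS):
    """Return every (line, indicator) hit, normalising both sides before comparing."""
    hashes = {h.lower() for h in hashes}
    domains = {d.lower().rstrip(".") for d in domains}
    matches = []
    for line_no, line in enumerate(lines, start=1):
        hits = set()
        # Hashes: logs may emit upper- or lower-case hex, so compare case-insensitively.
        for candidate in _HASH_RE.findall(line):
            value = candidate.lower()
            if value in hashes:
                hits.add(("hash", value))
        # IPs: the regex also accepts octets above 255, so validate before looking up.
        for candidate in _IPV4_RE.findall(line):
            try:
                ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if candidate in ips:
                hits.add(("ip", candidate))
        # Domains: DNS logs often record fully-qualified names with a trailing dot.
        # Non-indicator candidates such as "update.exe" are extracted but never reported.
        for candidate in _DOMAIN_RE.findall(line):
            value = candidate.lower().rstrip(".")
            if value in domains:
                hits.add(("domain", value))
        for kind, value in sorted(hits):
            matches.append(Match(line_no, kind, value))
    return matches


if __name__ == "__main__":
    for m in find_ioc_matches(LOG_LINES):
        print(f"line {m.line_no}: {m.kind} indicator {m.value}")
```

Lines 1 to 3 of the constructed log each yield one hit (an IP, a domain and a hash); line 4 is benign traffic and yields none. In practice the IoC set would be loaded from the intelligence feed and the lines streamed from a log store, but the normalisation shown here is the part that most often decides whether a sweep finds anything.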

Common Misunderstandings

  • IoCs are not predictive. They are reactive: they provide evidence that an attack has already happened or is currently in progress.
  • IoCs are not only for automated blocking. They are a key part of threat hunting and incident response, where analysts search for them to scope an intrusion.

Related Terms

Last Updated: December 17, 2025