Executive overview
Indicators are everywhere. The “check engine” light tells you when one of your car’s systems has failed. Your cell phone alerts you when the battery is low. Your home security system sounds an alarm if it detects an intruder, and your home computer displays a warning message when a device or piece of software malfunctions. From a design perspective it seems simple: you understand what to look for and you design a monitoring control around it. But what if your task is to reliably detect intrusions within a network or operating system? What if you’re building a system to identify, with high confidence, the artifacts that indicate an intrusion? That’s not simple at all.
The term “indicator of compromise” (IOC) was first used by government organizations and defense contractors attempting to identify advanced persistent threats (APTs). Since 2007 the term has been in common use throughout the information security industry. IOCs are pieces of digital evidence suggesting that an attack may have occurred, and they are an important tool in forensic analysis following a breach.