Indicator of compromise

From HandWiki
Short description: Artifact observed on a network or in an operating system that indicates a computer intrusion


An indicator of compromise (IoC) in computer forensics is an artifact observed on a computer network or within an operating system that, with high confidence, indicates a computer intrusion.[1]

Types of indicators

Common IoCs include virus signatures, suspicious IP addresses, MD5 hashes of malware files, and malicious URLs or domain names associated with botnet command and control servers. Once IoCs are identified through incident response or forensic analysis, they can be used for early detection of future attacks with intrusion detection systems and antivirus software.

Automation and sharing

Several standards and initiatives aim to automate IoC processing and sharing:

  • The Incident Object Description Exchange Format (IODEF) standardizes how incident information is described and exchanged.[2]
  • Structured Threat Information Expression (STIX) is used to represent cyber threat information.[3]

Known indicators are often exchanged within the cybersecurity industry, commonly using the Traffic Light Protocol (TLP) to indicate how information may be shared.[4] Other frameworks and standards are also used to support secure information sharing.[5][6][7][8][9][10]
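As an added example (not from the article or from any of the standards bodies it cites), the following Python builds minimal STIX 2.1 Indicator objects for the three IoC types listed above (file hash, IP address, domain) and matches them against constructed log records; the log schema, the `FIELD_MAP` path-to-field mapping and all sample values are assumptions made for illustration.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed sample values, one per IoC type named in the article; none is a real indicator.
SAMPLE_IOCS = [
    ("file:hashes.MD5", "0123456789abcdef0123456789abcdef", "sample malware hash"),
    ("ipv4-addr:value", "198.51.100.23", "sample C2 address"),
    ("domain-name:value", "c2.example.invalid", "sample C2 domain"),
]
# Constructed log records in a hypothetical normalised schema (host, dst_ip, domain, file_md5).
SAMPLE_LOGS = [
    {"host": "ws01", "dst_ip": "203.0.113.5", "domain": "www.example.com"},
    {"host": "ws02", "dst_ip": "198.51.100.23", "domain": "c2.example.invalid"},
    {"host": "ws03", "file_md5": "0123456789ABCDEF0123456789ABCDEF"},
]
# Hypothetical mapping from STIX object paths to fields of that schema.
FIELD_MAP = {"file:hashes.MD5": "file_md5", "ipv4-addr:value": "dst_ip",
             "domain-name:value": "domain"}
# Parses only the single-equality STIX pattern form that make_indicator() emits.
_PATTERN_RE = re.compile(r"^\[([\w-]+:[\w.-]+) = '([^']*)'\]$")

def make_indicator(obj_path, value, name):
    """Build a minimal STIX 2.1 Indicator object carrying a one-comparison STIX pattern."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now, "valid_from": now,
        "name": name, "indicator_types": ["malicious-activity"],
        "pattern": f"[{obj_path} = '{value}']", "pattern_type": "stix",
    }

def match_record(record, indicators):
    """Return ids of the indicators whose pattern matches one log record (case-insensitive)."""
    hits = []
    for ind in indicators:
        m = _PATTERN_RE.match(ind["pattern"])
        if not m:  # richer STIX patterns (AND/OR, ranges) are out of scope here
            continue
        obj_path, value = m.groups()
        observed = record.get(FIELD_MAP.get(obj_path, ""), "")
        if observed.lower() == value.lower():
            hits.append(ind["id"])
    return hits

def scan_logs(logs, indicators):
    """Map each matching record's host to the indicator ids it triggered."""
    return {r["host"]: h for r in logs if (h := match_record(r, indicators))}
```

Hash comparison is case-insensitive because hex digests arrive in either case from different tools; a matcher that compares them verbatim silently misses half the hits.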

References

  1. Gragido, Will (3 October 2012). "Understanding Indicators of Compromise (IoC) Part I". RSA. https://blogs.rsa.com/understanding-indicators-of-compromise-ioc-part-i/. 
  2. "The Incident Object Description Exchange Format". IETF. December 2007. https://www.ietf.org/rfc/rfc5070.txt. 
  3. "Introduction to STIX". OASIS. https://oasis-open.github.io/cti-documentation/stix/intro. 
  4. "FIRST announces Traffic Light Protocol (TLP) version 1.0". Forum of Incident Response and Security Teams. https://www.first.org/newsroom/releases/20160831. 
  5. Luiijf, Eric; Kernkamp, Allard (March 2015). "Sharing Cyber Security Information". Toegepast Natuurwetenschappelijk Onderzoek. https://publications.tno.nl/publication/34616508/oLyfG9/luiijf-2015-sharing.pdf. 
  6. Stikvoort, Don (11 November 2009). "ISTLP – Information Sharing Traffic Light Protocol". National Infrastructure Security Co-ordination Centre. https://www.trusted-introducer.org/ISTLPv11.pdf. 
  7. "Development of Policies for Protection of Critical Information Infrastructures". Organisation for Economic Co-operation and Development. https://www.oecd.org/sti/40761118.pdf. 
  8. "ISO/IEC 27010:2015". International Organization for Standardization / International Electrotechnical Commission. November 2015. https://www.iso.org/standard/68427.html. 
  9. "Traffic Light Protocol (TLP) Definitions and Usage". United States Department of Homeland Security. https://www.us-cert.gov/tlp. 
  10. "Traffic Light Protocol". Centre for Critical Infrastructure Protection. http://www.ccip.govt.nz/incidents/tlp.html.