Indicator of compromise

From HandWiki

Indicator of compromise (IoC) in computer forensics is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.[1]

Types of indication

Typical IoCs are virus signatures, IP addresses, MD5 hashes of malware files, and URLs or domain names of botnet command and control servers. After IoCs have been identified through incident response and computer forensics, they can be used for early detection of future attack attempts by intrusion detection systems and antivirus software.

Automation

There are initiatives to standardize the format of IoC descriptors for more efficient automated processing.[2][3] Known indicators are usually exchanged within the industry, with the Traffic Light Protocol used to mark how widely each indicator may be shared.[4][5][6][7][8][9][10]
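The two sections above describe the whole IoC life cycle: indicators such as hashes, IP addresses and domains are distributed in a standardized format (STIX is cited above), matched against what sensors observe, and redistributed only as far as their Traffic Light Protocol colour allows. The following Python program is an added example, not code from the HandWiki article or from any STIX tooling. It ingests a small constructed feed of STIX 2.1-style indicator objects, runs them against constructed firewall, DNS and antivirus log lines, and applies TLP 1.0 sharing rules. The `tlp` field on each feed object is an assumed shorthand for STIX's marking mechanism, the indicator ids, hashes, addresses and domains are made up, and the pattern parser handles only single equality comparisons rather than the full STIX pattern language.

```python
"""Ingest a STIX-style IoC feed, match it against log observations, apply TLP.

Added example (not from the article). Feed, log lines, ids, hashes, IPs and
domains are constructed; 'tlp' is an assumed plain field, not STIX markings.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    stix_id: str
    kind: str   # "md5", "ipv4" or "domain"
    value: str
    tlp: str    # TLP 1.0 colour: WHITE, GREEN, AMBER or RED


@dataclass(frozen=True)
class Hit:
    stix_id: str
    kind: str
    value: str
    line: str


# STIX comparison paths this example understands -> observation kind.
PATH_KINDS = {
    "file:hashes.'MD5'": "md5",
    "ipv4-addr:value": "ipv4",
    "domain-name:value": "domain",
}

# Only a single equality comparison, e.g. [ipv4-addr:value = '203.0.113.77'].
PATTERN_RE = re.compile(r"^\[\s*(?P<path>[\w:.'-]+)\s*=\s*'(?P<value>[^']*)'\s*\]$")

# Constructed feed. The last object uses a compound pattern this parser does not
# support and is deliberately skipped rather than partially interpreted.
FEED = [
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[file:hashes.'MD5' = '0123456789abcdef0123456789abcdef']",
     "tlp": "GREEN"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[ipv4-addr:value = '203.0.113.77']", "tlp": "AMBER"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-000000000003",
     "pattern": "[domain-name:value = 'c2.bad-example.test']", "tlp": "WHITE"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-000000000004",
     "pattern": "[domain-name:value = 'a.test' OR domain-name:value = 'b.test']",
     "tlp": "RED"},
]

# Constructed log lines in three made-up formats (firewall, DNS, antivirus).
SAMPLE_LOGS = [
    "2019-06-05T10:01:02Z fw allow src=10.0.0.5 dst=203.0.113.77 dport=443",
    "2019-06-05T10:01:03Z fw allow src=10.0.0.5 dst=198.51.100.9 dport=443",
    "2019-06-05T10:01:05Z dns query=c2.bad-example.test from=10.0.0.5",
    "2019-06-05T10:01:05Z dns query=www.example.com from=10.0.0.7",
    "2019-06-05T10:02:00Z av md5=0123456789ABCDEF0123456789ABCDEF path=/tmp/upd.bin",
]

# Extractors for observable values in the sample log formats.
OBS_RES = {
    "ipv4": re.compile(r"\b(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})"),
    "domain": re.compile(r"\bquery=([A-Za-z0-9.-]+)"),
    "md5": re.compile(r"\bmd5=([0-9a-fA-F]{32})"),
}

# TLP 1.0: who an indicator may be forwarded to. Unknown colours map to RED.
TLP_AUDIENCE = {
    "WHITE": {"public", "community", "organization"},
    "GREEN": {"community", "organization"},
    "AMBER": {"organization"},
    "RED": set(),
}


def parse_feed(feed):
    """Turn supported STIX indicator objects into Indicator records."""
    out = []
    for obj in feed:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m or m["path"] not in PATH_KINDS:
            continue  # unsupported pattern shape: skip rather than guess
        out.append(Indicator(obj["id"], PATH_KINDS[m["path"]],
                             m["value"].lower(), obj.get("tlp", "RED")))
    return out


def extract_observations(line):
    """Yield (kind, value) pairs found in one log line; values normalised."""
    for kind, rx in OBS_RES.items():
        for value in rx.findall(line):
            yield kind, value.lower()


def match_observations(indicators, lines):
    """Exact-match every observation against the indicator set."""
    index = {(i.kind, i.value): i for i in indicators}
    hits = []
    for line in lines:
        for kind, value in extract_observations(line):
            ind = index.get((kind, value))
            if ind is not None:
                hits.append(Hit(ind.stix_id, kind, value, line))
    return hits


def shareable(indicator, audience):
    """True if TLP allows forwarding to 'public', 'community' or 'organization'."""
    return audience in TLP_AUDIENCE.get(indicator.tlp.upper(), set())


if __name__ == "__main__":
    inds = parse_feed(FEED)
    for h in match_observations(inds, SAMPLE_LOGS):
        print(f"{h.stix_id} {h.kind}={h.value} :: {h.line}")
    for i in inds:
        print(i.stix_id, i.tlp, "public-ok" if shareable(i, "public") else "restricted")
```

Hash and domain values are lower-cased on both sides before comparison so that case differences in sensor output (the antivirus line above reports the MD5 in upper case) do not cause a miss; the unsupported compound pattern is dropped outright, since silently matching only half of an `OR` would misrepresent the feed author's intent.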

References

  1. Gragido, Will (October 3, 2012). "Understanding Indicators of Compromise (IoC) Part I". RSA. http://blogs.rsa.com/understanding-indicators-of-compromise-ioc-part-i/. 
  2. "The Incident Object Description Exchange Format". RFC 5070. IETF. December 2007. https://www.ietf.org/rfc/rfc5070.txt. Retrieved 2019-06-05. 
  3. "Introduction to STIX". https://oasis-open.github.io/cti-documentation/stix/intro. Retrieved 2019-06-05. 
  4. "FIRST announces Traffic Light Protocol (TLP) version 1.0". Forum of Incident Response and Security Teams. https://www.first.org/newsroom/releases/20160831. Retrieved 2019-12-31. 
  5. Luiijf, Eric; Kernkamp, Allard (March 2015). "Sharing Cyber Security Information". Toegepast Natuurwetenschappelijk Onderzoek. https://publications.tno.nl/publication/34616508/oLyfG9/luiijf-2015-sharing.pdf. Retrieved 2019-12-31. 
  6. Stikvoort, Don (11 November 2009). "ISTLP - Information Sharing Traffic Light Protocol". National Infrastructure Security Co-ordination Centre. https://www.trusted-introducer.org/ISTLPv11.pdf. Retrieved 2019-12-31. 
  7. "Development of Policies for Protection of Critical Information Infrastructures". Organisation for Economic Co-operation and Development (OECD). https://www.oecd.org/sti/40761118.pdf. Retrieved 2019-12-31. 
  8. "ISO/IEC 27010:2015 | Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications". International Organization for Standardization/International Electrotechnical Commission. November 2015. https://www.iso.org/standard/68427.html. Retrieved 2019-12-31. 
  9. "Traffic Light Protocol (TLP) Definitions and Usage". United States Department of Homeland Security. https://www.us-cert.gov/tlp. Retrieved 2019-12-31. 
  10. "Traffic Light Protocol". Centre for Critical Infrastructure Protection. Archived from the original on 2013-02-05. https://web.archive.org/web/20130205072939/http://ccip.govt.nz/incidents/tlp.html. Retrieved 2019-12-31.