What is an IOC (Indicator of Compromise)?
An IOC, or Indicator of Compromise, is a technical trace or piece of evidence that points to a possible security incident, such as a malware infection, data breach or cyberattack.
IOCs help security teams, such as a CSIRT or CERT, to:
- Detect attacks
- Stop their spread
- Determine root causes
- Clean up affected systems
🧱 Examples of IOCs
| IOC type | Example |
|---|---|
| IP address | Traffic flow to a suspicious IP (e.g. 198.51.100.42) |
| Domain name / URL | Connection to malicious-update[.]net |
| Hash value | SHA-256 of malicious files or scripts |
| File path | C:\Users\Public\svchost.exe (malware) |
| Registry entries | Suspicious modifications to Windows Registry |
| Email indicators | Phishing via suspicious sender or subject |
| User behaviour | Login outside business hours from an unknown location |
| SCADA/OT-specific | Unexpected setpoint change, communication with an unknown PLC |
🔍 IOCs in OT environments
IOCs are not only relevant for IT, but also for industrial networks, such as:
- Traffic between SCADA and unknown external IP addresses
- Setpoint changes outside an authorised session
- A previously inactive PLC suddenly becoming active
- Firmware updates without planning or documentation
- Newly created users on HMI systems
🔧 In combination with SIEM, IDS or asset monitoring tools, IOCs can be detected and investigated automatically.
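As an added illustration of that automated matching (example code written for this page, not part of the original), the snippet below runs constructed log events against the IOC types from the table above plus two of the OT behaviour rules (setpoint change outside an authorised session, login outside business hours). The IOC values reuse the page's own examples; the session ids, event layout and business hours are assumptions.

```python
from datetime import datetime

# Constructed IOC list: the IP, domain and path are the page's own table examples.
IOCS = {
    "ip": {"198.51.100.42"},
    "domain": {"malicious-update.net"},
    "path": {r"c:\users\public\svchost.exe"},
}
AUTHORISED_SESSIONS = {"maint-2024-0412"}  # constructed ids of planned OT maintenance sessions
BUSINESS_HOURS = range(7, 19)              # 07:00 to 18:59 counts as normal working time

def refang(indicator: str) -> str:
    """Normalise a defanged indicator such as malicious-update[.]net so it can be matched."""
    return indicator.replace("[.]", ".").lower()

def match_event(event: dict) -> list[str]:
    """Return the IOC and behaviour hits for one parsed event; an empty list means clean."""
    hits = []
    if event.get("dst_ip") in IOCS["ip"]:
        hits.append(f"traffic to known bad IP {event['dst_ip']}")
    if refang(event.get("domain", "")) in IOCS["domain"]:
        hits.append(f"connection to known bad domain {event['domain']}")
    if event.get("path", "").lower() in IOCS["path"]:
        hits.append(f"suspicious file path {event['path']}")
    # OT rule from the page: a setpoint write that is not tied to an authorised session
    if event.get("action") == "setpoint_write" and event.get("session") not in AUTHORISED_SESSIONS:
        hits.append(f"setpoint change on {event['plc']} outside authorised session")
    # Behaviour rule from the page: login outside business hours
    if event.get("action") == "login":
        hour = datetime.fromisoformat(event["time"]).hour
        if hour not in BUSINESS_HOURS:
            hits.append(f"login by {event['user']} at {event['time']} outside business hours")
    return hits

def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each event id to its hits, keeping only events that triggered something."""
    return {e["id"]: hits for e in events if (hits := match_event(e))}

# Constructed sample events in the shape a log parser would hand to a SIEM rule engine.
SAMPLE_EVENTS = [
    {"id": "e1", "action": "net", "dst_ip": "198.51.100.42", "domain": "malicious-update[.]net"},
    {"id": "e2", "action": "setpoint_write", "session": "op-shift-b", "plc": "PLC-07"},
    {"id": "e3", "action": "login", "time": "2024-04-12T03:15:00", "user": "hmi-admin"},
    {"id": "e4", "action": "login", "time": "2024-04-12T10:00:00", "user": "operator1"},
    {"id": "e5", "action": "file", "path": r"C:\Users\Public\svchost.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` flags e1, e2, e3 and e5 and leaves the daytime login e4 alone; in a real deployment the IOC sets would be loaded from a threat-intelligence feed rather than hard-coded.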
🧠 IOC vs IOA
| IOC (Indicator of Compromise) | IOA (Indicator of Attack) |
|---|---|
| After the fact – traces of an attack | Behaviour – what the attacker is trying to do |
| For example a malware file | For example an attempted privilege escalation |
| Focused on detection | Focused on prevention or early warning |
📌 In summary
An IOC is a technical attribute pointing to a possible cyberattack or breach. It is the basis for detection, analysis and response in both IT and OT environments, and is actively used within Defense in Depth and incident detection systems such as SIEM.
