When Indicators of Compromise (IOCs) Entered the Mainstream Enterprise

This post, published in February 2015, now captures a historical perspective at the term Indicators of Compromise (IOCs), which since then has become common to most enterprise security programs.

The need to define custom, incident-specific signatures is slowly gaining traction in the mainstream enterprise. This concept, called Indicators of Compromise (IOCs), was initially discussed by government organizations and defense contractors who were coming to terms with Advanced Persistent Threat (APT) attacks.

Madiant began popularizing the term IOC around 2007. Kris Kendall’s paper Practical Malware Analysis mentioned IOCs in the context of malware reversing at Black Hat DC 2007. For a precursor to this, see Kevin Mandia’s Foreign Attacks on Corporate America slides from Black Hat Federal 2006. At the time, few organizations saw the need to go beyond antivirus-based detection by analyzing the adversary’s artifacts to define custom host-level signatures.

By 2015, the term IOC became well-known in the infosec industry. More companies have adding malware and related analysis skills to incident response teams. As Jake Williams put it, such firms know how to examine new malware and extract IOCs. "These are then fed back into the system and scans are repeated until no new malware is found." Automated analysis products (sandboxes) started being positioned as enablers of incident response triage.

That said, the knowledge and skills for deriving and using IOCs was far from being mainstream around 2015. Anton Chuvakin highlighted the distinction between security haves and have-nots along the lines of this capability. The haves kcould reverse-engineer malware to "extract the IOCs FAST (or get those IOCs shared with you by trusted friends) and then look for them on other systems."

As of 2015, IOC techniques haven't entered the mainstream just yet. But we're heading in that direction, as more people attained forensics skills and as more tools become available for defining and making use of such custom, incident-specific signatures.

To learn how to define and make use of IOCs, take a look at:

Updated January 5, 2021
Lenny Zeltser

Did you like this?

Follow me for more of the good stuff.

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more