When Indicators of Compromise (IOCs) Entered the Mainstream Enterprise

This post, published in February 2015, now captures a historical perspective at the term Indicators of Compromise (IOCs), which since then has become common to most enterprise security programs.

The need to define custom, incident-specific signatures is slowly gaining traction in the mainstream enterprise. This concept, called Indicators of Compromise (IOCs), was initially discussed by government organizations and defense contractors who were coming to terms with Advanced Persistent Threat (APT) attacks.

Madiant began popularizing the term IOC around 2007. Kris Kendall’s paper Practical Malware Analysis mentioned IOCs in the context of malware reversing at Black Hat DC 2007. For a precursor to this, see Kevin Mandia’s Foreign Attacks on Corporate America slides from Black Hat Federal 2006. At the time, few organizations saw the need to go beyond antivirus-based detection by analyzing the adversary’s artifacts to define custom host-level signatures.

By 2015, the term IOC became well-known in the infosec industry. More companies have adding malware and related analysis skills to incident response teams. As Jake Williams put it, such firms know how to examine new malware and extract IOCs. “These are then fed back into the system and scans are repeated until no new malware is found.” Automated analysis products (sandboxes) started being positioned as enablers of incident response triage.

That said, the knowledge and skills for deriving and using IOCs was far from being mainstream around 2015. Anton Chuvakin highlighted the distinction between security haves and have-nots along the lines of this capability. The haves kcould reverse-engineer malware to “extract the IOCs FAST (or get those IOCs shared with you by trusted friends) and then look for them on other systems.”

As of 2015, IOC techniques haven’t entered the mainstream just yet. But we’re heading in that direction, as more people attained forensics skills and as more tools become available for defining and making use of such custom, incident-specific signatures.

To learn how to define and make use of IOCs, take a look at:

Updated

About the Author

Lenny Zeltser develops teams, products, and programs that use information security to achieve business results. He is presently the CISO at Axonius and an author and instructor at SANS Institute. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more