In depth
IOCs sit on a hierarchy of value sometimes called the Pyramid of Pain (David Bianco, 2013): hash values are at the bottom (trivial for attackers to change), then IP addresses (easy), then domain names (simple), then network and host artefacts (annoying), then tools (challenging), with tactics, techniques and procedures (TTPs) at the top (tough). Defenders who pivot from blocking hashes to detecting TTPs impose increasing cost on the attacker, because a hash changes with a recompile or repack while a TTP is how the adversary actually operates and is expensive to retrain out of. This is also why IOC-only detection has fundamental limits: a modern adversary rotates infrastructure faster than IOC feeds can be updated, and a defence anchored on hashes alone catches only commodity malware, and only until the next build.
The standard exchange formats are STIX 2.1 (JSON-based structured intelligence in which an IOC is an Indicator object carrying a pattern, validity window and confidence alongside its context), MISP-format JSON (the native format of MISP, the most widely deployed open-source sharing platform), and OpenIOC (legacy Mandiant XML, still seen in some pipelines). Distribution typically happens over TAXII 2.1 (the transport designed for STIX), MISP feeds and server-to-server sync, Slack or email for ad-hoc sharing among trusted communities, and vendor-specific feeds inside commercial CTI products. The major open-source IOC sources include the abuse.ch family (URLhaus for malicious URLs, MalwareBazaar for samples, ThreatFox for IOCs, Feodo Tracker for botnet C2 infrastructure), AlienVault OTX, and the feeds published by the various national CERTs.
The most important operational discipline around IOCs is hygiene: an IOC database that retains stale, expired or false-positive indicators (a dynamic IP that has since been reassigned, a domain that was a sinkhole and is now a benign site, a hash of a library that a legitimate installer also ships) produces noise that drowns the signal. Mature programmes age out IOCs aggressively with per-type lifetimes (IP addresses fastest, domains next, hashes last), attach confidence scores and expiry dates (STIX 2.1 carries `confidence` and `valid_until` on indicators for exactly this), and run periodic backtests over historical logs to retire rules whose only alerts were dispositioned as false positives.
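The following is an added example, not code from the original page or from any of the projects named above. It shows both points together: how an IOC looks inside a STIX 2.1 bundle (Indicator objects with `pattern`, `valid_from`, `valid_until` and `confidence`), and the hygiene loop that ages indicators out, backtests them against logs and retires the ones that only ever produced false positives. It uses only the Python standard library; the bundle, the log lines and the analyst verdicts are constructed, the per-type maximum ages are an illustrative policy rather than a standard, and the pattern parser handles only the single-comparison form `[object-path = 'value']` rather than the full STIX patterning grammar.

```python
"""Ingest a STIX 2.1 bundle, age out indicators and backtest them against logs."""
import re
from datetime import datetime, timezone

# Constructed inputs (not real intelligence). BUNDLE is the dict json.load()
# would return for a STIX 2.1 bundle; only the fields used below are set.
def _indicator(n, created, pattern, confidence, valid_until=None):
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": "indicator--00000000-0000-4000-8000-0000000000a%d" % n,
           "created": created, "modified": created, "valid_from": created,
           "pattern_type": "stix", "pattern": pattern, "confidence": confidence}
    if valid_until:
        obj["valid_until"] = valid_until
    return obj

BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
          "objects": [
    _indicator(1, "2024-01-05T00:00:00.000Z", "[ipv4-addr:value = '203.0.113.10']", 70,
               valid_until="2024-02-05T00:00:00.000Z"),
    _indicator(2, "2024-05-20T00:00:00.000Z", "[domain-name:value = 'cdn-update.example']", 85),
    _indicator(3, "2024-03-01T00:00:00.000Z",
               "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']", 30),
    _indicator(4, "2024-01-10T00:00:00.000Z", "[domain-name:value = 'old-sinkhole.example']", 60),
    _indicator(5, "2024-05-28T00:00:00.000Z",
               "[ipv4-addr:value = '198.51.100.7' AND network-traffic:dst_port = 4444]", 80),
]}

LOGS = [  # constructed log lines from DNS, proxy, EDR and firewall
    "2024-05-30T10:01:02Z dns host=ws-17 qname=cdn-update.example rcode=NOERROR",
    "2024-05-30T10:01:03Z proxy host=ws-17 dst=cdn-update.example status=200",
    "2024-05-31T08:15:00Z edr host=ws-22 file=setup.exe sha256=" + "ab" * 32,
    "2024-05-31T09:00:00Z fw src=10.0.0.5 dst=203.0.113.10 action=allow",
]
DISPOSITIONS = {  # constructed analyst verdicts on earlier alerts, per indicator id
    "indicator--00000000-0000-4000-8000-0000000000a2": ["tp", "tp"],
    "indicator--00000000-0000-4000-8000-0000000000a3": ["fp"],
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Illustrative policy: maximum useful age per observable type, in days.
# Dynamic IPs churn fastest, domains next; hashes never get reassigned but
# still lose relevance once the campaign is over.
MAX_AGE_DAYS = {"ipv4-addr": 30, "domain-name": 90, "file": 365}

# Toy parser: exactly one comparison of the form [object-path = 'value'].
_SIMPLE = re.compile(r"^\[\s*(?P<path>[^\s=]+)\s*=\s*'(?P<value>[^']*)'\s*\]$")

def parse_ts(ts):
    """STIX timestamps are RFC 3339 with a trailing Z; return a tz-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def extract_indicators(bundle):
    """Return (indicators, unsupported_ids); unsupported = patterns the toy parser rejects."""
    found, unsupported = [], []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = _SIMPLE.match(obj["pattern"])
        if not m:
            unsupported.append(obj["id"])
            continue
        path = m.group("path")
        found.append({
            "id": obj["id"],
            "object_type": path.split(":", 1)[0],   # ipv4-addr, domain-name, file
            "value": m.group("value"),
            "confidence": obj.get("confidence", 0),  # STIX: 0-100; absent means unknown
            "valid_from": parse_ts(obj["valid_from"]),
            "valid_until": parse_ts(obj["valid_until"]) if "valid_until" in obj else None,
        })
    return found, unsupported

def hygiene_state(ioc, now=NOW):
    """'expired' (past valid_until), 'stale' (older than the type's max age) or 'live'."""
    if ioc["valid_until"] is not None and ioc["valid_until"] <= now:
        return "expired"
    if (now - ioc["valid_from"]).days > MAX_AGE_DAYS.get(ioc["object_type"], 90):
        return "stale"
    return "live"

def backtest(iocs, log_lines):
    """Map indicator id -> indices of log lines containing its value (plain substring match)."""
    return {ioc["id"]: [i for i, line in enumerate(log_lines)
                        if ioc["value"].lower() in line.lower()] for ioc in iocs}

def triage(bundle, log_lines, dispositions, now=NOW):
    """Keep or retire each indicator. An expired IOC is retired even if it still
    matches traffic (a1 below hits a firewall line): a reassigned IP firing is
    exactly the noise hygiene exists to remove, so it goes back to review, not to prod."""
    iocs, unsupported = extract_indicators(bundle)
    hits = backtest(iocs, log_lines)
    decisions = {i: "review: unsupported pattern" for i in unsupported}
    for ioc in iocs:
        state = hygiene_state(ioc, now)
        verdicts = dispositions.get(ioc["id"], [])
        if state != "live":
            decisions[ioc["id"]] = "retire: " + state
        elif verdicts and all(v == "fp" for v in verdicts):
            decisions[ioc["id"]] = "retire: only false positives"
        elif ioc["confidence"] < 50 and not hits[ioc["id"]]:
            decisions[ioc["id"]] = "review: low confidence, no hits"
        else:
            decisions[ioc["id"]] = "keep"
    return decisions

if __name__ == "__main__":
    for ioc_id, decision in sorted(triage(BUNDLE, LOGS, DISPOSITIONS).items()):
        print(ioc_id[-2:], decision)
```

Run as a script it prints one decision per indicator: a1 is retired as expired, a2 is kept, a3 is retired because its only alert was a false positive, a4 is retired as stale, and a5 is sent to review because its multi-clause pattern is beyond the toy parser. In a real pipeline the substring match would be replaced by typed lookups against the relevant log fields, and the per-type lifetimes would come from the feed's own `valid_until` values or the team's policy.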