Indicators of compromise (IoCs)
Definition
Artefacts observed on a network or system that suggest an intrusion or malicious activity has occurred, such as unusual outbound connections, known-malicious file hashes, registry keys created by malware, or account logins from unexpected locations. IoCs drive the Detection and Analysis phase of the incident response lifecycle.
Related terms
- Containment strategy: A deliberate decision about how to limit an incident's spread, balancing the need to stop harm immediately against the risk of alerting...
- Decision gate: A checkpoint within a playbook at which the responder must evaluate a condition, such as whether data exfiltration has been confirmed, and...
- Eradication: The phase in which the root cause of an incident is removed from the environment: deleting malware, patching exploited vulnerabilities, revoking compromised...
- Incident response lifecycle: The structured sequence of phases NIST SP 800-61 defines for handling computer security incidents: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity....
- Incident response plan: A formal document that defines an organisation's approach to incident handling: roles and responsibilities, escalation paths, communication procedures, legal and regulatory obligations,...
- Lessons-learned meeting: A structured post-incident review, recommended by NIST within approximately two weeks of incident resolution, that examines what happened, what the response did...
- Playbook: A documented step-by-step procedure for responding to a specific type of security event. Playbooks standardise analyst behaviour, reduce response time, and ensure...
- Runbook: A technical execution document, sometimes used interchangeably with playbook but more precisely referring to the low-level commands and scripts used during a...
- SOAR: Security Orchestration, Automation and Response. A platform that can execute playbook steps automatically, such as blocking an IP address or disabling a...
- Tabletop exercise: A structured, discussion-based simulation in which team members walk through a hypothetical incident using the playbook as a guide, without touching live...
Explained in these topics
- Developing and Using Incident Response Playbooks: Observable artefacts, such as malicious IP addresses, file hashes, domain names, or registry keys, that indicate a system may have been breached. Playbooks spe...
- The NIST SP 800-61 Incident Response Lifecycle: Artefacts observed on a network or system that suggest an intrusion or malicious activity has occurred, such as unusual outbound connections, known-malicious f...