Security breaches and incidents are a fact of life for organisations, no matter their size or line of business. They face an uphill struggle against ever-more sophisticated attackers who go to great lengths to ensure their attacks succeed. Traditional, reactive defences are not up to the task of defeating them; more advanced security techniques are needed to achieve a more proactive stance. However, too much focus is still being put on prevention. Whilst prevention is important, some attacks will always get through.
Therefore, organisations need to develop techniques for understanding the threats that they face more effectively and for providing automated countermeasures that remediate those threats. This requires greater intelligence concerning the tools, techniques and procedures used by today's sophisticated attackers, which in turn requires knowledge of the way those attackers operate. No matter how much they try to cover their tracks to avoid detection, forensic artefacts always remain that indicate an attack has occurred, along with details of the tools, techniques and procedures used. These forensic artefacts have been termed indicators of compromise (IOCs). Armed with the knowledge that IOCs provide, algorithms can be developed that look for one or more IOCs to help identify evidence of security incidents and hidden threats. This information can then be fed back into the system to determine which countermeasure is appropriate for mitigating a specific type of threat, based on policies set by the organisation.
IOCs can greatly help with triaging threats and can speed up time to discover and remediate even the most advanced, sophisticated threats. As more IOCs are developed and shared, the body of knowledge will grow and capabilities to automatically investigate and effectively remove threats will expand dramatically.
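As an added illustration (not part of the original paper), the following Python sketch shows the loop described in the two paragraphs above: a small set of constructed IOCs is matched against constructed log lines, hits are grouped per host for triage, and each hit is mapped to a countermeasure through a hypothetical organisation policy table. All indicator values, hostnames and policy actions are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample IOCs: placeholder values only (TEST-NET address,
# .invalid domain, SHA-256 of the empty string). Not real indicators.
IOCS = {
    "ipv4":   {"203.0.113.45": "known staging host"},
    "domain": {"c2.example.invalid": "beacon domain"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "dropper"},
}

# Hypothetical organisation policy: which countermeasure each IOC type triggers.
POLICY = {
    "ipv4":   "block_at_firewall",
    "domain": "sinkhole_dns",
    "sha256": "isolate_host",
}

# Extractors for the three IOC types used in this example.
PATTERNS = {
    "ipv4":   re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}

def extract_hits(line):
    """Return (host, ioc_type, value, label) for every known IOC in one log line."""
    host = line.split()[1]  # constructed log format: "<time> <host> <message>"
    hits = []
    for ioc_type, pattern in PATTERNS.items():
        for value in pattern.findall(line):
            label = IOCS[ioc_type].get(value.lower())
            if label:  # only values on the IOC list count as evidence
                hits.append((host, ioc_type, value.lower(), label))
    return hits

def triage(lines):
    """Group IOC hits per host and derive the policy countermeasures to apply."""
    per_host = defaultdict(lambda: {"hits": [], "actions": set()})
    for line in lines:
        for host, ioc_type, value, label in extract_hits(line):
            per_host[host]["hits"].append((ioc_type, value, label))
            per_host[host]["actions"].add(POLICY[ioc_type])
    return dict(per_host)

SAMPLE_LOG = [  # constructed log lines for the demonstration
    "2024-01-01T10:00:01 ws-17 dns query c2.example.invalid from 10.0.0.5",
    "2024-01-01T10:00:02 ws-17 proxy connect 203.0.113.45:443",
    "2024-01-01T10:00:03 ws-22 file created hash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2024-01-01T10:00:04 ws-30 dns query updates.example.invalid",
]
```

Running `triage(SAMPLE_LOG)` flags ws-17 (two hits, firewall block and DNS sinkhole) and ws-22 (one hit, host isolation), while ws-30 produces no hit because its domain is not on the IOC list.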
This document introduces the concept of IOCs and explains how organisations can use them for their benefit. It is intended for organisations of all sizes that wish to take a more proactive stance to remediating the threats that they face.