Cyber Security: What Is an IOC?

August 26, 2022
Indicators of compromise (IOC) on a laptop

Every day, businesses and individuals are at risk for cyber security breaches and attacks. Cyber criminals are only increasing their attacks and making them harder and harder to detect in time to stop. But no matter how hard these attackers work, there is no way the attack can be completely invisible or undetectable. Everything they do in a network will leave a trace of some kind behind. These traces are called indicators of compromise (IoC). 


What Is an IoC? 

Indicators of compromise (IoC's) are signs an attacker leaves and the clues that can help show what an attacker was trying to accomplish. Any time an attacker attempts to breach a network, they'll leave digital footprints that can point to what malware or tech has been used, why the attack was initiated, and potentially what information the attacker was targeting. Businesses can examine for any potential IoC cyber security breaches at any point to see how security measures are performing, or they might only pull the information after a notification of suspicious activity. However a company uses IoC, they can provide insights into how security is performing and if extra protective steps need to be taken. 


Indicators of Attack vs. Indicators of Compromise

Oftentimes, people use indicators of attack and indicators of compromise interchangeably, but they do have their differences. Indicators of attack are traces left during a cyber attack. Businesses will use them to determine if there is a current attack happening and the extent to which the attack has compromised the system. Indicators of attack are also highly focused on the intent of the attacker. When a network or system is under attack, it's crucial to determine exactly what an attacker wants. On the other hand, indicators of compromise can show that a system has been breached in some way but that hasn't yet developed into a full attack. 


A good way to understand the difference between indicators of attack and indicators of compromise is to consider how IoC and IoA might look like for a physical break-in. If a burglar wanted to rob a bank, they would probably gather information, stake out and watch the site, frequent the nearby area, find the best access points, and more. Signs of the burglar "casing the joint" would be indicators of compromise. Then when the burglar actually enters the bank vault and begins removing valuables, the signs they leave would be indicators of an attack, and the most important focus for the bank would be to minimize the damage. Security for both of these types of indicators is important to fully protect a system. 


What Are Indicators of Compromise to Look Out For?

Overall, there are a few indicators of compromise to look out for. Businesses and individuals who see these indicators should begin taking action to prevent the potential attacker from getting any deeper into their systems. In general, these are indicators of compromise: 


  • Inhuman web traffic behavior. Attackers will often use technology to examine a site and gather information, so if a business is getting an increase in inhuman web traffic behavior, it could indicate a potential compromise. 
  • Suspicious login activity. Increased, varied, or high ranking login activity could be an indicator of a compromise in a system. 
  • Abrupt system patching. Normally system patching is a good thing, but if a company's security team isn't the one patching the system or making changes, it could be a bad sign. 
  • Any abnormalities in site usage. Abnormalities can come in a variety of ways, but if there are any types of abnormalities on a business's site, it's worth thoroughly checking. 


Watching for these indicators of compromise can help keep a business's site be better protected and prevent cyber attacks


Examples of Indicators of Compromise to Look Out For

While the indicators above are general signs to watch out for, there are some examples of how those might look in the wild. These are some examples of indicators of compromise: 


  • Outbound traffic during off-hours. If a business site is receiving a large amount of outbound traffic outside of business hours, it could be an indicator of compromise. Attackers could be located anywhere in the world and working at different times, so if there is a lot of unusual traffic or activity at off-hours, that could be an indicator to explore. 
  • High-ranking user irregularities with sensitive data. High-ranking users often have access to sensitive information, but if a business starts seeing unusual or irregular activity on these profiles, it could indicate a compromise. 
  • Activity from unusual geographic locations. Attackers could be located anywhere, so if there's an unusual spike in activity from somewhere where users normally aren't located, there could be a problem. This is especially true for small businesses since most of their activity is local. A spike in activity from a distant location could indicate a compromise. 
  • A high number of authentication failures. Attackers will often attempt to authenticate sign-ins as they figure out a way into a system, so companies may need to increase security if there's a high number of failures. 
  • High number of requests on secure files. A high number of requests for secure files could indicate that someone without access is trying to find a way to reach the secure data, and that could be an indicator of compromised security. 
  • Configuration changes. If a business notices changes in any system configurations being made without permission, it could indicate that an attacker is trying to use malware and changing the system to allow it. 
  • Changes in mobile device profiles. Mobile devices can be a weak point in a system, so changes being made for mobile device profiles could be an indicator that an attacker is trying to find access to a system. 


What to Do if Your System Is Compromised

If the indicators of compromise all point to a compromised system, what's next? Is there anything that can be done? There are a few ways to react: 


  • Increase security measures. Deploying improved and quick patches to block access and to try shutting out attackers. It would also be beneficial to tighten all endpoint security and keep a closer eye on any and all access to systems. 
  • Get a risk assessment. A real-time vulnerability scan can indicate the extent that the system has been compromised and what level of risk there is for an attack. 
  • Get cyber insurance. Cyber insurance can help protect a business or individual from the potentially damaging consequences of a cyber attack or breach. So if there's an indication that a system could be compromised, getting cyber insurance can help provide protection. 


How Acrisure Can Help

Ultimately, indicators of compromise can show a business that an attacker is potentially targeting their site for an attack. These indicators can also show where the weak points in a security system are. But at the end of the day, there is no way entirely to escape the risk of an attack. Cyber risk is something every business and individual has to deal with and can't escape. But the risk of a potential compromise doesn't have to be detrimental. 


Acrisure Cyber Services can help businesses and individuals prepare against this risk. With a free risk assessment, businesses can determine where vulnerabilities are, what indicators of compromise are present, and where they may need to protect further to keep data secure. Acrisure can also help businesses find the right cyber insurance to keep themselves protected in the case of a system compromise or cyber attack. Contact us to get started with a risk assessment and protecting your network from IoC cybersecurity problems.



The insurance products described are placed by Acrisure, LLC and/or its insurance producer affiliates. The non-insurance cybersecurity and related cyber services described are provided by Acrisure Cyber Services, LLC, an affiliate of Acrisure, LLC.


Share a Story

Have you noticed a trend in financial services? Curious how
we craft our content? Looking for Acrisure to comment in
the media?