Indicators of Compromise (IOC) are the observable symptoms that confirm an infection or intrusion. From a network forensics perspective, they are artifacts (the remnants an intrusion leaves behind) that, when discovered on a system or network, indicate a compromise with a high degree of confidence. There are malware-specific IOC, and specialized tools such as YARA (http://plusvic.github.io/yara/) identify the presence of malware by searching for them.
Typically, IOC include known rogue IP addresses, virus signatures, MD5 hashes of malware, known bad URLs or domain names, and so on. These indicators are not equally durable: a file hash is invalidated by a single-byte change to the sample, whereas replacing an IP address or a domain costs the attacker more, so hash-only matching should be expected to miss recompiled or repacked variants.
To promote standardization, a number of open frameworks are available. However, no framework can claim to be the de facto standard. The two most important frameworks are as follows:
Indicators of compromise can include the following components:
Once identified, IOC are very effective inputs for IDS and IPS signatures and for firewall rules. Any planned incident response activity should therefore continue beyond the remediation stage: the IOC are extracted and fed back into the prevention and detection infrastructure so that the organization does not suffer a repeat of the same attack.
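The following is an added example, not code from the original text, showing the loop described above end to end: an IOC set of the kinds listed earlier (bad IPs, domains, a URL and an MD5 hash) is matched against constructed proxy log lines and a constructed file, the internal hosts that touched the indicators are listed for triage, and the network indicators are turned into firewall and IDS rules. The addresses are from the RFC 5737 documentation ranges, the hostnames use the reserved .invalid TLD, the log layout is Squid-like, and the iptables and Suricata rule text is an assumed illustration to be checked against the syntax of whatever IDS and firewall are actually deployed.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed IOC set. Addresses come from the RFC 5737 documentation ranges and
# hostnames use the reserved .invalid TLD, so nothing here is real threat data.
IOC = {
    "ip": {"203.0.113.5", "198.51.100.77"},
    "domain": {"update-check.invalid", "cdn-static.invalid"},
    "url": {"http://update-check.invalid/gate.php"},
    "md5": set(),  # filled below from the constructed sample so the block is self-consistent
}

# A constructed byte blob standing in for a file recovered from a suspect host.
SAMPLE_BYTES = b"MZ\x90\x00" + b"constructed sample, not real malware; " * 8
IOC["md5"].add(hashlib.md5(SAMPLE_BYTES).hexdigest())

# Constructed proxy log lines in a Squid-like layout:
# <timestamp> <client ip> <result/status> <method> <url> <user> <hierarchy/peer ip>
LOG_LINES = [
    "1717000001.123 10.0.0.12 TCP_MISS/200 GET http://update-check.invalid/gate.php - DIRECT/203.0.113.5",
    "1717000002.456 10.0.0.12 TCP_MISS/200 GET http://www.example.com/ - DIRECT/93.184.216.34",
    "1717000003.789 10.0.0.31 TCP_MISS/200 GET https://cdn-static.invalid/lib.js - DIRECT/198.51.100.77",
    "1717000004.000 10.0.0.44 TCP_MISS/200 GET http://intranet.example.net/ - DIRECT/10.0.0.2",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"']+")


@dataclass(frozen=True)
class Match:
    kind: str    # "ip", "domain", "url" or "md5"
    value: str   # the indicator that matched
    source: str  # log line or file label it was found in
    client: str  # internal host that touched it, "" for file matches


def scan_log_line(line: str) -> list[Match]:
    """Return every IOC hit in one log line: exact URL, URL host, and any IPv4 in the line."""
    fields = line.split()
    client = fields[1] if len(fields) > 1 else ""
    hits = []
    for url in URL_RE.findall(line):
        if url in IOC["url"]:
            hits.append(Match("url", url, line, client))
        host = urlparse(url).hostname or ""
        if host in IOC["domain"]:
            hits.append(Match("domain", host, line, client))
    for ip in IPV4_RE.findall(line):
        if ip in IOC["ip"]:
            hits.append(Match("ip", ip, line, client))
    return hits


def check_file_hash(data: bytes, label: str) -> list[Match]:
    """Hash-based IOC check: exact MD5 match only, so a one-byte change to the file defeats it."""
    digest = hashlib.md5(data).hexdigest()
    return [Match("md5", digest, label, "")] if digest in IOC["md5"] else []


def scan_all() -> list[Match]:
    """Run the network indicators over the logs and the hash indicator over the recovered file."""
    hits = []
    for line in LOG_LINES:
        hits.extend(scan_log_line(line))
    hits.extend(check_file_hash(SAMPLE_BYTES, "recovered_sample.bin"))
    return hits


def compromised_hosts(hits: list[Match]) -> list[str]:
    """Internal clients that contacted any network indicator: the responder's triage list."""
    return sorted({h.client for h in hits if h.client})


def to_prevention_rules(hits: list[Match], base_sid: int = 1000001) -> list[str]:
    """Feed network IOC back to the prevention side as iptables drops and Suricata-style alerts.
    The rule text is an assumed illustration; verify it against the IDS/firewall actually deployed."""
    rules, sid, seen = [], base_sid, set()
    for h in hits:
        if h.kind == "md5" or (h.kind, h.value) in seen:
            continue  # hashes are host-side indicators; duplicates get one rule only
        seen.add((h.kind, h.value))
        if h.kind == "ip":
            rules.append(f"iptables -A FORWARD -d {h.value} -j DROP")
            rules.append(f'alert ip any any -> {h.value} any (msg:"IOC known bad IP {h.value}"; sid:{sid}; rev:1;)')
        elif h.kind == "domain":
            rules.append(f'alert dns any any -> any any (msg:"IOC known bad domain {h.value}"; dns.query; content:"{h.value}"; nocase; sid:{sid}; rev:1;)')
        elif h.kind == "url":
            path = urlparse(h.value).path
            rules.append(f'alert http any any -> any any (msg:"IOC known bad URL {h.value}"; http.uri; content:"{path}"; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    found = scan_all()
    for h in found:
        print(f"{h.kind:6} {h.value}  <- {h.source[:60]}")
    print("hosts to triage:", compromised_hosts(found))
    print("\n".join(to_prevention_rules(found)))
```

Two of the four constructed log lines touch indicators, so two internal hosts land on the triage list, and only the network indicators are converted into rules; the hash match is reported but is of no use to a firewall. Matching is exact on purpose: a substring or wildcard match on a domain indicator would also fire on legitimate hosts that merely contain the string, which is one of the commonest sources of false positives when IOC are pushed into an IDS.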