Topic 46

Indicators of Compromise

IOCs

An indicator of compromise is a piece of forensic evidence that a system was breached — a malicious file hash, a command-and-control domain, a suspicious registry key, an anomalous login. IOCs are the currency of detection and threat sharing, but they vary enormously in durability: an attacker changes a hash or IP in seconds, but changing their techniques is expensive.

This topic teaches how to use IOCs, the Pyramid of Pain that ranks their value, and why behavior-based detection outlasts indicator lists — the reason Chapter 10 invests in behavioral rules over indicator feeds.

Types of Indicators

Indicators come in tiers: atomic (hashes, IPs, domains), host-based (files, registry keys, mutexes, persistence entries), and behavioral (process lineage, technique patterns). Each feeds detection differently and ages differently — an atomic IP is precise but disposable, while a behavioral pattern is fuzzier but far harder for the attacker to change.

The Pyramid of Pain

The Pyramid of Pain ranks indicators by how much pain blocking them causes the attacker. Hashes are trivial to change (low pain), IPs and domains a little harder, tools harder still, and TTPs — the techniques themselves — hardest of all. Detection built on behavior and TTPs costs the attacker the most to evade and lasts the longest, which is the whole argument for climbing the pyramid.

IOCs vs IOAs

Indicators of compromise are after-the-fact artifacts; indicators of attack describe the behavior in progress — the technique regardless of the specific file. Shifting toward IOAs and behavior is what makes detection resilient, because it survives the attacker rotating their infrastructure. It is the ATT&CK-based thinking from Chapter 1 applied to detection: catch the move, not just the fingerprint.

Sharing and Consuming Threat Intel

IOCs are exchanged through feeds and standards — STIX and TAXII, MISP — so one organization's incident becomes another's detection. Consuming good intel pays off, but low-quality feeds add noise and expired indicators, so quality matters more than volume. The best use is to consume curated intel, contribute back what you find, and treat every indicator hit as the start of scoping, not the conclusion.

Atomic IOCs vs Behavioral Detection

Atomic IOCs (hash, IP, domain) — precise, easy to share and block, but attackers rotate them cheaply, so they age fast.

Behavioral / TTP detection — harder to write and tune, but costs the attacker real effort to evade and catches variants an indicator list misses. Use IOCs for fast, cheap coverage; invest in behavior for durability.

Common Mistakes
  • Building detection purely on atomic IOCs (hashes, IPs) that attackers rotate in seconds, so the coverage is stale on arrival.
  • Consuming low-quality threat feeds uncritically, flooding the SIEM with false positives and expired indicators.
  • Confusing IOCs (after the fact) with IOAs (in progress) and never investing in the behavioral detection that catches the next variant.
  • Treating an IOC hit as a complete investigation rather than a starting point that still needs scoping.
  • Chasing indicators at the bottom of the Pyramid of Pain instead of climbing toward TTPs.
Best Practices
  • Use atomic IOCs for cheap, fast blocking but climb the Pyramid of Pain toward behavior and TTP detection for durability.
  • Prefer indicators of attack (behavioral) that survive infrastructure rotation, mapped to ATT&CK techniques.
  • Consume curated threat intel (MISP, STIX/TAXII) with quality controls, and contribute back what you find.
  • Treat every indicator hit as the start of scoping, not the conclusion (Chapter 11).
  • Weight detection investment toward the durable, high-pain indicators rather than disposable hashes.
Comparable toolsStandards STIX/TAXII · MISPDetection YARA · Sigma · Pyramid of PainFramework MITRE ATT&CK — feeds Ch 10

Knowledge Check

According to the Pyramid of Pain, which indicators cost an attacker the most to evade?

  • The techniques (TTPs), since changing how they work is hard
  • File hashes, because each one is completely unique to its sample
  • IP addresses, because fresh ones are genuinely hard to obtain
  • Domain names, because each one first has to be registered

What is the difference between an IOC and an IOA?

  • An IOC is an after-the-fact artifact; an IOA is behavior
  • An IOC is purely behavioral, while an IOA is just a file hash
  • They are simply two different names for the very same thing
  • An IOA can only ever be produced after the attack has ended

Why is behavior-based detection more durable than an atomic-IOC list?

  • Hashes and domains rotate cheaply, but techniques are costly
  • Atomic IOCs simply cannot be shared between separate organizations
  • Behavioral detection reliably never produces any false positives
  • Atomic IOCs always require a sandbox in order to be used

You got correct