In cybersecurity, Indicators of Compromise (IOCs) are like breadcrumbs left behind by a digital intruder: pieces of forensic evidence that suggest a system or network has been, or is currently being, compromised. Here’s a breakdown of the different types of IOCs security professionals look for:
1. Network-Based IOCs:
These red flags live on your network and can point to suspicious activity. They include:
- Malicious IP addresses or domains: Addresses already tied to attacker infrastructure, such as command-and-control servers, phishing sites or malware distribution points. If you see traffic flowing to or from these addresses, it could be a sign of malware phoning home or attackers probing your defenses. Keep in mind that these indicators age quickly: attackers rotate infrastructure, and an IP that was malicious last month may belong to a legitimate host today.
- Unusual network traffic patterns: A sudden surge in traffic, unexpected connections to external servers, or data exfiltration attempts can all be cause for concern.
- Suspicious port activity: Different network ports handle different types of communication. Activity on ports your organization does not normally use, or traffic whose protocol does not match its port (for example, something other than TLS on 443), can be a sign of unauthorized access or malware establishing a communication channel.
2. Host-Based IOCs:
These IOCs focus on suspicious activity happening on individual devices within your network. They include:
- Unusual file activity: This could be the creation of new files with suspicious names, unexpected changes to existing files, or unauthorized file deletions.
- Changes to system configuration settings: If critical system settings are being modified, it could be a sign of tampering or malware trying to disable security features.
- Suspicious processes running: Processes that do not belong on the system, for example an unsigned binary launched from a temporary or user-writable directory, a process with an unexpected parent (an office application spawning a command shell), or a well-known system process name running from the wrong path.
3. File-Based IOCs:
These IOCs are all about suspicious files themselves. They include:
- File Hashes: A cryptographic digest (MD5, SHA-1 or SHA-256) that fingerprints a file’s exact contents. If a file on your system matches the hash of a known malicious file, it’s a big red flag. The caveat is that changing even one byte of the file produces a different hash, so a hash IOC catches only the exact sample that was reported.
- File Names: Sometimes filenames can be a giveaway. Look out for files with generic names often used by malware or files masquerading as legitimate programs with slightly altered spellings.
4. Behavioral IOCs:
These IOCs focus on how a system or user is behaving. They include:
- Unusual login attempts: Many failed logins in a short period, logins from unfamiliar locations, or attempts to reach accounts the user is not authorized to use can indicate a brute-force attack or compromised credentials. A successful login that immediately follows a burst of failures deserves particular attention.
- Odd user behavior: A user downloading unusual files, accessing unauthorized resources, or exhibiting a sudden change in activity patterns could be a sign of a compromised account.
5. Metadata IOCs:
This type of IOC focuses on the hidden details within a file. They include:
- Creation Date: A creation or modification timestamp that does not fit the file’s history, for instance a file that claims to predate the system it sits on, or timestamps that were deliberately altered to blend in with neighboring files (known as timestomping), can be suspicious.
- Author: If a file is authored by an unknown or unauthorized entity, it warrants investigation.
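To make the network-based, file-based and behavioral categories above concrete, here is an added example (not from the original post or from Gemini) that matches a small IOC set against sample data. Everything in it is constructed for illustration: the IP, domain and file name in the "feed" are placeholders drawn from documentation ranges and reserved names, the file contents are a few bytes standing in for files on disk, and the proxy and authentication log lines are made up. The hash IOC is derived from the sample bytes so the script runs offline; in practice it would arrive in the feed.

```python
"""Match a small IOC set against constructed sample data (added example)."""
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IOC "feed": placeholder values, not real threat intelligence.
IOC_IPS = {"203.0.113.45"}                  # TEST-NET-3 documentation range
IOC_DOMAINS = {"update-check.example.net"}  # reserved .example name
IOC_FILENAMES = {"svch0st.exe"}             # look-alike of the legitimate svchost.exe

# Constructed file contents standing in for files on disk.
SAMPLE_FILES = {
    "C:/Windows/Temp/svch0st.exe": b"MZ\x90\x00 constructed sample, not a real PE",
    "C:/Users/alice/report.docx": b"PK\x03\x04 constructed benign document",
}
# A hash IOC would normally come from the feed; derived here so the example is self-contained.
IOC_SHA256 = {hashlib.sha256(SAMPLE_FILES["C:/Windows/Temp/svch0st.exe"]).hexdigest()}

# Constructed proxy and authentication log lines: "timestamp source key=value ...".
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z proxy src=10.0.0.12 dst=203.0.113.45:443 host=update-check.example.net
2024-05-01T10:00:05Z proxy src=10.0.0.13 dst=93.184.216.34:443 host=www.example.com
2024-05-01T10:01:00Z auth user=bob src=198.51.100.7 result=FAIL
2024-05-01T10:01:03Z auth user=bob src=198.51.100.7 result=FAIL
2024-05-01T10:01:06Z auth user=bob src=198.51.100.7 result=FAIL
2024-05-01T10:01:09Z auth user=bob src=198.51.100.7 result=FAIL
2024-05-01T10:01:12Z auth user=bob src=198.51.100.7 result=FAIL
2024-05-01T10:01:15Z auth user=bob src=198.51.100.7 result=SUCCESS
2024-05-01T10:05:00Z auth user=alice src=10.0.0.12 result=SUCCESS
"""
LOG_LINES = SAMPLE_LOGS.strip().splitlines()

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'timestamp source k=v k=v ...' into (datetime, source, fields)."""
    ts, source, rest = line.split(" ", 2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), source, dict(KV_RE.findall(rest))


def scan_files(files, hashes=IOC_SHA256, names=IOC_FILENAMES):
    """File-based IOCs: exact SHA-256 match and file names on the watch list."""
    hits = []
    for path, data in files.items():
        if hashlib.sha256(data).hexdigest() in hashes:
            hits.append((path, "sha256 matches known-bad hash"))
        if path.rsplit("/", 1)[-1].lower() in names:
            hits.append((path, "file name on watch list"))
    return hits


def scan_network(lines, ips=IOC_IPS, domains=IOC_DOMAINS):
    """Network-based IOCs: destination IP or requested host on the block list."""
    hits = []
    for line in lines:
        _, source, f = parse_line(line)
        if source != "proxy":
            continue
        dst_ip = f.get("dst", "").rsplit(":", 1)[0]  # strip the port
        if dst_ip in ips:
            hits.append((line, f"destination {dst_ip} is a known-bad IP"))
        if f.get("host") in domains:
            hits.append((line, f"host {f['host']} is a known-bad domain"))
    return hits


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Behavioral IOC: at least `threshold` failed logins per (user, src) inside a
    sliding time window. A SUCCESS after such a burst is recorded separately, since
    that is the pattern of a guessed or stuffed credential rather than mere noise."""
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    bursts = {}
    for line in lines:
        ts, source, f = parse_line(line)
        if source != "auth":
            continue
        key = (f["user"], f["src"])
        if f["result"] == "FAIL":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                bursts.setdefault(key, {"failures": 0, "success_after_burst": False})
                bursts[key]["failures"] = len(q)
        elif f["result"] == "SUCCESS" and key in bursts:
            bursts[key]["success_after_burst"] = True
    return bursts


if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES) + scan_network(LOG_LINES):
        print("IOC match:", hit)
    for key, info in detect_bruteforce(LOG_LINES).items():
        print("Brute-force burst:", key, info)
```

Note how each category fails differently: the hash check is exact and misses any modified sample, the name check is only a heuristic, and the brute-force detector depends on the threshold and window you pick, so tune those against your own baseline before alerting on them.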
By monitoring for these different types of IOCs, security professionals can identify potential threats and take action to mitigate them. Remember, IOCs are most effective when used in combination with other security measures and threat intelligence feeds.
Information generated by Google’s Gemini to answer questions I had while studying for my IBM cybersecurity certificate; please let me know if there’s anything you’d change or like to add!
