Atomic, Computed, & Behavioral Indicators of Compromise (IoCs)

Chad Warner
2 min read · Oct 11, 2022


An indicator of compromise (IoC or IOC) is evidence of a past security incident: evidence that a system or network may have suffered unauthorized access by malware or by a human attacker. IoCs are used by DFIR, IR, CTI, threat hunters, and other defenders to study attacks.

The Lockheed Martin paper Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains divided IoCs into 3 types: atomic, computed, and behavioral.


Atomic IoCs

Atomic IoCs are named as such because they can’t be broken into smaller parts while retaining their meaning (based on the concept of atoms in science).

Examples: IP addresses, email addresses, vulnerability identifiers, hostnames, process names, file names, text strings, domain names.

Computed IoCs

Computed IoCs are derived from data involved in an incident rather than observed directly; they are produced by running a computation (a hash function, a pattern) over that data.

Examples: hash values, regular expressions.

Behavioral IoCs

Behavioral IoCs are descriptions of how atomic and computed IoCs were used in a compromise. They’re the tactics, techniques, and procedures (TTPs), the modus operandi, of the threat actor involved in a compromise. They’re more commonly referred to as TTPs than IoCs.

Examples:

  • The threat actor sent a Word file with a malicious macro.
  • The threat actor used a backdoor which generated network traffic matching [regular expression] at the rate of [frequency] to [IP address].
  • The threat actor sent multiple social engineering emails to sales employees to gain a foothold in the network, then made unauthorized remote desktop connections to other computers on the network.
  • The threat actor used IP addresses in [country A] to relay email through [country B] to target our HR staff with Trojaned Word docs about COVID policies, which drop backdoors that communicate with [IP address].
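The following Python script is an added example, not code from the post or from the Lockheed Martin paper. It shows how each of the three IoC types becomes a check in detection logic: atomic IoCs are exact-value lookups, computed IoCs are a SHA-256 hash and a regular expression derived from incident data, and the behavioral IoC is the second bullet above (a backdoor producing traffic matching a pattern at a fixed rate to one address). The log format, the indicator values, the sample payload and the `detect_beaconing` period/tolerance parameters are all constructed assumptions for this example.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timezone

# --- Atomic IoCs: single observables that cannot be broken down further.
# Constructed sample values (documentation ranges, not real infrastructure).
ATOMIC_IPS = {"203.0.113.45"}
ATOMIC_DOMAINS = {"update-check.example"}

# --- Computed IoCs: values derived from incident data.
# The hash is computed from a constructed payload; in a real incident it
# would be computed from the malware sample recovered from the host.
SAMPLE_PAYLOAD = b"constructed dropper payload, not a real sample\n"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}
# A regular expression describing the backdoor's check-in request.
BEACON_RE = re.compile(r"GET /api/v1/ping\?id=[0-9a-f]{16}")

# Constructed proxy-style log lines (assumed key=value format).
LOG_LINES = [
    '2022-10-11T10:00:00Z src=10.0.0.5 dst=203.0.113.45 host=update-check.example req="GET /api/v1/ping?id=0123456789abcdef"',
    '2022-10-11T10:01:00Z src=10.0.0.5 dst=203.0.113.45 host=update-check.example req="GET /api/v1/ping?id=1123456789abcdef"',
    '2022-10-11T10:02:01Z src=10.0.0.5 dst=203.0.113.45 host=update-check.example req="GET /api/v1/ping?id=2123456789abcdef"',
    '2022-10-11T10:03:00Z src=10.0.0.5 dst=203.0.113.45 host=update-check.example req="GET /api/v1/ping?id=3123456789abcdef"',
    '2022-10-11T10:03:30Z src=10.0.0.7 dst=198.51.100.20 host=www.example.org req="GET /index.html"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) req="(?P<req>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def match_atomic(event):
    """Atomic IoCs: exact lookups of the destination IP and hostname."""
    hits = []
    if event["dst"] in ATOMIC_IPS:
        hits.append(("ip", event["dst"]))
    if event["host"] in ATOMIC_DOMAINS:
        hits.append(("domain", event["host"]))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_computed(event, file_bytes=None):
    """Computed IoCs: the request regex, plus a hash of an optional file
    associated with the event (e.g. the download it fetched)."""
    hits = []
    if BEACON_RE.search(event["req"]):
        hits.append(("regex", BEACON_RE.pattern))
    if file_bytes is not None:
        digest = sha256_hex(file_bytes)
        if digest in KNOWN_BAD_SHA256:
            hits.append(("sha256", digest))
    return hits


def detect_beaconing(events, expected_period_s=60, tolerance_s=5, min_hits=3):
    """Behavioral IoC: requests matching BEACON_RE from one source to one
    destination at a roughly fixed period. Returns one finding per pair."""
    by_pair = defaultdict(list)
    for e in events:
        if BEACON_RE.search(e["req"]):
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    findings = []
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A beacon keeps its period within a small jitter window.
        if all(abs(g - expected_period_s) <= tolerance_s for g in gaps):
            findings.append({"src": src, "dst": dst, "count": len(stamps),
                             "period_s": sum(gaps) / len(gaps)})
    return findings


def triage(lines):
    """Run all three indicator tiers over raw log lines."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    return {
        "atomic": [(e["ts"].isoformat(), h) for e in events for h in match_atomic(e)],
        "computed": [(e["ts"].isoformat(), h) for e in events for h in match_computed(e)],
        "behavioral": detect_beaconing(events),
    }


if __name__ == "__main__":
    for tier, hits in triage(LOG_LINES).items():
        print(tier, hits)
```

The three tiers degrade differently when the actor adapts: changing the C2 address defeats the atomic check, recompiling the implant defeats the hash, but the regular-interval check-in survives both until the actor changes how the backdoor behaves, which is the point the Pyramid of Pain makes about the relative value of these indicators.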

Pyramid of Pain

The types of IoCs differ in their value to defenders, which I explain in more detail in my post about the Pyramid of Pain.

Additional Resources

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains [PDF]

Cybersecurity Incident & Vulnerability Response Playbooks [PDF]
