Atomic, Computed, & Behavioral Indicators of Compromise (IoCs)

An indicator of compromise (IoC or IOC) is a piece of evidence that a system or network has been, or may have been, compromised: an artifact left behind when malware or a human intruder gained unauthorized access. IoCs are used by DFIR, CTI, threat hunting, and other defensive teams to detect and study attacks.

The Lockheed Martin paper Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains divides IoCs into three types: atomic, computed, and behavioral.


Atomic IoCs

Atomic IoCs are named as such because they can't be broken into smaller parts while retaining their meaning in the context of an intrusion (similar to atoms in chemistry). A single atomic IoC can be matched on its own, with no computation or surrounding context.

Examples: IP addresses, email addresses, vulnerability identifiers, hostnames, process names, file names, text strings, domain names.

Computed IoCs

Computed IoCs are derived from data involved in an incident rather than observed directly: a hash is computed from a captured malware sample, and a regular expression is written to generalize strings or traffic seen during the intrusion.

Examples: hash values, regular expressions.

Behavioral IoCs

Behavioral IoCs are collections of atomic and computed IoCs, often qualified by quantity or timing, that describe how those indicators were used in a compromise. They're the tactics, techniques, and procedures (TTPs), the modus operandi, of the threat actor involved, and in practice they're more commonly referred to as TTPs than as IoCs.

Examples:

  • The threat actor sent a Word file with a malicious macro.
  • The threat actor used a backdoor which generated network traffic matching [regular expression] at the rate of [frequency] to [IP address].
  • The threat actor sent multiple social engineering emails to sales employees to gain a foothold in the network, then made unauthorized remote desktop connections to other computers on the network.
  • The threat actor used IP addresses in [country A] to relay email through [country B] to target our HR staff with Trojaned Word docs about COVID policies, which drop backdoors that communicate with [IP address].
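The second example above is really a rule built from one atomic indicator (the destination IP), one computed indicator (the regular expression), and a frequency qualifier. The following script is an added example, not code from the original post or from the Lockheed Martin paper; it encodes each of the three IoC types as data and runs them over a constructed proxy log. The IP addresses (RFC 5737 documentation ranges), the "dropper" bytes, the URI regex and the log lines are all made up for the example.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: none of these indicators come from a real incident.
SAMPLE_DROPPER = b"MZ\x90\x00constructed dropper bytes"

# Atomic IoC: a single value that means something on its own.
ATOMIC_IOCS = {
    "dst_ip": {"203.0.113.45"},
}

# Computed IoCs: derived from incident data (a file hash, a regex over URIs).
COMPUTED_IOCS = {
    "sha256": {hashlib.sha256(SAMPLE_DROPPER).hexdigest()},
    "uri_regex": re.compile(r"^/ping\?id=[0-9a-f]{16}$"),
}

# Behavioral IoC: "traffic matching [regex] at the rate of [frequency] to
# [IP address]" = atomic + computed indicators qualified by quantity and time.
BEHAVIORAL_RULE = {
    "dst_ip": "203.0.113.45",
    "uri_regex": COMPUTED_IOCS["uri_regex"],
    "min_hits": 3,
    "window": timedelta(minutes=10),
}

# Constructed proxy log: "<timestamp> <src_ip> <dst_ip> <uri>" per line.
SAMPLE_LOG = """\
2024-05-01T09:00:05 10.0.0.7 203.0.113.45 /ping?id=0123456789abcdef
2024-05-01T09:03:05 10.0.0.7 203.0.113.45 /ping?id=0123456789abcdef
2024-05-01T09:06:05 10.0.0.7 203.0.113.45 /ping?id=0123456789abcdef
2024-05-01T09:07:00 10.0.0.9 203.0.113.45 /index.html
2024-05-01T12:00:00 10.0.0.9 198.51.100.2 /ping?id=0123456789abcdef
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, uri = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "uri": uri})
    return events


def match_atomic(events):
    """Atomic match: every event whose destination is a listed IP."""
    return [e for e in events if e["dst"] in ATOMIC_IOCS["dst_ip"]]


def match_computed_hash(data):
    """Computed match: SHA-256 of the bytes is in the indicator set."""
    return hashlib.sha256(data).hexdigest() in COMPUTED_IOCS["sha256"]


def match_computed_regex(events):
    """Computed match: the request URI matches the derived regex."""
    return [e for e in events if COMPUTED_IOCS["uri_regex"].match(e["uri"])]


def match_behavioral(events, rule=BEHAVIORAL_RULE):
    """Behavioral match: a source host that hits rule['dst_ip'] with a URI
    matching rule['uri_regex'] at least rule['min_hits'] times within
    rule['window']. Returns the sorted list of offending source IPs."""
    hits = defaultdict(list)
    for e in events:
        if e["dst"] == rule["dst_ip"] and rule["uri_regex"].match(e["uri"]):
            hits[e["src"]].append(e["ts"])
    flagged = []
    n = rule["min_hits"]
    for src, stamps in hits.items():
        stamps.sort()
        # Sliding window: any n consecutive hits spanning <= window qualifies.
        for i in range(len(stamps) - n + 1):
            if stamps[i + n - 1] - stamps[i] <= rule["window"]:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("atomic hits:", len(match_atomic(evs)))                     # 4
    print("regex hits:", len(match_computed_regex(evs)))               # 4
    print("dropper hash match:", match_computed_hash(SAMPLE_DROPPER))  # True
    print("beaconing hosts:", match_behavioral(evs))                   # ['10.0.0.7']
```

Note the difference in precision: the atomic IP match fires on every connection to 203.0.113.45, including 10.0.0.9's single visit to /index.html, and the regex alone also fires on 10.0.0.9's one-off request to an unrelated host. Only the behavioral rule, which combines both indicators and requires three hits inside ten minutes, isolates the beaconing host 10.0.0.7. That combination is also why behavioral indicators are harder for an attacker to change than any single atomic or computed value.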

Pyramid of Pain

The types of IoCs differ in their value to defenders, which I explain in more detail in my post about the Pyramid of Pain.

Additional Resources

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains [PDF]

Cybersecurity Incident & Vulnerability Response Playbooks [PDF]

Chad Warner