Prevent Healthcare Data Breaches: A 12-Step Guide
Data Breach Healthcare Security
Why Is Healthcare the Most Expensive Industry for Data Breaches? If you’re trying to figure out how to prevent data …
Learn what indicators of compromise are, the different types of IOCs, and how to respond when you find them.
• Traditional IOCs are reactive - they tell you what happened after attackers got in. By then, you’re doing forensics, not prevention.
• Monitor for compromised credentials on the dark web alongside your network IOCs - threats often surface externally before attackers breach your systems.
• The Pyramid of Pain framework helps you prioritize IOCs by how difficult they are for attackers to change. Behavioral patterns hurt attackers the most.
• IOCs show what happened; indicators of attack (IOAs) catch attacks in progress. You need both.
Your security team probably thinks about indicators of compromise as forensic evidence. Something you find after attackers have already gotten in. That’s only half the story.
The average organization takes 241 days to identify and contain a breach (IBM Cost of Data Breach 2025). That’s eight months of attackers roaming your network and stealing data. By the time you find the IOCs, the damage is done.
But here’s what most security teams miss: many IOCs appear outside your network first. Stolen credentials show up on dark web marketplaces. Infostealer logs surface in Telegram channels. Session tokens get leaked before attackers even use them.
We’ll cover the IOC types that matter and how to spot threats before attackers strike.
Contents
IOCs work. But they work after the fact. By the time you find a malicious file hash or C2 beacon, attackers have already been inside for weeks or months.
Dark web monitoring and threat intelligence can catch exposed credentials before attackers use them. That’s the shift from forensics to prevention.
What Are Indicators of Compromise?
Security teams encounter IOCs daily, but telling a genuine indicator apart from normal network noise isn’t always easy.
Indicators of compromise (IOCs) are digital forensic artifacts that suggest a network or system has been breached. NIST defines IOCs as “technical artifacts or observables that suggest an attack is imminent, underway, or has already occurred.” These include file hashes, registry changes, unusual network traffic, and connections to known malicious infrastructure.
Think of IOCs as digital fingerprints left behind by attackers. Just like physical crime scenes have fingerprints and DNA evidence, cyber attacks leave traces: unusual login patterns, communication with known malicious servers, files that match known malware signatures.
The challenge? Attackers know you’re looking for these traces. They rotate infrastructure constantly and modify malware to evade hash-based detection. Many use legitimate services to blend in with normal traffic.
This cat-and-mouse game is why IOCs work best alongside a threat intelligence strategy. Relying solely on static IOCs means you’re always one step behind.
The different types of IOCs work together. No single type catches everything, so you need coverage across all of them.
What Are the Main Types of IOCs?
Some IOCs appear instantly when attackers breach your systems. Others take days or weeks to show up. Here’s what to look for across each category.
Network-Based IOCs
Network indicators often provide the first evidence of compromise, especially for C2 communication.
Unusual outbound traffic should raise immediate red flags. Large data transfers at 3 AM usually aren’t scheduled backups. Connections to servers in countries where your business doesn’t operate deserve investigation.
Suspicious DNS requests reveal attacker activity. DNS tunneling, requests to newly registered domains, and communication with known malicious infrastructure all leave traces. Many organizations miss these because they don’t log DNS queries comprehensively.
Geographic anomalies matter too. Impossible travel scenarios, where the same account logs in from two distant locations within minutes, almost always indicate credential theft.
Host-Based IOCs
What happens on individual systems tells a different story than network traffic alone.
Registry modifications frequently indicate malware persistence. Attackers love registry run keys for surviving reboots. Unexpected changes to security settings, especially disabling security tools, demand immediate investigation.
Unauthorized software appears regularly in compromised environments. This includes legitimate remote access tools like AnyDesk that attackers deploy after initial access. Just because software is legitimate doesn’t mean its presence is authorized.
Unusual process behavior catches what file scanning misses. PowerShell connecting to external IPs, Office applications spawning cmd.exe, svchost.exe running from unexpected directories. Process monitoring detects memory-only attacks that never drop files to disk.
File-Based IOCs
File indicators still work, despite their limitations.
Malicious file hashes work well for known threats. MD5, SHA-1, and SHA-256 hashes let you check files against threat intelligence feeds. The catch: attackers modify files constantly, generating new hashes that evade detection.
Suspicious file locations matter as much as the files themselves. Executables in temp folders, DLLs in user directories, scripts where scripts shouldn’t exist. Location context separates legitimate software from threats.
Unexpected encrypted files often indicate ransomware. If files suddenly have new extensions and won’t open, you’re likely dealing with ransomware. Act fast to contain it.
Behavioral IOCs
Behavioral indicators catch what static IOCs miss, particularly new attacks and living-off-the-land techniques (where attackers use legitimate system tools instead of malware).
Failed login attempts spiking across multiple accounts suggests credential stuffing. A single account with many failures might be a forgotten password. Hundreds of accounts with a few failures each? That’s an attack.
Privilege escalation patterns reveal attacker progression. Normal users don’t suddenly need domain admin rights. When accounts move beyond their usual access patterns, something’s wrong.
Database access anomalies deserve special attention. Volume spikes, queries against sensitive tables, exports to unusual destinations are all potential signs of exfiltration.
IOC types are the categories. Now let’s look at specific examples you can build detection rules around.
What Are Common Examples of Indicators of Compromise?
Here’s an indicators of compromise list grouped by detection method. These are the most critical IOCs security teams encounter in cyber security operations:
Network indicators: Unusual outbound traffic patterns (large transfers during off-hours, connections to unexpected geographic locations), DNS anomalies (queries to newly registered domains, DNS tunneling patterns), communication with known malicious IPs, and impossible travel scenarios where the same account logs in from distant locations within minutes.
Host indicators: Registry modifications (especially persistence mechanisms like run keys), unauthorized software installations (including legitimate remote access tools deployed by attackers), disabled security tools, new scheduled tasks, and processes running from unexpected locations.
Authentication indicators: Failed login spikes across multiple accounts (credential stuffing), privileged accounts accessing unusual systems, service accounts behaving like users, and administrative activities outside maintenance windows.
Data indicators: Database query volume spikes, exports of sensitive data to portable formats, mass file access to archived data, and compressed files appearing in temp directories (staging for exfiltration).
Each type needs different detection tools. Flow analysis and geographic monitoring catch network IOCs. Endpoint detection handles host IOCs. SIEM correlation ties authentication anomalies together.
These examples cover what happened. But there’s a related concept that catches what’s happening right now.
What Is the Difference Between IOCs and IOAs?
Security teams often conflate these terms, but the distinction matters for how you structure detection and response.
Indicators of attack (IOAs) identify active attack behavior in real-time, focusing on what attackers are doing rather than what they’ve left behind. While IOCs are forensic evidence of past compromise, IOAs detect attacks in progress by analyzing behavior patterns and technique sequences regardless of specific tools or infrastructure used.
Here’s the practical difference: IOCs tell you what happened. IOAs tell you what’s happening right now.
An IOC might be a specific malware hash. An IOA would be “PowerShell executing encoded commands downloaded from the internet,” which catches the technique regardless of the specific malware variant.
IOCs are reactive. You need threat intelligence telling you a specific hash or IP is malicious. If attackers use new infrastructure, IOC-based detection fails until someone identifies and shares that new indicator.
IOAs catch attacks in progress. They detect attack patterns rather than specific artifacts. Lateral movement looks similar whether attackers use Mimikatz, Rubeus, or a custom tool. Behavioral detection catches all three.
IOCs are easier to implement. Block this IP. Alert on this hash. Match this domain pattern. The logic is straightforward.
IOAs require deeper detection capabilities. You need to understand normal behavior to identify abnormal behavior. False positive tuning takes real effort.
The best security programs use both. IOCs catch known threats quickly. IOAs catch new threats and attacks using legitimate tools. Neither approach works well alone.
86% of organizations now use the MITRE ATT&CK framework (SANS 2025 CTI Survey), which maps both IOCs and IOAs to specific adversary techniques. This gives you a common language for describing threats and helps you build better detection.
Once you understand what to look for, the next question is how to find it.
How Do You Detect Indicators of Compromise?
Detection requires both the right tools and the right processes.
Security Tools for IOC Detection
SIEM platforms aggregate logs and apply detection rules. They’re essential for correlating events that individually look benign but together indicate compromise.
EDR/XDR solutions provide endpoint visibility that network monitoring can’t match. Modern platforms detect behavioral IOCs, not just file signatures.
Threat intelligence platforms turn raw IOC feeds into actionable detection rules, normalizing indicators from multiple sources and adding context about who’s behind the attacks.
Network monitoring tools catch IOCs that endpoint solutions miss, particularly for unmanaged devices and lateral movement.
External IOC Discovery
IOCs tell you what already happened. These approaches help you catch attacks before they happen.
Dark web monitoring for leaked credentials surfaces compromised passwords before attackers can use them. One in three attacks now use valid credentials as the initial access vector (IBM X-Force 2025).
Infostealer channel monitoring tracks marketplaces where malware operators sell stolen data. These logs contain session tokens and browser data that let attackers bypass MFA. Monitoring infostealer channels catches credential theft even when your security tools missed the initial infection.
Threat actor communication tracking monitors forums and Telegram channels where attackers sell stolen data and access. If your company’s data shows up, you’ll know.
The Pyramid of Pain Framework
David Bianco’s Pyramid of Pain prioritizes IOC types by how much they hurt attackers when blocked.
At the base: hash values (trivial to change) and IP addresses/domains (attackers maintain large infrastructure pools). Blocking these barely slows attackers down.
In the middle: network and host artifacts like user agents, file paths, and registry keys. Changing these requires attackers to modify tools, not just swap servers.
At the top: TTPs (tactics, techniques, and procedures). Detecting behavioral patterns forces attackers to completely change their approach. This is maximum pain.
The lesson? Invest more in behavioral detection than static indicators. Hash blocklists help, but detecting attacker behavior provides longer protection.
How Reliable Are IOCs?
IOCs are useful but imperfect. Knowing their limitations keeps you from relying on them too heavily.
Strengths: IOCs provide concrete, shareable evidence. They let you automate detection at scale and integrate easily across security tools. They support threat intelligence sharing and provide historical context for investigations.
Limitations: Static IOCs have short lifespans. Change one byte of a file and you have a new hash. Malware authors automate this, generating unique variants for every target. IP addresses and domains change constantly. False positives create alert fatigue.
Context matters. An IP flagged as malicious might host hundreds of legitimate sites (shared hosting).
IOCs alone aren’t enough. The most effective security programs combine static IOCs for known threats, behavioral detection for new attacks, threat intelligence for adversary context, and dark web monitoring to catch stolen credentials early.
When you find IOCs, how fast you respond controls how much damage attackers can do.
How Should You Respond to Indicators of Compromise?
Finding IOCs is only useful if you act on them. The gap between detection and response decides the outcome.
Incident response activation should happen immediately when high-confidence IOCs appear. Don’t wait for certainty. If you see an active C2 beacon, treat it as confirmed compromise until proven otherwise.
System isolation prevents lateral movement. Disconnect compromised systems without powering them off (preserving forensic evidence). Contain the blast radius while you investigate.
Forensic investigation maps the scope. Which systems were accessed? What data was touched? How did attackers get in? This informs both immediate response and long-term remediation.
Credential reset is often overlooked. If attackers had access, assume they harvested credentials. Reset passwords for accounts that touched compromised systems. Check if those credentials have been leaked to the dark web - if so, the breach may be wider than you think.
Post-incident IOC sharing helps the broader community. Organizations like ISACs facilitate threat intelligence sharing within industries. 84% of organizations now use MITRE ATT&CK for threat hunting (SANS 2025 CTI Survey), actively looking for IOCs rather than waiting for alerts.
Conclusion
Indicators of compromise are still core to security operations, but the approach is shifting. Traditional IOC detection waits for attackers to reach your network. External monitoring catches it earlier.
The numbers tell the story. One in three attacks use valid credentials as the way in. Infostealer malware delivered via phishing is up 84% year over year (IBM X-Force 2025). Waiting for network and host IOCs to appear means accepting months of attacker access while the evidence sits outside your network.
Dark web monitoring changes this equation. When your employees’ credentials appear on criminal marketplaces, you know immediately. When infostealer logs containing session tokens surface, you can invalidate them before attackers use them.
The most effective security programs combine internal IOC detection with external threat intelligence. They monitor both their networks and the criminal underground where attacks originate.
Check your organization’s dark web exposure to find out what attackers might already know about you.
Indicators of Compromise FAQ
Common IOC examples include unusual outbound network traffic and DNS requests to malicious domains. Failed login spikes and unexpected registry changes are common too. Suspicious file hashes and geographic access anomalies round out the list. Each indicator type needs different detection methods.
IOCs reduce breach detection time from months to hours. Without them, attackers operate undetected while stealing your data. The median dwell time is 11 days (Mandiant M-Trends 2025). IOCs also make threat intelligence sharing between organizations possible. This helps entire industries defend against common adversaries.
IOCs have real limitations you should understand. Hash-based IOCs become useless when attackers modify a single byte of malware. IP addresses and domains change constantly. The Pyramid of Pain framework shows basic IOCs are easiest to evade. Behavioral IOCs and TTPs are most reliable. They require attackers to completely change their methods.
The four main cyber threat types are malware (ransomware, trojans, spyware), social engineering (phishing, business email compromise), insider threats (malicious or negligent employees), and advanced persistent threats (nation-state actors running long-term campaigns). Each threat type produces different indicators of compromise you can detect.
Zero-day exploits target vulnerabilities unknown to the software vendor. No patch exists yet. Traditional IOCs struggle with zero-days because there’s no prior malware signature. Behavioral IOCs become critical here. Even new exploits produce detectable patterns like unusual process execution or anomalous network connections.
The three most common IOCs are unusual network traffic patterns (outbound connections to unknown destinations), authentication anomalies (failed logins, impossible travel, privilege escalation), and file-based indicators (suspicious hashes, unexpected executables). These appear across most breach types. You’ll find them regardless of attacker sophistication.
