SOC ALERT INVESTIGATION

🚨 Indicators of Compromise (IOCs)

Learn how security teams discover hidden attacks using digital evidence left behind by attackers.

🚨 SOC Alert #8472

Time:

02:17 AM

Alert:

Suspicious Outbound Connection Detected

No malware found.

No user complaints.

No obvious signs of compromise.

Investigation begins.

📖 What Is An IOC?

An Indicator of Compromise (IOC) is an observable artifact (a log entry, a file, a network connection, an account change) that suggests malicious activity may have occurred.

Evidence
Not Proof

One IOC may be harmless.

Several IOCs together often reveal a larger story.

🕵️ Investigation Board

Suspicious Login
➕ Unknown Process
➕ Strange Network Traffic
➕ New Scheduled Task
⬇️ Potential Compromise

💻 Host-Based IOCs

Evidence found directly on systems:

  • Unknown Processes
  • Unexpected Services
  • New Startup Entries
  • Unauthorized Accounts
  • File Changes
  • Security Tool Tampering

🌐 Network-Based IOCs

Evidence observed on the network:

  • Suspicious Connections
  • Unexpected DNS Requests
  • Unusual Traffic Patterns
  • Data Transfer Spikes
  • Repeated Beaconing Activity

Many compromises are discovered through network monitoring: an implant can hide from the host's own tooling, but it still has to reach attacker-controlled infrastructure, and that traffic is visible to sensors the attacker does not control.
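The "Repeated Beaconing Activity" indicator above can be turned into a concrete check. The following is an added example, not code from the original page: it runs over constructed, Zeek conn.log-style records (timestamp, source, destination, port; the addresses are from documentation ranges) and flags flows whose inter-connection gaps are suspiciously regular. The minimum connection count and the coefficient-of-variation threshold are assumptions to tune.

```python
"""Beaconing detector over constructed Zeek-style connection records.

Added example for the 'Repeated Beaconing Activity' indicator. The input
below is constructed, not a real capture; the fields mirror Zeek conn.log
(ts, id.orig_h, id.resp_h, id.resp_p) but every value is invented.
"""
import statistics
from collections import defaultdict

# Constructed sample: 10.0.0.5 contacts 203.0.113.10:443 every ~60 s with a
# little jitter (implant-like), while 10.0.0.7 browses 198.51.100.20 at
# irregular, human-like intervals. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges (RFC 5737).
SAMPLE_CONNS = [
    (1700000000.0, "10.0.0.5", "203.0.113.10", 443),
    (1700000061.2, "10.0.0.5", "203.0.113.10", 443),
    (1700000119.8, "10.0.0.5", "203.0.113.10", 443),
    (1700000181.1, "10.0.0.5", "203.0.113.10", 443),
    (1700000240.5, "10.0.0.5", "203.0.113.10", 443),
    (1700000299.7, "10.0.0.5", "203.0.113.10", 443),
    (1700000361.0, "10.0.0.5", "203.0.113.10", 443),
    (1700000420.3, "10.0.0.5", "203.0.113.10", 443),
    (1700000003.0, "10.0.0.7", "198.51.100.20", 443),
    (1700000010.0, "10.0.0.7", "198.51.100.20", 443),
    (1700000200.0, "10.0.0.7", "198.51.100.20", 443),
    (1700000205.0, "10.0.0.7", "198.51.100.20", 443),
    (1700000900.0, "10.0.0.7", "198.51.100.20", 443),
    (1700001500.0, "10.0.0.7", "198.51.100.20", 443),
    (1700001502.0, "10.0.0.7", "198.51.100.20", 443),
    (1700003000.0, "10.0.0.7", "198.51.100.20", 443),
]


def find_beacons(conns, min_connections=6, max_cv=0.2):
    """Return flows whose inter-connection intervals are suspiciously regular.

    For each (src, dst, port) flow, compute the gaps between consecutive
    connections and their coefficient of variation (stdev / mean). A machine
    on a timer keeps a tight schedule even with jitter, so the CV stays low;
    human traffic is bursty and scores high. Both thresholds are assumptions.
    """
    flows = defaultdict(list)
    for ts, src, dst, port in conns:
        flows[(src, dst, port)].append(ts)

    results = []
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            results.append({
                "flow": key,
                "connections": len(stamps),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return results


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNS):
        print(hit)
```

Only the 10.0.0.5 flow is reported. A regular interval is a clue, not proof: software updaters and monitoring agents also poll on a schedule, and an implant configured with wide jitter or long sleeps can push its CV above the threshold, so this check earns its keep when its hits are correlated with host and user evidence rather than alerted on alone.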

👤 User Behavior IOCs

  • Impossible Travel Logins
  • After-Hours Activity
  • Unexpected Privilege Changes
  • Unusual Authentication Patterns

Behavior often exposes attackers even when malware remains hidden: an attacker working with stolen credentials leaves no malicious file to find, only actions that do not fit the account's normal pattern.
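"Impossible Travel Logins" is the most mechanical of the behavior indicators, so it makes a good worked check. The following is an added example, not code from the original page: it takes constructed sign-in events (user, UTC time, and a latitude/longitude that in practice would come from a GeoIP lookup on the source address), computes the great-circle distance between each user's consecutive logins, and flags any pair that would require moving faster than an assumed speed limit.

```python
"""Impossible-travel check over constructed authentication events.

Added example for the 'Impossible Travel Logins' indicator. The events are
invented; in a real pipeline the coordinates come from a GeoIP lookup on the
source IP of each successful sign-in. The speed threshold is an assumption.
"""
import math
from datetime import datetime, timezone

# Constructed sample: (user, UTC time, city label, latitude, longitude).
SAMPLE_LOGINS = [
    ("alice", "2024-03-01T08:02:00Z", "London",    51.5074,  -0.1278),
    ("alice", "2024-03-01T08:40:00Z", "Singapore",  1.3521, 103.8198),
    ("alice", "2024-03-01T17:15:00Z", "Singapore",  1.3521, 103.8198),
    ("bob",   "2024-03-01T09:00:00Z", "Berlin",    52.5200,  13.4050),
    ("bob",   "2024-03-01T12:30:00Z", "Munich",    48.1351,  11.5820),
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins, max_speed_kmh=1000.0):
    """Flag consecutive logins per user that imply travel faster than max_speed_kmh.

    Returns one dict per flagged pair. An airliner cruises at roughly 900 km/h,
    so the assumed 1000 km/h limit leaves a margin. VPN exit nodes and mobile
    carrier NAT cause false positives; known corporate egress points should be
    allow-listed before this check is used for alerting.
    """
    by_user = {}
    for user, ts, city, lat, lon in logins:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_user.setdefault(user, []).append((when, city, lat, lon))

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if hours > 0:
                speed = dist / hours
            else:
                # Same timestamp: only impossible if the locations differ.
                speed = float("inf") if dist > 0 else 0.0
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user, "from": c1, "to": c2,
                    "distance_km": round(dist),
                    "hours": round(hours, 2),
                    "speed_kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

Alice's London-to-Singapore pair (about 10,800 km in 38 minutes) is flagged; her two Singapore logins and Bob's Berlin-to-Munich trip are not. The result is still only an indicator: the next step is to check whether the flagged session went on to do anything else on the investigation board, such as a privilege change or an unusual authentication pattern.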

🎯 Threat Hunter Mindset

Beginners Ask:

“Where is the malware?”

Threat Hunters Ask:

“What evidence suggests something is wrong?”

📅 IOC Timeline

Day 1 New Process Appears
Day 2 Unexpected DNS Requests
Day 4 Privilege Change
Day 7 Large Data Transfer
Day 8 Compromise Confirmed

Individually these events may appear normal.

Together they reveal the attack.
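The Investigation Board and the IOC Timeline both make the same point: individually weak indicators become a finding when they land on the same host inside one window. The following is an added example, not code from the original page. It runs over constructed, SIEM-style normalised events (the hosts, paths and domains are invented), groups them per host, slides a window across the timeline, and reports a host only when enough distinct indicator types, with enough combined weight, fall inside it. The indicator weights and thresholds are assumed analyst judgements, not a standard.

```python
"""Correlating weak indicators across sources into one host-level finding.

Added example for the Investigation Board and IOC Timeline sections. None of
the constructed events below is conclusive on its own; several different
indicator types on one host inside one window add up to a finding. The
records are invented and simplified from what a SIEM would normalise.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator types in the order the page's timeline shows them. Weights are
# assumed analyst judgements, not a standard scale.
WEIGHTS = {
    "new_process": 1,       # unknown binary executed (host, e.g. Sysmon Event ID 1)
    "unexpected_dns": 1,    # lookup of a never-before-seen domain (network, e.g. Zeek dns.log)
    "privilege_change": 2,  # account added to a privileged group (user behaviour)
    "scheduled_task": 2,    # new persistence entry (host)
    "large_transfer": 3,    # outbound volume far above the host's baseline (network)
}

# Constructed events: (timestamp, host, indicator_type, detail).
# WS-0412 follows the page's Day 1 / Day 2 / Day 4 / Day 7 timeline.
SAMPLE_EVENTS = [
    ("2024-03-01T02:17:00", "WS-0412", "new_process",      "C:\\Users\\Public\\update.exe"),
    ("2024-03-02T11:05:00", "WS-0412", "unexpected_dns",   "cdn-sync.example"),
    ("2024-03-04T09:48:00", "WS-0412", "privilege_change", "jdoe added to Administrators"),
    ("2024-03-07T23:30:00", "WS-0412", "large_transfer",   "1.8 GB to 203.0.113.10:443"),
    ("2024-03-03T14:00:00", "WS-0777", "new_process",      "C:\\Program Files\\Vendor\\tool.exe"),
    ("2024-03-05T08:00:00", "WS-0900", "unexpected_dns",   "newsite.example"),
    ("2024-03-20T10:00:00", "WS-0900", "scheduled_task",   "\\Microsoft\\Windows\\Cleanup"),
]


def correlate(events, window_days=7, min_types=3, min_score=5):
    """Group events per host, slide a window over each host's timeline, and
    report hosts where the distinct indicator types and their summed weight
    both cross the thresholds inside one window.

    Returns {host: {"types": [...], "score": int, "first": str, "last": str}}.
    Thresholds are assumptions; tune them against your own false-positive rate.
    """
    per_host = defaultdict(list)
    for ts, host, kind, detail in events:
        per_host[host].append((datetime.fromisoformat(ts), kind, detail))

    findings = {}
    window = timedelta(days=window_days)
    for host, evs in per_host.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            kinds = sorted({k for _, k, _ in in_window})
            score = sum(WEIGHTS[k] for k in kinds)
            if len(kinds) >= min_types and score >= min_score:
                findings[host] = {
                    "types": kinds,
                    "score": score,
                    "first": in_window[0][0].isoformat(),
                    "last": in_window[-1][0].isoformat(),
                }
                break  # one finding per host is enough; the analyst takes it from here
    return findings


if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding)
```

Only WS-0412 is reported: four indicator types spanning host, network and user evidence within seven days. WS-0777 has a single unknown process (a clue, not a story), and WS-0900's two events are fifteen days apart, so they never share a window. Shrinking the window to two days makes WS-0412 disappear as well, which is the trade-off to keep in mind: a narrow window suppresses noise but also hides a slow intrusion like the one on the page's timeline.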

🛠 IOC Investigation Toolkit

  • SIEM Platforms
  • Sysmon
  • Wireshark
  • Zeek
  • EDR Solutions
  • Windows Event Viewer
  • Threat Intelligence Platforms

The goal is to collect and correlate evidence from multiple sources.

🔺 The IOC Pyramid Concept (the Pyramid of Pain)

Simple Indicators:

  • IP Addresses
  • Domains
  • File Hashes

Stronger Indicators:

  • Behavior Patterns
  • Tactics
  • Techniques

Behavior is harder for attackers to change. A file hash changes when a single byte of the file does, and an IP address or domain can be swapped in minutes, so indicators from the bottom of the pyramid go stale quickly. A tactic or technique (say, an Office document launching a program from a user-writable folder) is tied to how the attacker works, and changing it means re-tooling and re-testing the whole intrusion.
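The pyramid's claim can be demonstrated directly. The following is an added example, not code from the original page: it runs a hash-based indicator and a behavior-based indicator over the same constructed process-creation events (fields modelled on Sysmon Event ID 1, with the executable's bytes embedded so the hash can be computed inline; a real Sysmon event carries a Hashes field instead). After the attacker rebuilds the payload with one byte changed and renames it, the hash match is gone and the behavior match is not. The file contents, paths and the behavior rule are assumptions for illustration.

```python
"""Why behavioural indicators outlast atomic ones.

Added example for the IOC Pyramid section. Two detections run over the same
constructed process-creation events (fields modelled on Sysmon Event ID 1:
Image, ParentImage, plus the image bytes so a SHA256 can be computed here).
The attacker then 'recompiles' (one byte changes) and renames the binary:
the hash match disappears, the parent/child behaviour match does not.
"""
import hashlib

# Constructed 'malicious' payload and the hash IOC derived from it.
ORIGINAL_BINARY = b"MZ\x90\x00fake-implant-v1"
KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL_BINARY).hexdigest()}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def match_hash(image_bytes, bad_hashes=KNOWN_BAD_HASHES):
    """Atomic indicator: exact SHA256 match against a blocklist."""
    return sha256_hex(image_bytes) in bad_hashes


def match_office_spawns_from_user_dir(event):
    """Behavioural indicator (assumed rule): an Office application launching
    an executable from a user-writable location, the shape of a macro-based
    dropper. Matches on the parent/child relationship and the path class,
    never on the payload's name or hash."""
    office = ("winword.exe", "excel.exe", "powerpnt.exe")
    writable = ("\\users\\public\\", "\\appdata\\", "\\temp\\")
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    image = event["Image"].lower()
    return parent in office and any(w in image for w in writable)


def evaluate(event):
    """Return which indicator families fire for one event."""
    return {
        "hash": match_hash(event["ImageBytes"]),
        "behaviour": match_office_spawns_from_user_dir(event),
    }


WINWORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"

# Constructed events. Day 1: the original payload dropped by a Word macro.
EVENT_V1 = {
    "ParentImage": WINWORD,
    "Image": "C:\\Users\\Public\\update.exe",
    "ImageBytes": ORIGINAL_BINARY,
}

# Later: the attacker changes one byte and the file name. Same technique.
EVENT_V2 = {
    "ParentImage": WINWORD,
    "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchelper.exe",
    "ImageBytes": ORIGINAL_BINARY + b"\x00",
}

# A benign install launched from Explorer, to show the rule does not fire on
# every executable under AppData.
BENIGN_EVENT = {
    "ParentImage": "C:\\Windows\\explorer.exe",
    "Image": "C:\\Users\\jdoe\\AppData\\Local\\Programs\\editor.exe",
    "ImageBytes": b"MZ\x90\x00editor",
}


if __name__ == "__main__":
    for name, ev in (("v1", EVENT_V1), ("v2", EVENT_V2), ("benign", BENIGN_EVENT)):
        print(name, evaluate(ev))
```

The hash indicator catches only the first version of the payload; the behavior rule catches both and ignores the benign launch. Hashes, IPs and domains are still worth blocking because they are cheap to deploy, but the detections that survive an attacker's next rebuild are the ones written against the technique.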

🏆 Investigation Conclusion

Finding:

No single indicator was conclusive on its own, but multiple indicators, correlated across host, network and user activity, pointed to unauthorized activity.

One IOC Is A Clue
Many IOCs Tell The Story

NEXT CHAPTER

🔬 Malware Analysis Fundamentals

Enter the malware analysis lab and learn how analysts safely investigate suspicious files, behaviors, and threats without putting systems at risk.