0 / 10 flipped
Indicator of Compromise (IoC)
Tap to reveal
Observable evidence providing high-confidence indication that a breach has occurred or is in progress. Not a general anomaly β an IoC is specific enough to conclude that an attacker likely has access. The defining phrase: "He's calling from inside the house." Examples: changed file hash values, impossible travel events, data published online. IoCs drive incident response: detection β investigation β containment. Confidence distinguishes IoCs from threat indicators: a threat indicator says "this might be bad"; an IoC says "this is bad."
Account Lockout (IoC)
Tap to reveal
An account the legitimate user did not lock is locked β indicating unauthorized login attempts against that account. Two forms: threshold-based lockout (N failed attempts β brute force IoC) and administrative disablement (someone with management access disabled it β insider threat or compromised admin IoC). Critical attack chain: lock account β call help desk impersonating the user β social engineer a password reset β log in with new credential. Defense: require out-of-band identity verification (manager approval, callback, in-person ID) for all password resets β never reset based on phone caller's self-reported identity.
Impossible Travel
Tap to reveal
Authentication IoC: same account logs in from two locations whose geographic distance cannot be covered in the time between the two logins. Detection logic: geolocate both source IPs β compute great-circle distance β divide by time delta β if implied velocity exceeds commercial aviation speed (~900 km/h), the event is flagged. Classic exam example: login from Omaha, Nebraska β 3 minutes later, login from Melbourne, Australia (14,000 km, 3 min = 282,000 km/h implied velocity). SIEM and identity providers implement this as a built-in automated rule. Response: terminate the suspicious session and force a password reset with verified identity.
Concurrent Session Usage
Tap to reveal
Same account simultaneously active from multiple locations that cannot both represent the same user. Unlike impossible travel (sequential logins with an impossible time gap), concurrent sessions are active at the same time. Detection is nuanced β legitimate concurrent sessions exist (work laptop + phone + home desktop). IoC threshold is crossed when session origins cannot all be the user's known devices, particularly for privileged accounts. Investigation: cross-correlate active sessions against the user's known device inventory. An admin account with two concurrent interactive sessions from different continents with no business justification is high-confidence credential compromise.
Blocked Content (IoC)
Tap to reveal
An attacker persistence mechanism: after gaining access, the compromised system is modified to block connections to security update endpoints, preventing patches from arriving and antivirus signatures from updating. Blocked targets: Windows Update, OS patch servers, AV vendor update servers (Symantec, CrowdStrike, Defender), anti-malware tool download sites, removal tool repositories. Common implementation: hosts file poisoned to redirect update domains to 127.0.0.1 (localhost), making them unreachable. Detection pattern: system can reach general internet but consistently fails to reach security-specific domains β a very targeted and suspicious failure pattern.
Resource Consumption (IoC)
Tap to reveal
Every attacker action produces a measurable system or network effect. Most significant: unexplained bandwidth spikes during off-hours caused by data exfiltration. A 47 GB outbound transfer from an internal database server to an unknown IP at 3 AM has no legitimate business explanation. Other forms: elevated CPU (cryptomining malware), excessive file read activity (data staging), unusual memory consumption (fileless malware). Key operational fact: the bandwidth spike is often the first visible IoC even when the compromise began weeks earlier. Forensic reconstruction should work backward from the detected spike to identify the initial access point months before.
Resource Inaccessibility (IoC)
Tap to reveal
System unavailability as a direct consequence of attacker activity. Four patterns: server crash (exploit attempt caused unhandled exception β the attack itself crashed the server); network disruption (attacker saturating bandwidth during exfiltration, or deliberate distraction); file encryption (ransomware payload activated β high-confidence critical IoC); mass account lockouts (active brute force or spraying campaign). The distraction pattern is especially important for exam: attackers deliberately create a visible disruption in one network area to draw incident response away from the actual compromise occurring elsewhere.
Out-of-Cycle Logging
Tap to reveal
Administrative activity recorded in logs at unexpected times β outside established operational schedules. In managed environments, patches deploy on scheduled maintenance windows, accounts are created during business hours, backups run on fixed overnight schedules. A patch installation log entry at 4:30 AM on a Monday when maintenance windows run Saturday nights is anomalous. Attackers with admin access operate on their own timeline, not the organization's. The most counterintuitive form: an attacker may patch the vulnerability they used to gain entry to keep competing attackers (and security teams) from using the same path β protecting their own access. SIEM temporal anomaly rules detect activity outside expected windows.
Missing Logs
Tap to reveal
Gaps in log files where entries should exist β caused by attackers deleting log evidence of their actions. Authentication logs, firewall logs, file access logs, proxy logs, and server application logs are all forensic evidence. Their absence is itself a high-confidence IoC: "no evidence of compromise" is not the same as "evidence of no compromise." Defense architecture: forward logs in real time to a write-protected SIEM the compromised host cannot reach β the attacker can delete local logs but cannot touch the remote copy. Alert trigger: configure volume alerts to fire when expected events per hour drops to zero β both service failure and log deletion produce the same symptom and both require investigation.
Published/Documented Data
Tap to reveal
Organizational data appearing publicly online β often the first indication the organization receives that a breach occurred. Three common paths: double extortion ransomware (exfiltrate data, encrypt systems, demand payment for decryption key + threaten publication); direct publication (reputational damage or ideological attack β no payment demanded, data simply released); dark web sale (credentials or data sold underground, then surface publicly when buyer publishes). External detection services: dark web monitoring, Have I Been Pwned, threat intelligence feeds. When published data is the first IoC, the breach began long before publication β forensic timeline must work backward by months, not days.