Importance of IOC Detection Rules

What is an Indicator of Compromise (IOC)?

An Indicator of Compromise (IOC) is a piece of information that indicates a potential security breach or cyberattack.

An IOC can be an IP address, domain name, URL, file, registry key, or any other evidence of malicious activity, and it can be found in log files, network traffic, system memory, and other sources. IOCs are important signals that help to identify and mitigate potential threats by providing early warning signs of malicious activities.

IOCs are typically identified by cybersecurity researchers and shared with the cybersecurity community to help in the detection and mitigation of threats.

Are IOCs equal to IOAs?

An Indicator of Attack (IOA) is a possible indication that an attack is underway or might have already happened. IOAs are based on the tactics, techniques, and procedures (TTPs) used by the attackers.

An IOA can be unusual network traffic, suspicious account activity, unauthorised system changes, suspicious logins from different geographic locations, etc. IOAs are not specific artefacts; they are based on behaviour and patterns of activity.

So, yes, these two types of indicators sound similar, but they serve different purposes.

The main difference between these indicators is that the IOCs are based on known malicious activity, while IOAs are based on the tactics, techniques, and procedures used by attackers. Also, IOCs are typically reactive, while IOAs are proactive and can identify potential threats before they cause damage.

The IOCs and IOAs are both essential for the Security Operations Center (SOC) and threat intelligence.

The SOC team's daily real-time monitoring of IOC-related alerts can trigger incident response processes timeously, provided that the alerts have been confirmed as "true positives". IOC alerts can also be used to identify compromised systems and help incident response teams contain and remediate the threat.

IOAs are critical for identifying potential threats before major compromise and are the main focus of Threat Hunting teams. By identifying the tactics, techniques, and procedures used by attackers, the Threat Hunting team can implement proactive measures to prevent the attacker from realising their objectives.

Why are IOCs important?

Indicators of Compromise (IOCs) are essential because they help security teams detect and prevent the most common cyber-attacks, such as malware infections, phishing attacks, and command-and-control (C2) and botnet communications.

Key features of IOCs:

  • IOCs can be shared:

IOCs can be shared between security teams using various standardised Threat Intelligence platforms.

  • Improved detection speed:

IOCs can help improve detection accuracy and speed, as well as remediation times. If the SOC team is aware of an attack and can detect it more quickly, its impact on the business will be reduced.

IOC detection rules:

When we look at the various Threat Intelligence platforms, they have many feeds, providing the latest records of the IOCs reported across the globe. The majority of the IOCs fall into four familiar categories:


Some of the threat intelligence feeds will be dedicated to one type, while others might be covering various other types of IOCs.

It should also be mentioned that there are both open-source and commercial threat intelligence platforms and feeds, with commercial solutions generally being more capable of integrating into existing business processes.

The different IOCs are very well explained with the concept of the Pyramid of Pain (PoP):


Looking at the PoP raises a question: why do we need to worry about these IOCs if the attackers can easily adapt? There are a few answers to this:

  • Volume:

The bottom three tiers of the PoP represent around 75% of the pyramid’s volume, and this translates into a similar ratio of the real-life number of IOCs that the SOC is receiving from threat intelligence feeds. We cannot simply ignore it and just focus on the top three tiers of the PoP.

  • Capability:

If the SOC cannot reliably detect and deal with the 75% of trivial IOCs, it is very unlikely that it will have the capability to detect the other 25% of more sophisticated indicators.

The majority of modern SIEMs today have their own vendor threat intelligence feeds integrated into the SIEM, with automated updates of its correlation rules. Some of them are even flexible enough to allow integration of other threat intelligence feeds (open-source and/or commercial).

Dealing with the volume of trivial IOCs requires automation through the implementation of IOC detection rules, which monitor the logs ingested into the SIEM looking for a signature match.
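As an added example (not code from the original post), the core of such a signature-match rule in Python: a small IOC feed covering three indicator types, extractors that pull candidate values out of raw log lines, and a matcher that raises an alert only on a feed hit. The feed values, log lines and source names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample feed: indicator values are made up for this example.
IOC_FEED = {
    "ip": {"198.51.100.23"},
    "domain": {"update-check.example.net"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# One extractor per indicator type pulls candidates out of a raw log line.
# Stray candidates such as "tmp.exe" never alert unless they are in the feed.
EXTRACTORS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}

@dataclass(frozen=True)
class Alert:
    source: str     # log source the event came from
    ioc_type: str   # which feed category matched
    indicator: str  # normalised indicator value
    line: str       # the raw event, kept for the analyst

def match_line(source: str, line: str) -> list[Alert]:
    """Signature-match one log line against every IOC type in the feed."""
    alerts = []
    for ioc_type, pattern in EXTRACTORS.items():
        for candidate in pattern.findall(line):
            value = candidate.lower()  # feeds and logs differ in case; normalise first
            if value in IOC_FEED[ioc_type]:
                alerts.append(Alert(source, ioc_type, value, line))
    return alerts

def run_rule(logs: dict[str, list[str]]) -> list[Alert]:
    return [a for src, lines in logs.items() for line in lines for a in match_line(src, line)]

# Constructed sample events from three log sources (timestamps and hosts are made up).
SAMPLE_LOGS = {
    "firewall": ["2024-05-01T10:02:11Z allow src=10.0.0.5 dst=198.51.100.23 dport=443",
                 "2024-05-01T10:02:12Z allow src=10.0.0.5 dst=203.0.113.9 dport=443"],
    "dns": ["2024-05-01T10:02:10Z query host=ws-17 qname=update-check.example.net type=A"],
    "edr": ["2024-05-01T10:03:40Z process host=ws-17 image=tmp.exe "
            "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"],
}

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_LOGS):
        print(f"[{alert.source}] {alert.ioc_type} match {alert.indicator}: {alert.line}")
```

Each alert carries the source and raw line so an analyst can confirm it as a true positive before incident response is triggered.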

Structure of the IOC detection rule:





Correctly implemented IOC detection rules, coupled with automation, are necessary to improve the breadth and capability of modern SOC teams. They take some of the strain off the SOC analysts and threat hunters, allowing them to focus on the most important IOAs found in the top three tiers of the Pyramid of Pain (PoP).