What defines an Indicator of Compromise (IOC)?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

What defines an Indicator of Compromise (IOC)?

Explanation:
An IOC is a piece of evidence that suggests a system has been compromised. It consists of observable artifacts left by attackers or generated by malicious activity, such as a known malware file hash, a domain or IP associated with a command-and-control server, unusual network patterns, a suspicious registry change, or a rogue process name. IOCs are used to detect intrusions and to bolster investigation by showing that malicious activity occurred or is underway. However, a single indicator isn’t definitive proof on its own; it becomes more compelling when multiple, related indicators align with threat intel and telemetry from the environment.

Vulnerability scan results, by contrast, identify weaknesses that could be exploited but do not prove that an attack has happened. A plan to restore systems is a recovery action, not evidence of compromise. A security policy is governance guidance, outlining rules and procedures rather than artifacts of a breach.