What is an Indicator of Compromise (IOC) primarily used to describe?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

What is an Indicator of Compromise (IOC) primarily used to describe?

Explanation:
Indicators of Compromise are observable artifacts that suggest a system may have been breached. They are described in a precise, standardized way so security personnel and automated tools can act on them. This includes attacker tools and tradecraft expressed in a language that humans and security systems can understand, often using boolean logic to combine indicators and detect malware or intrusions. Examples include malware file hashes, IP addresses, domain names, file names, mutexes, registry changes, and YARA rules, all used to build detections and hunt for threats.

The other options don’t fit because they describe metrics or artifacts that aren’t indicators of compromise: network bandwidth statistics are general network metrics, a timeline is a sequence of events, and an incident report template is documentation.
