Factsheet Indicators of Compromise

In order to observe malicious digital activities within an organisation, Indicators of Compromise (IoCs) are a valuable asset. With IoCs, organisations can gain quick insights at central points in the network into malicious digital activities. When your organisation observes these activities, it is important to know what you can do to trace back which system is infected. Obtain as much contextual information with an IoC as possible, so that you get a clear picture of what is happening and how serious this is.

It is important to share IoCs between organisations. By doing so, other organisations will be able to defend themselves against similar incidents. With the TLP classification you define with whom information may be shared and how the recipients may or may not share the information further.

This factsheet describes how you can monitor for IoCs within your organisation and which steps you take when an IoC generates a hit. This factsheet also describes how to deal with confidentiality of IoCs and how you can create IoCs yourself.

This publication is no longer actively maintained by the NCSC. The information in this publication may therefore be out of date.