Factsheet Indicators of Compromise

Indicators of Compromise (IoCs) are a valuable asset for observing malicious digital activities within an organisation. With IoCs, organisations can quickly gain insight, at central points in the network, into malicious digital activities. When your organisation observes these activities, it is important to know how to trace back which system is infected. Obtain as much contextual information with an IoC as possible, so that you get a clear picture of what is happening and how serious it is.

It is important to share IoCs between organisations, because doing so enables other organisations to defend themselves against similar incidents. With the Traffic Light Protocol (TLP) classification you define with whom information may be shared and how the recipients may or may not share the information further.

This factsheet describes how you can monitor for IoCs within your organisation and which steps to take when an IoC generates a hit. It also describes how to deal with the confidentiality of IoCs and how you can create IoCs yourself.

This document is currently under revision, which means that the document has not been reviewed or changed in the past year. As a result, the content of the document may not be up-to-date. The NCSC intends to update this product in the near future.