IOC Security: The role of indicators of compromise in threat detection

Wiz Experts Team
Main takeaways from IOC Security:
  • Indicators of compromise (IOCs) are pieces of evidence that demonstrate a security incident may have occurred within a system or network.

  • While IOCs are generally used to implement reactive measures, indicators of attack (IOAs) take a more proactive stance by focusing on tactics, techniques, and procedures (TTPs).

  • There are four IOC types, categorized by where they are observed in the environment: file-based, network-based, host-based, and behavioral IOCs.

  • Under the shared responsibility model, cloud-based IOCs primarily rely on atomic IOCs and behavioral IOCs.

  • Given the complexity of identifying cloud-based IOCs, many organizations use cloud provider services or third-party tools to enhance visibility.

Indicators of compromise (IOCs) signal a potential security breach, acting as digital evidence of suspicious activity within a system or a network. By providing the context that computer security incident response teams (CSIRTs) need, IOCs help businesses neutralize attacks swiftly. This digital forensic data can also come in handy during post-event analysis to pinpoint the root cause of the breach and help teams strategize precautionary measures to prevent similar attacks in the future.

Remember: Threat actors are always improving their techniques—honing the use of automation, diverse attack vectors, artificial intelligence, and sophisticated invasion techniques—to infiltrate software systems undetected and achieve their malicious goals. IBM’s Cost of a Data Breach report from 2024 says that the global average cost of a data breach has gone up by 10% from the previous year to $4.88 million, which is the highest total ever. The big lesson here? It’s better to look out for IOCs and take precautions to identify and mitigate threats at their beginning stages than to deal with attacks after the incidents escalate.

IOCs vs. IOAs

IOCs are inherently reactive, meaning that an attack has most likely taken place already. Once an IOC is identified, CSIRTs are often playing catch-up. On the other hand, indicators of attack (IOAs) are more proactive, focusing on the tactics, techniques, and procedures (TTPs) a threat actor is using, so that InfoSec teams can intervene and prevent damage while an attack is in progress.

In other words, IOCs are just one component of a broader security strategy, making it important to monitor both IOCs and IOAs for more efficient threat detection.

Figure 1: Comparing IOCs and IOAs

Types of IOCs

Organizing IOCs into different categories based on the type of evidence they provide and where they’re observed can help security teams identify threats at different stages of an attack. Here are some key types of IOCs:

1. File-based IOCs are attached to the file system in the host environment and give clues that something might be wrong. Common types of file-based IOCs include hash values (MD5, SHA256), unauthorized file modifications, and malicious scripts or droppers. Suppose a file’s hash matches a known malware signature. In such a case, it’s a strong indicator that something suspicious is going on.

File-based IOCs can be tracked using endpoint detection and response (EDR) software and sandboxing tools. EDR solutions continuously monitor endpoint devices within a network for suspicious activity, while sandboxing tools create isolated environments in which your security teams can quarantine and analyze malicious files without risking infection of the main system.

2. Network-based IOCs are anomalies detected in network traffic. Common types include:

  • Data exfiltration: Malware and/or an attacker intentionally transferring unauthorized data from an information system 

  • Command-and-control activities: Methods an attacker uses to remotely control a compromised system

  • Malicious communication with external entities, including known malicious IP addresses

  • Unusual domain queries

  • Unusual port scanning activity 

Network monitoring tools like intrusion detection systems (IDSs), network behavior anomaly detection (NBAD), and security information and event management (SIEM) systems help monitor and pick up these signs.

3. Host-based IOCs are system-level anomalies on your workstation or server. Common host-based IOCs include privilege escalation attempts, unexpected changes to registry keys or system configuration settings, and unusual process executions. 

These IOCs are typically tracked using EDR, extended detection and response (XDR), and other endpoint security solutions. XDR solutions offer even more coverage than EDRs by incorporating telemetry from multiple security layers (networks, email, cloud resources, and endpoint devices) to provide a holistic view of an attack.

4. Behavioral IOCs are patterns of user and system activity that tend to deviate from normal operations. Pinpointing them relies on observing unusual behaviors that might suggest a breach. For instance, repeated failed logins or brute force attempts, suspicious activity in privileged accounts, numerous requests for the same file, high CPU or RAM usage, requests for unauthorized sensitive data, and logins at unusual times or from unusual locations are warning signs.

User monitoring tools, such as user and entity behavior analytics (UEBA) solutions, help detect the presence of behavioral IOCs. By analyzing user behaviors and flagging anomalies, UEBA helps identify deviations that could signal security threats.

In addition to the four main types, there are others, such as atomic IOCs. These IOCs, including IP addresses and file hashes, represent low-context but quick-to-detect evidence that can help catch early signs of compromise—especially useful in cloud environments where deep host visibility is limited. While atomic IOCs provide limited context on their own, they remain foundational to threat intelligence sharing and are critical in high-velocity detection pipelines—particularly for detecting known threats across large-scale cloud environments.

Gauging the severity of IOCs

Not all IOCs are considered equal. In 2014, cybersecurity expert David Bianco introduced a conceptual model known as the Pyramid of Pain, which illustrates various types of IOCs and the relative impact they have on an attacker’s operational capabilities.

Figure 2: Pyramid of Pain (Adapted from David Bianco)

As the pyramid shows, file-based IOCs (like hash values) sit at the bottom and are low priority because they are the easiest for an attacker to invalidate: changing or recompiling the code produces a new hash, and the old indicator stops matching. As you ascend, indicators such as IP addresses and domains require more planning to modify but are still feasible to replace. At the peak of the pyramid are adversary TTPs, which are complex behavioral indicators requiring significant effort to change, making them highly useful for security teams.
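To make the four IOC types and the Pyramid of Pain ordering concrete, here is an added example (not code from the article or from Wiz) that scans constructed log records for file-based (hash), network-based (IP, domain), host-based (registry key, tool name) and behavioral (repeated failed logons) indicators, then sorts the hits so that the highest-tier indicator is triaged first. The key=value log format, the indicator values, the host names and the failed-logon threshold are all assumptions made for this example; the hash, addresses and domain are placeholders, not real IOCs.

```python
"""
Added example (not from the article): a small IOC matcher that scans constructed
log records for file-, network-, host- and behavioral indicators and ranks the
hits by Pyramid of Pain tier. Every indicator value and log line is constructed
for illustration (documentation IP ranges, a reserved TLD, placeholder hash).
"""
from collections import Counter

# Pyramid of Pain tiers, ordered from cheapest for an attacker to change (hash)
# to most expensive (TTPs, i.e. behavior).
PAIN_TIERS = ["hash", "ip", "domain", "host_artifact", "tool", "ttp"]

# Constructed indicator set keyed by tier (placeholders, not real IOCs).
IOC_SET = {
    "hash": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "ip": {"203.0.113.45"},                  # TEST-NET-3 documentation range
    "domain": {"updates.example.invalid"},   # reserved TLD
    "host_artifact": {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost_upd"},
    "tool": {"mimikatz.exe"},
}

# Which log field carries which kind of atomic indicator (assumed schema).
FIELD_TO_TIER = {"sha256": "hash", "dst_ip": "ip", "qname": "domain",
                 "key": "host_artifact", "image": "tool"}

# Behavioral rule: this many failed logons for one account on one host.
FAILED_LOGON_THRESHOLD = 5

# Constructed key=value records from EDR, firewall, DNS and auth sources.
SAMPLE_LOGS = r"""
src=edr host=ws-101 event=file_write path=C:\Users\a\Downloads\inv.pdf.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
src=fw host=ws-101 event=conn dst_ip=203.0.113.45 dst_port=443
src=dns host=ws-101 event=query qname=updates.example.invalid
src=edr host=ws-101 event=reg_set key=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost_upd
src=edr host=ws-101 event=process image=mimikatz.exe
src=auth host=dc-1 event=logon_failed user=j.doe
src=auth host=dc-1 event=logon_failed user=j.doe
src=auth host=dc-1 event=logon_failed user=j.doe
src=auth host=dc-1 event=logon_failed user=j.doe
src=auth host=dc-1 event=logon_failed user=j.doe
src=auth host=dc-1 event=logon_failed user=j.doe
src=fw host=ws-102 event=conn dst_ip=198.51.100.7 dst_port=443
src=auth host=dc-1 event=logon_failed user=m.lee
"""


def parse_record(line):
    """Parse one 'k=v k=v ...' line into a dict (values contain no spaces here)."""
    rec = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    return rec


def match_atomic(rec):
    """Return (tier, value) for each field whose value is in the indicator set."""
    return [(tier, rec[field]) for field, tier in FIELD_TO_TIER.items()
            if field in rec and rec[field] in IOC_SET[tier]]


def match_behavioral(records):
    """Flag (host, user) pairs at or above the failed-logon threshold; TTP tier."""
    failures = Counter((r["host"], r["user"]) for r in records
                       if r.get("event") == "logon_failed" and "user" in r)
    return [(host, "ttp", f"brute_force user={user} failures={n}")
            for (host, user), n in failures.items() if n >= FAILED_LOGON_THRESHOLD]


def scan(log_text):
    """Match all tiers and return alerts sorted highest Pyramid of Pain tier first."""
    records = [parse_record(line) for line in log_text.strip().splitlines()]
    alerts = []
    for rec in records:
        for tier, value in match_atomic(rec):
            alerts.append({"host": rec.get("host"), "tier": tier, "indicator": value})
    for host, tier, value in match_behavioral(records):
        alerts.append({"host": host, "tier": tier, "indicator": value})
    # Sort is stable, so hits of equal tier keep their log order.
    alerts.sort(key=lambda a: PAIN_TIERS.index(a["tier"]), reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f'{alert["tier"]:>13}  {alert["host"]:<7}  {alert["indicator"]}')
```

The sample produces six alerts, with the brute-force behavior on dc-1 first and the hash match last; the benign connection to 198.51.100.7 and the single failed logon for m.lee are not flagged. Ranking by tier is what turns a flat list of matches into a triage order: the behavioral hit is the one an attacker cannot cheaply make disappear.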

While many tools focus on detecting lower-value indicators like file hashes or IP addresses, Wiz Defend goes further, surfacing higher-value signals like adversary TTPs, suspicious identity behaviors, and anomalous API activity—making it significantly harder for attackers to evade detection.

Information gathered from monitoring different types of IOCs and their severity is invaluable for threat detection and response (TDR). And sharing this information with other organizations through threat intel feeds like the Wiz Cloud Threat Landscape can help strengthen collective defenses to stay ahead of emerging threats.

Cloud-specific IOCs

The unique attributes of cloud environments make traditional IOCs less effective. Because cloud service providers handle much of the infrastructure security within the shared responsibility model, security teams have less access to file- and host-based indicators. The end result? Cloud threat hunting primarily relies on monitoring atomic IOCs and behavioral IOCs that are specific to cloud environments. Key cloud-specific IOCs include:

  • Unauthorized use of cloud credentials: Attackers often attempt to steal cloud API keys and IAM credentials, such as AWS access keys, to gain unauthorized access. Once credentials are compromised, threat actors conduct reconnaissance on the permissions assigned to the affected identity and may create their own cloud keys to maintain persistent access.

  • Sudden spikes in resource utilization: Unexpected CPU, memory, or storage usage spikes might be signaling a cloud cryptojacking or a denial-of-service (DoS) attack. For example, in CVE-2023-22527, a vulnerability in Confluence Data Center and Server was exploited to deploy crypto-mining malware, which severely degraded system performance.

  • Misconfigured storage buckets or open databases: Publicly exposed S3 buckets, unprotected Azure Blob Storage, and open MongoDB instances frequently lead to data breaches. Exposed access keys, excessive account permissions, unrestricted outbound access, and poor public access configuration can be counted under common misconfigurations that often cause these breaches. For example, CVE-2021-32717 was a high-severity vulnerability that made private files stored on Amazon AWS publicly accessible due to misconfigured storage visibility settings.

  • Suspicious API calls or elevated permissions granted to unknown users: Attackers may exploit cloud APIs to gain administrative access or modify security configurations. That’s why anomalous API requests from a single user identity that deviate from typical usage patterns or an unknown entity granting itself elevated permissions can serve as a strong indicator of a potential threat.
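The four cloud-specific IOCs above map naturally onto rules over the provider's audit trail. The following is an added example (not the article's or Wiz's detection content) that evaluates constructed CloudTrail-style records for credential persistence, admin-policy grants, public bucket ACLs and a reconnaissance burst by one identity, plus a CPU-utilization check for the cryptojacking/DoS symptom. The field names follow the CloudTrail schema (eventName, userIdentity.arn, sourceIPAddress, requestParameters); the account id, user names, bucket name, IP ranges and thresholds are assumptions made for this example.

```python
"""
Added example (not from the article): rule logic for the cloud-specific IOCs
listed above, run over constructed CloudTrail-style records, plus a CPU-spike
check for cryptojacking or DoS symptoms. Account id, ARNs, bucket name, IP
ranges and thresholds are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed corporate egress ranges (constructed, documentation block).
KNOWN_EGRESS = [ip_network("198.51.100.0/24")]
RECON_THRESHOLD = 4               # distinct read-only API names per identity
ADMIN_POLICY_MARKERS = ("AdministratorAccess", "PowerUserAccess")
PUBLIC_GRANTEE = "http://acs.amazonaws.com/groups/global/AllUsers"


def _ev(name, user, ip, **params):
    """Build a minimal CloudTrail-like record (constructed sample data)."""
    return {"eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": params}


SAMPLE_EVENTS = [
    # A compromised key used for reconnaissance from an unknown address ...
    _ev("GetCallerIdentity", "ci-deploy", "203.0.113.9"),
    _ev("ListUsers", "ci-deploy", "203.0.113.9"),
    _ev("ListBuckets", "ci-deploy", "203.0.113.9"),
    _ev("DescribeInstances", "ci-deploy", "203.0.113.9"),
    # ... then a new key for another user (persistence) and an admin grant.
    _ev("CreateAccessKey", "ci-deploy", "203.0.113.9", userName="backup-svc"),
    _ev("AttachUserPolicy", "ci-deploy", "203.0.113.9", userName="backup-svc",
        policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    # A bucket ACL granting read access to everyone.
    _ev("PutBucketAcl", "ci-deploy", "203.0.113.9", bucketName="finance-exports",
        AccessControlPolicy={"AccessControlList": {"Grant": [
            {"Grantee": {"URI": PUBLIC_GRANTEE, "xsi:type": "Group"}, "Permission": "READ"}]}}),
    # Benign activity from the known egress range.
    _ev("ListBuckets", "alice", "198.51.100.20"),
    _ev("CreateAccessKey", "alice", "198.51.100.20", userName="alice"),
]

# Constructed CPU samples (percent) for one instance: idle, then pegged.
CPU_SAMPLES = {"i-0abc": [4, 5, 3, 6, 4, 5, 97, 98, 99, 98]}


def actor(ev):
    """Short principal name from the identity ARN."""
    return ev["userIdentity"]["arn"].rsplit("/", 1)[-1]


def from_known_network(ev):
    addr = ip_address(ev["sourceIPAddress"])
    return any(addr in net for net in KNOWN_EGRESS)


def mentions_public_grantee(obj):
    """Recursively look for the AllUsers grantee URI inside request parameters."""
    if isinstance(obj, dict):
        return any(mentions_public_grantee(v) for v in obj.values())
    if isinstance(obj, list):
        return any(mentions_public_grantee(v) for v in obj)
    return obj == PUBLIC_GRANTEE


def evaluate(events):
    """Apply single-event rules plus a per-identity reconnaissance burst rule."""
    findings, read_only = [], defaultdict(set)
    for ev in events:
        name, who, rp = ev["eventName"], actor(ev), ev.get("requestParameters") or {}
        if name.startswith(("List", "Describe", "Get")):
            read_only[who].add(name)
        # New key for someone else, or from outside known egress: persistence.
        if name == "CreateAccessKey" and (rp.get("userName") != who or not from_known_network(ev)):
            findings.append({"rule": "credential_persistence", "actor": who,
                             "detail": f"new key for {rp.get('userName')} from {ev['sourceIPAddress']}"})
        if name in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy") and \
                any(m in rp.get("policyArn", "") for m in ADMIN_POLICY_MARKERS):
            findings.append({"rule": "privilege_grant", "actor": who, "detail": rp["policyArn"]})
        if name == "PutBucketAcl" and mentions_public_grantee(rp):
            findings.append({"rule": "public_exposure", "actor": who, "detail": rp.get("bucketName")})
    for who, names in read_only.items():
        if len(names) >= RECON_THRESHOLD:
            findings.append({"rule": "recon_burst", "actor": who, "detail": sorted(names)})
    return findings


def cpu_spike(samples, baseline_n=5, factor=5.0, floor=80.0, sustained=3):
    """True if utilization exceeds max(factor*baseline, floor) for `sustained` samples in a row."""
    baseline = sum(samples[:baseline_n]) / baseline_n
    run = 0
    for value in samples[baseline_n:]:
        run = run + 1 if value > max(factor * baseline, floor) else 0
        if run >= sustained:
            return True
    return False


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
    for instance, samples in CPU_SAMPLES.items():
        print(instance, "cpu_spike:", cpu_spike(samples))
```

On the sample, ci-deploy triggers all four rules while alice's self-service key rotation from the known network is left alone. The reconnaissance rule is the one worth tuning in practice: a legitimate inventory script also calls many List/Describe APIs, so in production the threshold would be set per identity from a learned baseline rather than a global constant.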

Figure 3: An attacker can update the CloudFormation template by taking advantage of a compromised IAM user's S3 bucket

Challenges detecting cloud IOCs

Compared with traditional on-premises environments, defenders face a distinct set of challenges when setting up defenses and detecting IOCs in the cloud. For instance…

  • Ephemeral infrastructure makes it harder to track malicious activity over time because cloud workloads frequently spin up and terminate automatically.

  • Autoscaling might obscure attack patterns and make it harder to differentiate between potential compromise and legitimate high-usage periods.

  • If teams don’t understand who is responsible for what under the shared responsibility model, there might be gaps in security coverage.

  • Agent-based telemetry is often unavailable or impractical in many cloud-native environments, making it harder to capture host-level activity such as file or process-level indicators.

  • Multi-tenant environments can increase the risk of lateral movement between tenants.

To address these challenges, tools such as Amazon GuardDuty and Microsoft Defender for Cloud offer enhanced visibility into cloud-specific IOCs. Platforms like Wiz Defend are purpose-built to surface these types of behavioral and atomic IOCs in real time, helping teams detect threats that often evade traditional EDR or SIEM tooling, especially in cloud-native environments where host-level visibility is limited.

IOCs in action: Real-world threat scenarios

Case 1 - JINX-2401: LLM hijacking in AWS

Wiz researchers uncovered an attack by a threat actor called JINX-2401. The attacker attempted to hijack LLMs across multiple AWS environments using compromised IAM user access keys to access cloud accounts and invoke Bedrock models. Wiz identified the threat by monitoring several IOCs, including the creation of IAM users with policies granting Bedrock permissions and the use of Proton VPN IP addresses. Wiz also detected behavioral patterns of LLM abuse techniques involving IAM usernames and policies. These IOCs proved essential for cross-environment threat detection.
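The indicators in this case are individually weak (a new IAM user, a policy, a VPN address) but strong in sequence. As an added example, not Wiz's detection logic, the following correlates constructed CloudTrail-style records into a per-user storyline: an IAM user is created, granted bedrock: actions, given an access key, and then used to call InvokeModel within a short window, with the source addresses checked against an anonymizing-VPN range list. The records, account id, user names, timestamps, model id placeholder and the VPN range feed are all assumptions made for this example.

```python
"""
Added example (not from the article): correlating the JINX-2401-style
indicator sequence in CloudTrail-style records. Records, account id, user
names, timestamps and the anonymizing-VPN range feed are constructed.
"""
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed anonymizing-VPN ranges from a threat-intel feed (constructed).
ANON_VPN_RANGES = [ip_network("203.0.113.0/24")]
WINDOW = timedelta(hours=1)   # max time from CreateUser to first InvokeModel


def _ev(time, name, user, ip, **params):
    """Build a minimal CloudTrail-like record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": params}


# Inline policy document as CloudTrail records it: a JSON string.
BEDROCK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["bedrock:InvokeModel", "bedrock:ListFoundationModels"],
     "Resource": "*"}]})

EVENTS = [
    _ev("2025-01-10T09:00:00Z", "CreateUser", "compromised-dev", "203.0.113.77", userName="bedrock-helper"),
    _ev("2025-01-10T09:00:30Z", "PutUserPolicy", "compromised-dev", "203.0.113.77",
        userName="bedrock-helper", policyName="allow-bedrock", policyDocument=BEDROCK_POLICY),
    _ev("2025-01-10T09:01:00Z", "CreateAccessKey", "compromised-dev", "203.0.113.77", userName="bedrock-helper"),
    _ev("2025-01-10T09:20:00Z", "InvokeModel", "bedrock-helper", "203.0.113.77", modelId="<model-id>"),
    # Benign: an admin creates a read-only reporting user from the office network.
    _ev("2025-01-10T10:00:00Z", "CreateUser", "admin", "198.51.100.5", userName="reporting-bot"),
    _ev("2025-01-10T10:00:20Z", "AttachUserPolicy", "admin", "198.51.100.5",
        userName="reporting-bot", policyArn="arn:aws:iam::aws:policy/ReadOnlyAccess"),
]


def actor(ev):
    return ev["userIdentity"]["arn"].rsplit("/", 1)[-1]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def grants_bedrock(ev):
    """True if an inline policy document or a managed policy ARN grants bedrock actions."""
    rp = ev.get("requestParameters") or {}
    if "policyDocument" in rp:
        statements = json.loads(rp["policyDocument"]).get("Statement", [])
        actions = []
        for stmt in ([statements] if isinstance(statements, dict) else statements):
            act = stmt.get("Action", [])
            actions.extend([act] if isinstance(act, str) else act)
        return any(a == "*" or a.lower().startswith("bedrock:") for a in actions)
    return "bedrock" in rp.get("policyArn", "").lower()


def correlate(events):
    """Build one storyline per created user and report those that reach InvokeModel."""
    stories = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):   # ISO timestamps sort as text
        t, name, ip = parse_time(ev["eventTime"]), ev["eventName"], ev["sourceIPAddress"]
        rp = ev.get("requestParameters") or {}
        target = rp.get("userName")
        if name == "CreateUser":
            stories[target] = {"created": t, "creator": actor(ev), "steps": [name],
                               "grant": None, "invoked": None, "ips": {ip}}
        elif name in ("PutUserPolicy", "AttachUserPolicy") and target in stories and grants_bedrock(ev):
            story = stories[target]
            story["steps"].append(name)
            story["grant"] = t
            story["ips"].add(ip)
        elif name == "CreateAccessKey" and target in stories:
            stories[target]["steps"].append(name)
            stories[target]["ips"].add(ip)
        elif name == "InvokeModel" and actor(ev) in stories:
            story = stories[actor(ev)]
            # Only the first invocation inside the window closes the storyline.
            if story["grant"] is not None and story["invoked"] is None and t - story["created"] <= WINDOW:
                story["steps"].append(name)
                story["invoked"] = t
                story["ips"].add(ip)
    findings = []
    for user, story in stories.items():
        if story["invoked"] is None:
            continue
        anon = any(ip_address(i) in net for i in story["ips"] for net in ANON_VPN_RANGES)
        findings.append({"user": user, "creator": story["creator"], "steps": story["steps"],
                         "minutes_to_invoke": (story["invoked"] - story["created"]).total_seconds() / 60,
                         "anonymizing_vpn": anon})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Only bedrock-helper is reported: created by compromised-dev, granted Bedrock actions, keyed, and invoking a model twenty minutes later from the VPN range. The reporting-bot user follows the same create-then-grant shape but never receives Bedrock permissions or calls InvokeModel, so no storyline closes. Anchoring the window on CreateUser rather than on the policy grant is deliberate: a freshly minted identity that reaches model invocation within an hour is the behavior worth paging on, whatever policy mechanism was used.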

Case 2 - Diicot threat group malware campaign

Wiz Research uncovered a new campaign by the Diicot threat group targeting Linux users. Diicot’s malware can detect the environment it’s running in, and in a non-cloud setup, it gets right into deploying crypto mining payloads. In a cloud environment, on the other hand, it prioritizes spreading into other hosts. 

The IOCs, file paths, and code included Romanian words like brute-retea (“brute-force”) and așteaptă (“wait”), indicating that the attackers were Romanian speakers. Also, several payloads were discovered on the machine, including files named Update (the primary payload, containing the logic to spread to other targets), cache (a reverse shell that gives the attacker remote control), and abc123 (a crypto mining payload for non-cloud environments).

Figure 4: Techniques used by Diicot

End-to-end visibility with Wiz

While open-source tools like Velociraptor and OpenVAS can help identify indicators of compromise, it’s important to prioritize a comprehensive solution. Wiz Defend comes with added features and built-in detection rules that incorporate both behavioral and atomic IOCs. These indicators are gathered from various threat intelligence sources, such as Wiz Research’s threat-hunting efforts and other private and public threat reporting. Wiz Defend also supports custom detection rules and automated threat storylines—allowing teams to tailor detections to their specific cloud environment and quickly visualize the full context and progression of an attack.

Unlike traditional detection tools, Wiz Defend leverages a unified cloud graph to connect the dots across identities, configurations, workloads, and network activity—making IOC detection smarter, faster, and more contextual.

TL;DR? With its cloud-first approach, built-in threat intelligence, and powerful behavioral analytics, Wiz helps you detect and respond to incidents before they escalate.

Sign up for a personalized demo today to see how Wiz can supercharge your threat detection strategy.