collecting-indicators-of-compromise


Systematically collects, categorizes, and distributes indicators of compromise (IOCs) during and after security incidents to enable detection, blocking, and threat intelligence sharing. Covers network, host, email, and behavioral indicators using STIX/TAXII formats and threat intelligence platforms. Activates for requests involving IOC collection, indicator extraction, threat indicator sharing, compromise indicators, STIX export, or IOC enrichment.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

| Criterion | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Collecting Indicators of Compromise

## When to Use

- During active incident response to identify and block adversary infrastructure
- Post-incident to document all observed adversary artifacts for future detection
- When sharing threat intelligence with ISACs, sector partners, or law enforcement
- When building detection rules in SIEM, EDR, or network security tools
- When enriching IOCs with threat intelligence context for risk scoring

**Do not use** for behavioral TTP analysis without accompanying technical indicators; use MITRE ATT&CK mapping for behavioral characterization.

## Prerequisites

- Access to incident evidence sources: SIEM logs, EDR telemetry, memory dumps, disk images, network captures
- Threat intelligence platform (MISP, OpenCTI, ThreatConnect) for IOC management and sharing
- IOC enrichment tools: VirusTotal, OTX (AlienVault Open Threat Exchange), Shodan, DomainTools
- STIX 2.1 knowledge for structured IOC representation
- Sharing agreements with relevant ISACs (FS-ISAC, H-ISAC, IT-ISAC) or sector partners

## Workflow

### Step 1: Identify IOC Categories

Collect indicators across all categories from incident evidence:

**Network Indicators:**

- IP addresses (C2 servers, staging servers, exfiltration destinations)
- Domain names (C2 domains, phishing domains, DGA domains)
- URLs (malware download, C2 check-in, exfiltration endpoints)
- JA3/JA3S hashes (TLS client/server fingerprints)
- User-Agent strings (custom or unusual HTTP headers)
- DNS query ...

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0
