The Origin of the Term Indicators of Compromise (IOCs)
I am an historian. I practice digital security, but I earned a Bachelor of Science degree in history from the United States Air Force Academy. (1) Historians create products by analyzing artifacts, among which the most significant is the written word. In my last post, I talked about IOCs, or indicators of compromise. Do you know the origin of the term? I thought I did, but I wanted to rely on my historian's methodology to invalidate or confirm my understanding. I became aware of the term "indicator" as an element of indications and warning (I&W) when I attended Air Force Intelligence Officer's school in 1996-1997. I will return to this shortly, but I did not encounter the term "indicator" in a digital security context until I encountered the work of Kevin Mandia. In August 2001, shortly after its publication, I read Incident Response: Investigating Computer Crime, by Kevin Mandia, Chris Prosise, and Matt Pepe (Osborne/McGraw-Hill). I