Hacking Humans – "Indicators of Compromise (noun)" [Word Notes]
Host: Rick Howard (N2K Networks)
Date: January 27, 2026
Theme: Deception, Influence, and Social Engineering in Cyber Crime
Episode Overview
This episode of "Hacking Humans: Word Notes" explores the term "Indicators of Compromise" (IoCs)—a foundational concept in cybersecurity. Rick Howard traces the history, evolution, and modern application of IoCs, illustrating their critical role in cyber defense and their relationship to adversary behaviors, culminating in an engaging nerd reference to Sherlock Holmes.
Key Discussion Points & Insights
1. What are Indicators of Compromise?
- Definition: "Digital evidence that a system or network has been breached." — Rick Howard ([01:38])
- Example sentence: "The indicators of compromise alerted the organization that an adversary was inside the network."
2. Early Use of IoCs
- Before 2010, practitioners relied on static "technical lists" such as:
  - Malicious IP addresses
  - URLs
  - MD5 hashes of malware
  - Known-bad domains
- Problem: these were "passive," unconnected lists of artifacts, and matching on them alone produced many false positives. Because each artifact is trivial for an attacker to change (recompile the malware for a new hash, move to a new IP or domain), countermeasures built on them went stale almost as soon as they were deployed. (Rick Howard, [02:00])
"They were just lists of odds and ends, big collections of digital artifacts to block and to watch out for... By the time infosec teams deployed countermeasures, the bad guys had likely already changed their behavior."
— Rick Howard ([02:28])
3. The MITRE ATT&CK Framework's Impact
- MITRE began building ATT&CK in 2013 (it was released publicly in 2015), extending the Lockheed Martin Intrusion Kill Chain model with a catalogue of observed adversary behaviors.
- IoCs now extend beyond individual artifacts to TTPs: Tactics (the why, i.e., the adversary's goal), Techniques (the how), and Procedures (the specific implementation a given group uses).
- TTPs are tied to the behavior of adversary groups, are far less ephemeral than hashes and addresses, and are more useful for designing defenses: a detection keyed to behavior is not undone by a recompiled binary or a new command-and-control address.
"With these more useful TTPs, network defenders can forecast a confidence level of how likely their network has been compromised by a specific attack sequence."
— Rick Howard ([03:15])
4. Operationalizing TTPs: Example with the 'Mole Rats' Hacker Group
- According to Tidal Cyber (a company that operationalizes MITRE ATT&CK), 'Mole Rats' (tracked in ATT&CK as Molerats) uses 17 TTPs.
- Observing a single one of those TTPs (e.g., forged Microsoft code-signing certificates) is not enough for high confidence, because many unrelated groups use the same technique; one hit narrows the field very little.
- Observing most of the set (e.g., 15 of the 17) strongly indicates that this particular adversary, and not merely someone using one shared technique, is present:
"If network defenders observe one of them... chances that the hackers behind the Mole Rats' attack sequence are quite low. But if... 15 of the 17 Mole Rats TTPs, then the chances are high that the hackers... have compromised your network."
— Rick Howard ([04:00])
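The two approaches the episode contrasts, run over constructed telemetry: a flat 2009-style blocklist that misses everything the attacker has rotated, next to a TTP-coverage score in which one shared technique barely moves any group and most of one profile does. This is an added example, not code from the episode, N2K, Tidal Cyber or MITRE. The group profiles, hashes, addresses, events and confidence bands are assumptions made up for illustration and are not the real technique set of Molerats or any other group; only the ATT&CK technique IDs themselves are real.

```python
"""Static IoC matching versus TTP correlation.

Added example, not code from the episode, N2K, Tidal Cyber or MITRE.
Every hash, address, domain, event and group profile below is constructed
for illustration; the profiles are NOT the real technique sets of Molerats
or any other group. Only the ATT&CK technique IDs themselves are real.
"""

# --- 1. Pre-2010 style: a flat blocklist of artifacts (constructed values) ---
STATIC_IOCS = {
    "md5": {"0123456789abcdef0123456789abcdef"},   # placeholder hash
    "ip": {"203.0.113.7"},                         # TEST-NET-3 documentation range
    "domain": {"cdn-update.example"},
}

# --- 2. ATT&CK-style behaviour profiles for three hypothetical groups ---
# T1553.002 (Subvert Trust Controls: Code Signing) is deliberately in all three,
# standing in for the episode's "many groups use forged code-signing certs".
GROUP_PROFILES = {
    "GROUP-A": {"T1566.001", "T1204.002", "T1059.001", "T1053.005", "T1553.002",
                "T1071.001", "T1105", "T1027", "T1082", "T1041"},
    "GROUP-B": {"T1566.002", "T1059.003", "T1547.001", "T1553.002",
                "T1071.004", "T1070.004", "T1036.005"},
    "GROUP-C": {"T1190", "T1505.003", "T1059.001", "T1553.002", "T1003.001",
                "T1021.001", "T1486"},
}

# Constructed telemetry from one host: each event carries the artifacts an
# analyst would have blocked on in 2009 plus the ATT&CK technique the
# detection mapped it to. Every artifact but one domain has been rotated.
EVENTS = [
    {"host": "ws-17", "technique": "T1566.001", "domain": "mail.example"},
    {"host": "ws-17", "technique": "T1204.002", "md5": "fedcba9876543210fedcba9876543210"},
    {"host": "ws-17", "technique": "T1059.001"},
    {"host": "ws-17", "technique": "T1553.002"},
    {"host": "ws-17", "technique": "T1053.005"},
    {"host": "ws-17", "technique": "T1071.001", "ip": "198.51.100.23"},
    {"host": "ws-17", "technique": "T1105", "domain": "cdn-update.example"},
    {"host": "ws-17", "technique": "T1027"},
    {"host": "ws-17", "technique": "T1082"},
]


def match_static(events, iocs=STATIC_IOCS):
    """Return the events that hit the static blocklist.

    The attacker only has to rotate a hash or an IP to slip past this; in the
    constructed events above only the stale domain still matches."""
    return [e for e in events
            if any(e.get(field) in values for field, values in iocs.items())]


def score_groups(events, profiles=GROUP_PROFILES):
    """For each group: (observed TTPs, profile size, fraction of profile seen).

    One shared technique barely moves any score; seeing most of a single
    group's profile is what raises confidence in that group."""
    observed = {e["technique"] for e in events}
    result = {}
    for group, ttps in profiles.items():
        hits = observed & ttps
        result[group] = (len(hits), len(ttps), round(len(hits) / len(ttps), 2))
    return result


def confidence(fraction):
    """Band thresholds are an assumption for illustration, not a published rule."""
    if fraction >= 0.8:
        return "high"
    if fraction >= 0.4:
        return "medium"
    return "low"


def assess(events):
    """Rank groups by profile coverage and attach a confidence band."""
    scored = score_groups(events)
    ranked = sorted(scored.items(), key=lambda kv: kv[1][2], reverse=True)
    return [(group, hits, total, frac, confidence(frac))
            for group, (hits, total, frac) in ranked]


if __name__ == "__main__":
    print("static hits:", [e["technique"] for e in match_static(EVENTS)])
    for group, hits, total, frac, band in assess(EVENTS):
        print(f"{group}: {hits}/{total} TTPs ({frac:.0%}) -> {band}")
    # A lone code-signing hit: every group ties at one technique, all "low".
    for group, hits, total, frac, band in assess([{"host": "ws-1", "technique": "T1553.002"}]):
        print(f"single TTP, {group}: {hits}/{total} -> {band}")
```

Running it shows the static list catching one event out of nine while GROUP-A reaches 9 of its 10 techniques; the second loop is the episode's "observe one of them" case, where the shared technique leaves all three groups at low confidence.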
Notable Quotes & Memorable Moments
The Sherlock Holmes Analogy:
Rick Howard draws a parallel between correlating IoCs in cyber defense and Sherlock Holmes reading the indicators at a crime scene, using a scene from the BBC's "Sherlock" (the episode "The Blind Banker"), [04:40] to [06:07]:
"Sherlock lays out all the indicators of compromise to a detective and to Watson about why the victim was murdered and didn't commit suicide—mainly because he was left-handed and they found the bullet hole in the right temple." — Rick Howard ([04:40])
Direct Scene Excerpt:
Sherlock (Peter Kilpe): "You've got a solution that you like, but you're choosing to ignore anything you see that doesn't comply with it. Like the wound's on the right side of his head and Van Coon is left-handed..." ([05:22])
Sherlock goes on to list Van Coon's left-handed habits as further indicators, each inconsistent with suicide; only the murder hypothesis explains all of them. The same logic is what makes a cluster of correlated TTPs more convincing than any single indicator.
"Conclusion: someone broke in here and murdered him. Only explanation of all of the facts." — Sherlock (Peter Kilpe, quoting Benedict Cumberbatch as Sherlock) ([05:53])
Important Segment Timestamps
- [01:38] – Introduction and definition of Indicators of Compromise
- [02:00-03:00] – Early usage and challenges of IoCs in cybersecurity
- [03:20-04:10] – MITRE ATT&CK, TTPs, and modern IoC applications
- [04:12-04:45] – 'Mole Rats' case study and the importance of linked TTPs
- [04:40-06:07] – Sherlock Holmes "nerd reference" and the analogy to IoCs
Overall Insights
- Indicators of Compromise have evolved—from static, easily evaded lists, to dynamic, behavior-linked intelligence through frameworks like MITRE ATT&CK.
- Effective cyber defense is now about recognizing and correlating multiple, meaningful behaviors—much like a detective assembling scattered clues to reveal the true story.