Dave Bittner
You're listening to the CyberWire Network, powered by N2K. If securing your network feels harder than it should be, you're not imagining it. Modern businesses need strong protection, but they don't always have the time, staff, or patience for complex setups. That's where NordLayer comes in. NordLayer is a toggle-ready network security platform built for businesses. It brings VPN, access control, and threat protection together in one place. No hardware, no complicated configuration. You can deploy it in minutes and be up and running in less than 10. It's built on zero trust principles, so only the right people can get access to the right resources. It works across all major platforms, scales easily as your teams grow, and integrates with what you already use. And now NordLayer goes even further through its partnership with CrowdStrike, combining NordLayer's network security with Falcon endpoint protection for small and mid-sized businesses. Enterprise-grade security made manageable. Try NordLayer risk free and get up to 22% off yearly plans, plus an extra 10% with the code CYBERWIRE10. Visit nordlayer.com cyberwire daily to learn more.
Rick Howard
The word is Indicators of Compromise. Spelled indicators, as in signs of activity, and of compromise, as in an intrusion. Definition: digital evidence that a system or network has been breached. Example sentence: the indicators of compromise alerted the organization that an adversary was inside the network. Origin and context: in order to block bad guy activity or detect that a bad guy is in your network, security practitioners have used the concept of indicators of compromise since the Internet was young. Prior to 2010, they relied on technical lists of known bad guy things like malicious IP addresses or URLs, MD5 hashes of known bad guy malicious code, and known bad guy domains, just to name a few. They were passive and had no connection to the sequence of steps that hackers have to take to be successful. They were just lists of odds and ends, big collections of digital artifacts to block and to watch out for, and were prone to false positives. These low resolution indicators are not bad per se, but they are ephemeral, and hackers can easily change them at the drop of a hat, and do. By the time infosec teams deployed countermeasures, the bad guys had likely already changed their behavior. In 2013, MITRE released the first version of the MITRE ATT&CK framework that, among other things, expanded the original concept of the Lockheed Martin Kill Chain paper. They added TTPs: the tactics (the why), the techniques used (the how), and the specific implementation procedures the adversary group used to deploy the tactic. That intelligence is not as ephemeral, is tied to known adversary group behavior, and is conducive to designing impactful countermeasures. With these more useful TTPs, network defenders can forecast a confidence level of how likely their network has been compromised by a specific attack sequence.
For example, according to Tidal, a company that operationalizes MITRE ATT&CK intelligence, the Middle East hacker group called Molerats uses 17 TTPs in their adversary playbook. If network defenders observe one of them, say, forged Microsoft code signing certificates in malware, then the chances that it is the hackers behind the Molerats attack sequence are quite low. Many hacker groups use that technique. It's only one indicator of compromise out of a possible 17. But if those same network defenders observe 15 of the 17 Molerats TTPs, then the chances are high that the hackers behind the Molerats attack sequence have compromised your network. Nerd reference: in the fabulous BBC retelling of the Sherlock Holmes story, Benedict Cumberbatch played Sherlock and Martin Freeman played the sidekick Dr. John Watson from 2010 to 2017. In this classic murder scene setting, Sherlock lays out all the indicators of compromise to a detective and to Watson about why the victim was murdered and didn't commit suicide, mainly because he was left-handed and they found the bullet hole in the right temple.
Peter Kilpe
We're obviously looking at a suicide. That does seem the only explanation of all the facts. Wrong, it's one possible explanation of some of the facts. You've got a solution that you like, but you're choosing to ignore anything you see that doesn't comply with it. Like the wound's on the right side of his head, and Van Coon is left-handed. Requires quite a bit of contortion.
Dave Bittner
Left-handed?
Peter Kilpe
I'm amazed you didn't notice. All you have to do is look around this flat. Coffee table on the left-hand side, coffee mug handle pointing to the left. Power sockets: habitually used the ones on the left. Pen and paper on the left-hand side of the phone, because he picked it up with his right and took down messages with his left.
Rick Howard
You want me to go on?
Peter Kilpe
No, I think you've covered it. I might as well. I'm almost at the bottom of the list. There's a knife on the breadboard with butter on the right side of the blade because he used it with his left. It's highly unlikely that a left-handed man would shoot himself in the right side of his head. Conclusion: someone broke in here and murdered him. Only explanation of all of the facts.
Rick Howard
But the gun.
Peter Kilpe
He was waiting for the killer. He'd been threatened.
Rick Howard
Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik. I'm Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.
Dave Bittner
If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning, and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of responders reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. Attackers don't go through your tools, they go around them. In our interview with Jared Atkinson, CTO at SpecterOps, he reveals how attackers look to exploit our identities, steal tokens, and quietly snowball their access across Active Directory, cloud apps, and GitHub. We talk through attack paths, why least privilege keeps failing, and how one misconfiguration can hand over the keys to your organization. Want to see risk as attackers do? Then check out the full interview now on thecyberwire.com.
Host: Rick Howard (N2K Networks)
Date: January 27, 2026
Theme: Deception, Influence, and Social Engineering in Cyber Crime
This episode of "Hacking Humans: Word Notes" explores the term "Indicators of Compromise" (IoCs)—a foundational concept in cybersecurity. Rick Howard traces the history, evolution, and modern application of IoCs, illustrating their critical role in cyber defense and their relationship to adversary behaviors, culminating in an engaging nerd reference to Sherlock Holmes.
Before 2010, practitioners relied on static "technical lists" such as malicious IP addresses and URLs, MD5 hashes of known malicious code, and known malicious domains.
Problem:
These were "passive," unconnected lists of artifacts, often leading to false positives. Hackers could easily change them, rendering defensive actions obsolete quickly.
(Rick Howard, [02:00])
"They were just lists of odds and ends, big collections of digital artifacts to block and to watch out for... By the time infosec teams deployed countermeasures, the bad guys had likely already changed their behavior."
— Rick Howard ([02:28])
The MITRE ATT&CK framework, released in 2013, built upon the Lockheed Martin Kill Chain model.
IoCs now extended to include TTPs: tactics (the why), techniques (the how), and the specific procedures an adversary group uses to carry them out.
TTPs are tied to adversary group behaviors, less ephemeral than old indicators, and more useful in designing effective cyber defenses.
"With these more useful TTPs, network defenders can forecast a confidence level of how likely their network has been compromised by a specific attack sequence."
— Rick Howard ([03:15])
According to Tidal (a company operationalizing MITRE ATT&CK intelligence), Molerats uses 17 TTPs.
Observing one TTP (e.g., forged Microsoft code signing certificates) isn’t enough for high confidence—many groups use that technique.
Multiple observed TTPs (e.g., 15 out of 17) strongly indicate adversary presence:
"If network defenders observe one of them... chances that the hackers behind the Molerats attack sequence are quite low. But if... 15 of the 17 Molerats TTPs, then the chances are high that the hackers... have compromised your network."
— Rick Howard ([04:00])
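The episode's reasoning, that one shared technique is weak evidence while 15 of a group's 17 TTPs is strong, is a playbook-coverage calculation a detection team can actually run. The block below is an added example; it is not code from the episode, from MITRE, or from Tidal. The technique IDs are real ATT&CK IDs, but the 17-entry playbook, the prevalence counts, the detection records, and the confidence thresholds are all constructed for illustration and are not the Molerats profile Tidal publishes. It goes a step beyond the episode by weighting each matched technique by how rare it is across tracked groups, so a technique "many hacker groups use" contributes less than a distinctive one.

```python
"""Playbook-coverage scoring for TTP-based indicators of compromise.

Added example (not code from the Word Notes episode, from MITRE, or from
Tidal). It scores how much of an adversary playbook has been observed and
discounts techniques that many groups share, which is why one sighting of
a common technique is weak evidence while 15 of 17 is strong.

The technique IDs are real ATT&CK IDs, but the 17-entry playbook, the
prevalence counts, the sample sightings and the confidence thresholds are
CONSTRUCTED for this example; they are not the Molerats profile Tidal publishes.
"""
from __future__ import annotations

import math
from typing import Iterable

# Constructed playbook: 17 techniques attributed to a hypothetical group.
PLAYBOOK: frozenset[str] = frozenset({
    "T1566.001", "T1204.002", "T1059.001", "T1547.001", "T1105", "T1071.001",
    "T1027", "T1036", "T1082", "T1083", "T1057", "T1113", "T1005", "T1041",
    "T1553.002", "T1102", "T1140",
})

# Constructed prevalence: how many of TRACKED_GROUPS use each technique.
TRACKED_GROUPS = 150
GROUPS_USING: dict[str, int] = {
    "T1566.001": 90, "T1204.002": 85, "T1059.001": 95, "T1547.001": 70,
    "T1105": 110, "T1071.001": 100, "T1027": 105, "T1036": 60, "T1082": 95,
    "T1083": 75, "T1057": 65, "T1113": 30, "T1005": 70, "T1041": 60,
    "T1553.002": 40, "T1102": 35, "T1140": 80,
}


def technique_weight(technique: str) -> float:
    """Evidence weight of one technique: ln(tracked_groups / groups_using).

    A technique every tracked group uses scores 0; a rare one scores high.
    Techniques missing from the prevalence table are treated as universal
    (weight 0) so an unknown ID never inflates confidence.
    """
    users = GROUPS_USING.get(technique, TRACKED_GROUPS)
    return math.log(TRACKED_GROUPS / users)


def observed_techniques(sightings: Iterable[tuple[str, str]]) -> set[str]:
    """Collapse (host, technique_id) detection records to the set of techniques seen."""
    return {technique for _host, technique in sightings}


def playbook_coverage(observed: set[str]) -> tuple[float, float]:
    """Return (raw_coverage, weighted_coverage), both in [0, 1].

    raw_coverage:      matched techniques / playbook size (the 1-of-17 vs 15-of-17 count)
    weighted_coverage: matched evidence weight / total playbook weight
    Techniques outside the playbook are ignored; they are not evidence for this group.
    """
    matched = observed & PLAYBOOK
    raw = len(matched) / len(PLAYBOOK)
    total = sum(technique_weight(t) for t in PLAYBOOK)
    weighted = sum(technique_weight(t) for t in matched) / total
    return raw, weighted


def confidence_label(weighted_coverage: float) -> str:
    """Map weighted coverage to a coarse confidence band (thresholds are constructed)."""
    if weighted_coverage >= 0.7:
        return "high"
    if weighted_coverage >= 0.3:
        return "medium"
    return "low"


# Constructed detection records shaped like (host, ATT&CK technique id).
ONE_SIGHTING = [("ws-12", "T1553.002")]  # forged code-signing certificate on one host
MANY_SIGHTINGS = [
    ("ws-12", "T1566.001"), ("ws-12", "T1204.002"), ("ws-12", "T1059.001"),
    ("ws-12", "T1547.001"), ("ws-12", "T1105"), ("ws-12", "T1071.001"),
    ("ws-07", "T1027"), ("ws-07", "T1036"), ("ws-07", "T1082"),
    ("ws-07", "T1083"), ("ws-07", "T1057"), ("srv-01", "T1005"),
    ("srv-01", "T1041"), ("srv-01", "T1553.002"), ("srv-01", "T1140"),
    ("srv-01", "T1553.002"),  # duplicate sighting on another host, counted once
    ("srv-01", "T1486"),      # not in this playbook, ignored
]

if __name__ == "__main__":
    for name, sightings in (("one technique", ONE_SIGHTING), ("15 of 17", MANY_SIGHTINGS)):
        raw, weighted = playbook_coverage(observed_techniques(sightings))
        print(f"{name}: raw={raw:.2f} weighted={weighted:.2f} -> {confidence_label(weighted)}")
```

With these constructed numbers the single code-signing sighting covers 1/17 of the playbook and about 10% of its evidence weight (low), while the 15-technique set covers 15/17 and about 76% of the weight (high) even though the two techniques not seen are the rarest ones. Two details matter in practice: duplicate sightings of the same technique across hosts must collapse to one, or a noisy detector inflates coverage; and a matched technique must be counted against the playbook being tested, not against every group that happens to use it.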
Rick Howard draws a parallel between analyzing IoCs in cyber defense and Sherlock Holmes analyzing indicators at a crime scene, using a scene from the BBC's "Sherlock" ([04:40] to [06:07]):
"Sherlock lays out all the indicators of compromise to a detective and to Watson about why the victim was murdered and didn’t commit suicide—mainly because he was left handed and they found the bullet hole in the right temple." — Rick Howard ([04:40])
Direct Scene Excerpt:
Sherlock (Peter Kilpe): "You've got a solution that you like, but you're choosing to ignore anything you see that doesn't comply with it. Like the wound's on the right side of his head and Van Coon is left-handed..." ([05:22])
Sherlock continues to list left-handed habits as IoCs, leading to his conclusion of murder over suicide.
"Conclusion: someone broke in here and murdered him. Only explanation of all of the facts."
— Sherlock (Peter Kilpe, reading Benedict Cumberbatch's lines as Sherlock), ([05:53])