
Hacking Humans Indicators of Compromise (noun) [Word Notes]
Jan 27, 2026
A clear definition of the digital traces that show a system or network was breached; a look at early IOC practices (malicious IP addresses, file hashes) and why they often failed; how MITRE ATT&CK and TTPs improved prediction by focusing on attacker behavior rather than attacker artifacts; and an analogy using Sherlock Holmes to show how multiple clues combine to reveal the true pattern.
AI Snips
From Ephemeral Artifacts To Behavior-Based Indicators
- Indicators of compromise evolved from brittle lists of artifacts to behavior-based TTPs organized by frameworks such as MITRE ATT&CK.
- Because TTPs describe what an adversary does rather than which infrastructure or binaries it happened to use, they make detection and forecasting of compromises more reliable.
Static IOCs Produce False Positives
- Early IOCs were static artifacts such as malicious IP addresses, URLs, and file hashes; matching on them alone produced many false positives, since a shared-hosting or CDN address also carries legitimate traffic.
- They were also transient: an attacker can recompile a binary or move to a new address at almost no cost, and the published indicator simply stops matching.
TTPs Raise Confidence In Attribution
- MITRE ATT&CK catalogs adversary tactics, techniques, and procedures (TTPs) and maps them to known adversary groups.
- Observing several TTPs from one group's playbook in the same intrusion raises confidence that the network has been compromised by that group, much as a detective combines several clues before naming a suspect.
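The two points above (static IOCs going stale while behavior keeps matching, and several observed TTPs raising attribution confidence) can be shown side by side on a handful of events. The script below is an added example, not code from the episode: it runs a static hash/IP list and a set of ATT&CK-style behavioral rules over two constructed intrusions by the same actor, the second with a recompiled dropper and a new C2 address. The events, the IOC list, and the adversary profile `GROUP_EXAMPLE` are constructed for illustration; the T-numbers are real MITRE ATT&CK technique IDs, but the mapping of a group to them is hypothetical.

```python
"""Static IOC matching vs. ATT&CK technique matching over constructed telemetry.

Added illustrative example, not code from the episode. The events, IOC list,
and adversary profile GROUP_EXAMPLE are constructed; the T-numbers are real
MITRE ATT&CK technique IDs, but the mapping of a group to them is hypothetical.
"""
import hashlib

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Hypothetical adversary playbook: phishing attachment -> PowerShell ->
# scheduled task -> LSASS dump -> lateral movement over admin shares.
GROUP_EXAMPLE = {"T1566.001", "T1059.001", "T1053.005", "T1003.001", "T1021.002"}

DROPPER_V1 = b"constructed dropper build 1"
DROPPER_V2 = b"constructed dropper build 2"   # trivially recompiled, same behaviour


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_intrusion(dropper: bytes, c2_ip: str) -> list:
    """Constructed EDR-style events for one intrusion by the same actor."""
    return [
        {"kind": "file", "host": "ws01", "path": "C:\\Users\\a\\invoice.docm",
         "sha256": sha256_hex(dropper)},
        {"kind": "process", "host": "ws01", "parent": "WINWORD.EXE",
         "image": "powershell.exe", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
        {"kind": "network", "host": "ws01", "dst_ip": c2_ip, "dst_port": 443},
        {"kind": "process", "host": "ws01", "parent": "powershell.exe",
         "image": "schtasks.exe",
         "cmdline": "schtasks /create /tn Updater /tr C:\\ProgramData\\u.exe /sc minute"},
        {"kind": "process_access", "host": "ws01", "source": "u.exe",
         "target": "lsass.exe", "access": "0x1010"},
        {"kind": "share", "host": "ws01", "remote": "\\\\srv02\\ADMIN$"},
        # Benign admin activity on the same host; must not trip the rules below.
        {"kind": "process", "host": "ws01", "parent": "explorer.exe",
         "image": "powershell.exe", "cmdline": "powershell Get-Process"},
    ]


# Static IOC list "published" after the first intrusion was analysed.
FIRST_INTRUSION = make_intrusion(DROPPER_V1, "203.0.113.10")
STATIC_IOCS = {"sha256": {sha256_hex(DROPPER_V1)}, "ip": {"203.0.113.10"}}
# Second intrusion: same playbook, new build and new C2 address.
SECOND_INTRUSION = make_intrusion(DROPPER_V2, "198.51.100.7")


def match_static_iocs(events: list, iocs: dict) -> list:
    """Atomic matching: exact hash or IP equality, nothing else."""
    hits = []
    for e in events:
        if e["kind"] == "file" and e["sha256"] in iocs["sha256"]:
            hits.append(("sha256", e["sha256"]))
        elif e["kind"] == "network" and e["dst_ip"] in iocs["ip"]:
            hits.append(("ip", e["dst_ip"]))
    return hits


def extract_techniques(events: list) -> set:
    """Behavioural rules keyed on what the attacker does, not which bytes they use."""
    seen = set()
    for e in events:
        if e["kind"] == "process":
            image, parent = e["image"].lower(), e["parent"].lower()
            cmd = e["cmdline"].lower()
            # Office spawning a script host: phishing attachment + PowerShell execution.
            # A lone PowerShell launch from explorer.exe is deliberately not flagged.
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                seen |= {"T1566.001", "T1059.001"}
            if image == "schtasks.exe" and "/create" in cmd:
                seen.add("T1053.005")
        elif e["kind"] == "process_access" and e["target"].lower() == "lsass.exe":
            seen.add("T1003.001")
        elif e["kind"] == "share" and e["remote"].upper().endswith("ADMIN$"):
            seen.add("T1021.002")
    return seen


def attribution_confidence(observed: set, profile: set) -> float:
    """Fraction of a group's playbook observed; more matching TTPs, more confidence."""
    return len(observed & profile) / len(profile) if profile else 0.0


def analyze(events: list, iocs: dict = STATIC_IOCS, profile: set = GROUP_EXAMPLE) -> dict:
    techniques = extract_techniques(events)
    return {
        "static_hits": match_static_iocs(events, iocs),
        "techniques": sorted(techniques),
        "confidence": attribution_confidence(techniques, profile),
    }


if __name__ == "__main__":
    for name, ev in (("first", FIRST_INTRUSION), ("second", SECOND_INTRUSION)):
        r = analyze(ev)
        print(f"{name}: static IOC hits={len(r['static_hits'])} "
              f"techniques={r['techniques']} confidence={r['confidence']:.2f}")
```

Against the first intrusion both detectors fire; against the second, the hash and IP list finds nothing while the behavioral rules still recover all five techniques, and the confidence score climbs only as more of the playbook is seen (two techniques after the phishing document opens, five by the time lateral movement starts). The score here is a plain fraction of the profile, chosen for readability; a production detector would weight techniques by how specific they are to the group.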
