What are the two types of Indicators of Compromise?

Prepare for the SANS FOR508 Exam. Use flashcards and multiple-choice questions, each with hints and explanations. Maximize your readiness for the test!

Multiple Choice

What are the two types of Indicators of Compromise?

Explanation:

The two types are host-based and network-based indicators: Indicators of Compromise are most usefully understood as artifacts observed in two broad arenas, on the host and in the network. Host-based IOCs are artifacts that appear on an endpoint after a compromise, such as file hashes of malicious binaries, unusual startup items, new or modified registry keys, suspicious running processes, or unusual log entries. They reveal what happened directly on the machine that was breached and can identify infected hosts even when network traffic is encrypted or otherwise obscured.

Network-based IOCs, on the other hand, come from observing traffic patterns and communications between systems: known bad IP addresses, malicious domains, DNS query anomalies, beaconing behavior, unusual ports or protocols, and traffic spikes tied to command and control (C2) or data exfiltration. These indicators detect malicious activity by looking at what the compromised system is doing on the network, which is particularly useful when on-host artifacts have been deleted or tampered with. Note that addresses and domains are cheap for an attacker to rotate, so behavioral network indicators such as a regular beaconing cadence tend to outlive them.

Specific artifacts such as files or processes matter, but they are members of these two categories rather than categories in their own right. The two overarching types that capture IOC usefulness across environments are host-based and network-based indicators; the other answer choices name particular artifact types or deployment contexts, not the primary division defenders use to detect and respond to compromises. In practice the two are strongest when correlated: the host shows what ran, and the network shows where it talked.
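As an added illustration, not part of the original explanation, the Python example below matches a small IOC set against both arenas: host artifacts (SHA-256 file hashes and a Run-key value name) and network records (destination IPs in connection logs, queried names in DNS logs). It also flags beaconing by measuring how regular the gaps between connections to one destination are, a behavioral network indicator that needs no IOC list at all. Every hash, address, domain, registry value and log line is constructed for the example; the Zeek-like tab-separated log layout, the column order and the beaconing thresholds are assumptions, not values from the page or from the FOR508 course.

```python
"""Match a constructed IOC set against host artifacts and network log records."""
import hashlib
import statistics

# --- Constructed IOC set (hypothetical values, not real threat intelligence) ---
PAYLOAD = b"MZ\x90\x00constructed-malicious-payload"   # stand-in for a malicious binary
HOST_IOCS = {
    "sha256": {hashlib.sha256(PAYLOAD).hexdigest()},   # hash of the constructed payload
    "autorun_value_names": {"WindowsUpdateSvc"},        # hypothetical Run-key value used for persistence
}
NETWORK_IOCS = {
    "ips": {"203.0.113.45"},            # RFC 5737 documentation address standing in for a C2 server
    "domains": {"update.example.net"},  # constructed C2 domain
}

# --- Constructed host artifacts from one endpoint: file contents and Run-key values ---
FILES = {
    r"C:\Windows\Temp\svchost.exe": PAYLOAD,           # masquerading copy dropped by the intruder
    r"C:\Windows\notepad.exe": b"MZ\x90\x00benign-editor",
}
RUN_KEY = {  # HKCU\...\CurrentVersion\Run value name -> command
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "WindowsUpdateSvc": r"C:\Windows\Temp\svchost.exe",
}

# --- Constructed network records: Zeek-style conn and dns logs, tab separated ---
# conn columns (assumed): ts, src_ip, dst_ip, dst_port, proto
CONN_LOG = """\
1700000000.0\t10.0.0.5\t203.0.113.45\t443\ttcp
1700000060.1\t10.0.0.5\t203.0.113.45\t443\ttcp
1700000119.9\t10.0.0.5\t203.0.113.45\t443\ttcp
1700000180.0\t10.0.0.5\t203.0.113.45\t443\ttcp
1700000007.0\t10.0.0.7\t198.51.100.20\t443\ttcp
1700000311.0\t10.0.0.7\t198.51.100.20\t443\ttcp
"""
# dns columns (assumed): ts, src_ip, query
DNS_LOG = """\
1699999999.5\t10.0.0.5\tupdate.example.net
1700000003.0\t10.0.0.7\twww.example.com
"""


def match_host(files, run_key):
    """Host-based IOC hits as (kind, indicator, context) tuples, in discovery order."""
    hits = []
    for path, content in files.items():
        digest = hashlib.sha256(content).hexdigest()
        if digest in HOST_IOCS["sha256"]:
            hits.append(("sha256", digest, path))
    for name, command in run_key.items():
        if name in HOST_IOCS["autorun_value_names"]:
            hits.append(("autorun", name, command))
    return hits


def parse_conn(log):
    """Parse the assumed conn layout into (ts, src, dst, port, proto) rows."""
    rows = []
    for line in log.splitlines():
        ts, src, dst, port, proto = line.split("\t")
        rows.append((float(ts), src, dst, int(port), proto))
    return rows


def match_network(conn_log, dns_log):
    """Network-based IOC hits as sorted, de-duplicated (kind, indicator, source_host) tuples."""
    hits = set()
    for _ts, src, dst, _port, _proto in parse_conn(conn_log):
        if dst in NETWORK_IOCS["ips"]:
            hits.add(("ip", dst, src))
    for line in dns_log.splitlines():
        _ts, src, query = line.split("\t")
        if query in NETWORK_IOCS["domains"]:
            hits.add(("domain", query, src))
    return sorted(hits)


def beaconing_pairs(conn_log, min_connections=4, max_cv=0.05):
    """(src, dst) pairs whose inter-connection gaps are near-constant.

    Regularity is scored by the coefficient of variation (population stdev / mean)
    of the gaps; the thresholds are assumptions chosen for this example.
    """
    by_pair = {}
    for ts, src, dst, _port, _proto in parse_conn(conn_log):
        by_pair.setdefault((src, dst), []).append(ts)
    flagged = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) / statistics.mean(gaps) <= max_cv:
            flagged.append(pair)
    return flagged


if __name__ == "__main__":
    print("host-based hits:   ", match_host(FILES, RUN_KEY))
    print("network-based hits:", match_network(CONN_LOG, DNS_LOG))
    print("beaconing pairs:   ", beaconing_pairs(CONN_LOG))
```

The hash and Run-key hits would survive an attacker blocking or encrypting egress; the IP and DNS hits would survive the attacker wiping the dropped binary and its Run key; and the beaconing check catches the 60-second cadence to 203.0.113.45 even if that address were rotated to one not yet on any list, which is the point made above about behavioral indicators outliving atomic ones.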
