What is an Indicator of Compromise (IOC) primarily used to describe?

Prepare for the SANS FOR508 Exam.

Multiple Choice

What is an Indicator of Compromise (IOC) primarily used to describe?

Explanation:
Indicators of Compromise are observable artifacts that suggest a system may have been breached. They are described in a precise, standardized way so security personnel and automated tools can act on them. This includes attacker tools and tradecraft expressed in a language that humans and security systems can understand, often using boolean logic to combine indicators and detect malware or intrusions. Examples include malware file hashes, IP addresses, domain names, file names, mutexes, registry changes, and YARA rules, all used to build detections and hunt for threats.

The other options don’t fit because they describe metrics or artifacts that aren’t indicators of compromise: network bandwidth statistics are general network metrics, a timeline is a sequence of events, and an incident report template is documentation.
