Key requirements for the detection and sharing of behavioral indicators of compromise

Antonio Villalón-Huerta, Ismael Ripoll-Ripoll, Hector Marco-Gisbert*

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

34 Downloads (Pure)


Cyber threat intelligence feeds the focus on atomic and computed indicators of compromise. These indicators are the main source of tactical cyber intelligence most organizations benefit from. They are expressed in machine-readable formats, and they are easily loaded into security devices in order to protect infrastructures. However, their usefulness is very limited, specially in terms of time of life. These indicators can be useful when dealing with non-advanced actors, but they are easily avoided by advanced ones. To detect advanced actor’s activities, an analyst must deal with behavioral indicators of compromise, which represent tactics, techniques and procedures that are not as common as the atomic and computed ones. In this paper, we analyze why these indicators are not widely used, and we identify key requirements for successful behavioral IOC detection, specification and sharing. We follow the intelligence cycle as the arranged sequence of steps for a defensive team to work, thereby providing a common reference for these teams to identify gaps in their capabilities.
Original languageEnglish
Article number416
Number of pages20
Issue number3
Publication statusPublished - 29 Jan 2022
Externally publishedYes


  • cyber threat intelligence
  • indicator of compromise
  • IOC
  • TTP
  • CK


Dive into the research topics of 'Key requirements for the detection and sharing of behavioral indicators of compromise'. Together they form a unique fingerprint.

Cite this