IoC (Indicator of Compromise)
Evidence of a security breach, such as malicious network connections, unexpected processes, or unusual communication patterns. IoCs from ORDR asset telemetry enrich SIEM and SOAR investigations.
What is IoC (Indicator of Compromise)?
An Indicator of Compromise (IoC) is a piece of forensic data — a network signature, file hash, registry key, IP address, domain name, or behavioral pattern — that suggests a system has been compromised or is being targeted by malicious activity. IoCs are the operational artifacts of threat intelligence: they translate abstract threat knowledge into specific, detectable signals that can be checked against environment telemetry.
Traditional IoCs — malicious file hashes, known C2 IP addresses, suspicious domain names — are well-suited to IT environments where endpoint agents can observe file system activity and process behavior. In IoT and OT environments, many of these IoC types are inapplicable: the devices typically expose no file system that can be scanned, cannot run EDR agents, and do not generate the process-level telemetry that traditional IoC detection relies on.
Network-based IoCs are the primary detection mechanism for IoT and OT devices: connections to known-malicious IP addresses, DNS queries for malicious domains, protocol patterns that match known attack tool signatures, and anomalous communication flows that don't match the device's behavioral baseline. ORDR's integration with threat intelligence feeds enables matching device traffic against network IoCs even for devices that cannot participate in endpoint-based detection.
Key Facts
- Network-based IoCs are the primary detection mechanism for IoT and OT devices that can't run agents, since their traffic can be observed passively without any on-device software
- CISA regularly publishes IoC lists associated with critical infrastructure attack campaigns
- Raw IoC feed matches produce a high volume of low-value and false-positive alerts when they are not filtered and prioritized with device context (device type, criticality, and expected behavior)
- Behavioral anomalies that don't match known IoCs are detected by baseline comparison — catching novel attacks that IoC lists miss
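The network-IoC matching described above, combined with the baseline comparison and device-context prioritization noted in the key facts, as an added Python example. This is illustrative code written for this page, not ORDR's product code or any real feed integration; the IoC feed, device inventory, behavioral baseline and flow records are all constructed sample data (RFC 5737 documentation IP ranges and example domains), and the P1-P4 priority scheme is an assumed one.

```python
import ipaddress

# Constructed IoC feed. The values are RFC 5737 documentation addresses and
# example domains, not indicators from any real advisory.
IOC_FEED = {
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "ipv4_cidr": [ipaddress.ip_network("192.0.2.0/24")],
    "domains": {"c2.example.net", "update.badcdn.example"},
}

# Constructed device inventory: the context that drives prioritization.
DEVICES = {
    "10.10.1.20": {"type": "infusion_pump", "criticality": "high"},
    "10.10.1.55": {"type": "ip_camera", "criticality": "low"},
    "10.10.2.8": {"type": "plc", "criticality": "high"},
}
UNKNOWN_DEVICE = {"type": "unknown", "criticality": "medium"}

# Constructed behavioral baseline: (dst, dport) pairs each device normally uses.
BASELINE = {
    "10.10.1.20": {("10.10.0.5", 443), ("10.10.0.9", 53)},
    "10.10.1.55": {("10.10.0.12", 554)},
    "10.10.2.8": {("10.10.2.1", 502)},
}

# Constructed flow records; "qname" is set when the flow is a DNS query.
FLOWS = [
    {"src": "10.10.1.20", "dst": "10.10.0.5", "dport": 443, "qname": None},
    {"src": "10.10.1.20", "dst": "203.0.113.45", "dport": 8443, "qname": None},
    {"src": "10.10.1.55", "dst": "10.10.0.9", "dport": 53, "qname": "c2.example.net"},
    {"src": "10.10.2.8", "dst": "10.10.2.77", "dport": 502, "qname": None},
]

PRIORITY_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}


def ip_matches(dst, feed):
    """True if dst is a listed IoC address or falls inside a listed CIDR."""
    if dst in feed["ipv4"]:
        return True
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in feed["ipv4_cidr"])


def domain_matches(qname, domains):
    """True if qname equals a listed domain or is a subdomain of one."""
    if not qname:
        return False
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def priority(has_ioc, deviates, criticality):
    """Assumed ranking: a feed hit on a high-criticality device outranks all;
    a baseline deviation with no feed hit is still surfaced, but lower."""
    if has_ioc and criticality == "high":
        return "P1"
    if has_ioc:
        return "P2"
    if deviates and criticality == "high":
        return "P3"
    return "P4"


def evaluate_flows(flows, feed=IOC_FEED, devices=DEVICES, baseline=BASELINE):
    """Match each flow against network IoCs and the device's baseline,
    attach device context, and return alerts sorted by priority."""
    alerts = []
    for f in flows:
        reasons = []
        if ip_matches(f["dst"], feed):
            reasons.append("ioc_ip:" + f["dst"])
        if domain_matches(f["qname"], feed["domains"]):
            reasons.append("ioc_domain:" + f["qname"])
        deviates = (f["dst"], f["dport"]) not in baseline.get(f["src"], set())
        if deviates:
            reasons.append("baseline_deviation")
        if not reasons:
            continue  # expected traffic with no indicator: suppress
        has_ioc = any(r.startswith("ioc_") for r in reasons)
        dev = devices.get(f["src"], UNKNOWN_DEVICE)
        alerts.append({
            "src": f["src"],
            "device_type": dev["type"],
            "criticality": dev["criticality"],
            "reasons": reasons,
            "priority": priority(has_ioc, deviates, dev["criticality"]),
        })
    alerts.sort(key=lambda a: PRIORITY_ORDER[a["priority"]])
    return alerts


if __name__ == "__main__":
    for a in evaluate_flows(FLOWS):
        print(a["priority"], a["src"], a["device_type"], a["reasons"])
```

Running it yields three alerts: the infusion pump reaching a feed-listed address (P1), the camera resolving a feed-listed domain (P2), and the PLC talking Modbus to a host outside its baseline with no feed hit at all (P3). The fourth flow, the pump's normal HTTPS session, produces nothing. The domain check deliberately matches subdomains but not lookalike suffixes, and the CIDR check catches addresses a flat set would miss.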
How ORDR Addresses IoC (Indicator of Compromise)
ORDR continuously matches device network activity against IoC feeds including CISA alerts, ICS-CERT advisories, and commercial threat intelligence. When a device communicates with a known-malicious indicator, ORDR generates an immediate alert enriched with device context — type, criticality, behavioral history — to support rapid triage. ORDR also exports device telemetry as IoCs to SIEM and SOAR platforms for broader threat hunting.