Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.

Operational Value of Indicators of Compromise White Paper
Most organizations prioritize processing internal information over processing and acting on external Indicator of Compromise (IOC) feeds. There is significant debate in the cybersecurity community as to what operational value some IOCs provide to organizations, since threat actors can and do change IOCs routinely to avoid detection. During the State, Local, Tribal, and Territorial IOC Automation Pilot, Johns Hopkins Applied Physics Laboratory discovered that the right question is not if IOCs are operationally valuable, but when.