Here are three “micro-terms” every insurance professional should know. They show up in breach reports, forensic summaries, underwriting notes, and claims files — and together, they form the vocabulary of modern cyber risk.
- IOC — Indicator of Compromise
An IOC is a clue that something bad has happened. Think of it like a footprint at a crime scene: an unusual file, a suspicious IP address, a known malicious domain, or a registry change that shouldn’t exist.
Why it matters:
IOCs help teams confirm an incident and understand what the attacker touched. They’re the “evidence markers” investigators use to reconstruct what happened.
- TTP — Tactics, Techniques, and Procedures
TTPs describe how attackers operate — their playbook. They capture the behaviors, patterns, and methods attackers use, and they are catalogued in the MITRE ATT&CK framework, which gives each technique an ID.
Why it matters:
TTPs tell you whether a company can detect real attacker behavior, not just known malware. They reveal whether defenses are tuned to spot how attackers move, not just the tools they use.
- CVE — Common Vulnerabilities and Exposures
A CVE is a publicly documented software flaw. Each one has an ID number and a severity score from the Common Vulnerability Scoring System (CVSS) that helps organizations understand how dangerous it is.
Why it matters:
CVE severity helps insurers understand how exposed a company is — and whether they patch quickly. High-severity CVEs left unpatched are one of the strongest predictors of breach likelihood.
⭐ Sidebar: What’s the Difference Between CVE and MITRE ATT&CK?
CVE (Common Vulnerabilities and Exposures)
CVE IDs describe software flaws — specific bugs or weaknesses that attackers can exploit.
They answer the question:
“What’s broken?”
MITRE ATT&CK
ATT&CK technique IDs describe attacker behaviors — the actions hackers take before, during, and after an intrusion.
They answer the question:
“What is the attacker doing?”
How they fit together
A CVE might be the entry point (an unpatched vulnerability).
MITRE ATT&CK describes the moves the attacker makes once inside (credential dumping, lateral movement, process injection, etc.).
In short:
CVE = the vulnerability
ATT&CK = the playbook
Real-World Example: When All Three Come Together
A regional healthcare provider was hit with ransomware. During the investigation, analysts found:
- IOC: A known malicious IP address communicating with an internal server
- TTP: The attacker used credential dumping and lateral movement techniques consistent with a well-known ransomware group
- CVE: The initial entry point was an unpatched VPN vulnerability with a critical CVSS score
Each element told a different part of the story:
- The CVE explained how the attacker got in
- The TTPs explained how they moved through the network
- The IOCs confirmed what systems were touched
For insurers, this combination is powerful. It reveals:
- Whether the company patched critical vulnerabilities
- Whether they could detect attacker behavior
- How quickly they identified and contained the incident
In this case, the unpatched CVE was the root cause — and the claim was both large and preventable.
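To make the correlation concrete, here is an added Python example (not from the original article) that runs simple detection logic over a few constructed log lines and an assumed asset inventory, producing the same three-part story: CVE entry point, ATT&CK-tagged behavior, IOC hits. The host names, IP addresses, event names and the CVE id are placeholders; the ATT&CK technique IDs are the real ones for credential dumping and lateral movement.

```python
"""Added example, not from the original article: correlate the IOC, TTP and
CVE findings from the scenario above. All values are constructed placeholders."""
import re

# IOC: known-malicious address (constructed; 203.0.113.0/24 is a documentation range).
IOC_IPS = {"203.0.113.45"}

# TTP: logged behaviours mapped to ATT&CK technique IDs (the IDs are real
# ATT&CK identifiers; the event names on the left are assumed for this example).
TTP_MAP = {
    "lsass_memory_read": ("T1003", "OS Credential Dumping"),
    "admin_share_logon": ("T1021", "Remote Services (lateral movement)"),
}

# CVE: asset inventory with patch status (placeholder CVE id, not a real one).
ASSETS = {
    "vpn-gw-01": {"cve": "CVE-YYYY-NNNNN", "cvss": 9.8, "patched": False},
    "file-srv-02": {"cve": None, "cvss": None, "patched": True},
}

# Constructed log lines in the form "<timestamp> <host> <event> <details>".
LOGS = [
    "2024-03-01T02:10:05Z vpn-gw-01 vpn_login user=svc_backup src=203.0.113.45",
    "2024-03-01T02:14:30Z vpn-gw-01 lsass_memory_read proc=tool.exe",
    "2024-03-01T02:20:11Z file-srv-02 admin_share_logon user=svc_backup src=10.0.5.12",
    "2024-03-01T02:25:48Z file-srv-02 outbound_conn dst=203.0.113.45:443",
    "2024-03-01T02:26:00Z file-srv-02 service_start name=Spooler",
]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def correlate(logs=LOGS, assets=ASSETS):
    """Return the CVE entry point, ATT&CK-tagged behaviours and IOC hits."""
    story = {"cve": [], "ttp": [], "ioc": []}
    for host, a in assets.items():            # how they got in
        if a["cve"] and not a["patched"]:
            story["cve"].append((host, a["cve"], a["cvss"]))
    for line in logs:
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip malformed lines
        ts, host, event, details = m.groups()
        if event in TTP_MAP:                  # what they did
            story["ttp"].append((ts, host) + TTP_MAP[event])
        for ip in IP_RE.findall(details):     # what they left behind
            if ip in IOC_IPS:
                story["ioc"].append((ts, host, ip))
    return story
```

Running `correlate()` yields one unpatched critical CVE on the VPN gateway, two ATT&CK techniques in time order, and two IOC hits that show which hosts talked to the malicious address.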
Literary Parallel
In the Sherlock Holmes stories, Holmes often solves cases by combining three elements: a physical clue, an understanding of the criminal’s methods, and knowledge of past cases. That’s exactly how IOCs, TTPs, and CVEs work together in cybersecurity:
- IOC: The footprint on the carpet
- TTP: The criminal’s signature method
- CVE: The unlocked window that let them in
Holmes never solves a case with just one clue — and neither do cyber investigators.
The Takeaway
These micro-terms show up everywhere in cyber reports and claims. Understanding them helps bridge the gap between technical findings and insurance impact. Together, they explain:
- How attackers got in (CVE)
- What they did (TTP)
- What evidence they left behind (IOC)
They’re small terms — but they tell the big story.
Pop Culture Parallel
If you’ve seen Mr. Robot, the way Elliot pieces together clues from system logs, attacker behavior, and software flaws mirrors exactly how IOCs, TTPs, and CVEs help analysts understand what happened during a real incident.
Learn more at https://insurancedesignationlookup.com/cyber-orientation/