IoC: What are Indicators of Compromise?
Indicators of Compromise (IoCs) is a term frequently used by cyber security practitioners. Indicators are the evidence that leads IT security professionals to believe a cyber security event could be underway or in progress; in other words, protection controls might be getting compromised.
You can think of IOCs as the breadcrumbs which can lead an organization to uncovering suspicious activities on a system or network. IoCs give valuable information about what has happened, but they can also be used to prepare for the future and prevent similar attacks. These pieces of forensic data help IT security practitioners identify data breaches, malware infections, and other security threats. Monitoring all activity on a network to understand potential indicators of compromise can allow for early detection of malicious activity and breaches.
Unusual activity can be flagged as an IOC indicating a potential threat. Unfortunately, these red flags are not usually that easy to detect. These IOCs can range from something as simple as metadata elements to incredibly complex malicious code and content stamps that slip through the cracks. When a cyber event takes place, traces of its activity can be left in system and log files. These IoCs present the activity on your network that you may not otherwise be able to see in real time and that could suggest potentially malicious activity is taking place. Security analysts have to have a good understanding of what the current normal or expected activities are for a given network; then they have to identify various IOCs and look for correlations that piece together to signify a potential threat.
In addition to Indicators of Compromise, there are also Indicators of Attack. Indicators of Attack are very similar to IOCs, but instead of identifying a compromise that’s potential or in progress, these indicators point to an attacker’s activity while an attack is in process.
The key to both IOCs and IOAs is being proactive. Security technologies use known indicators of compromise, such as a virus signature, to proactively guard against evasive threats. Indicators of compromise can also be used in heuristic analysis. Early warning signs are hard to decipher, but a good understanding, combined with proper analysis by experienced cyber security practitioners, gives a business the best chance of protecting its network.
Examples of Indicators of Compromise / What Do Indicators of Compromise Look Like?
Here are some of the more common examples of IoCs in operation:
1. Unusual Outbound Network Traffic
Maybe one of the most common telltale signs is anomalies in network traffic patterns and volumes. Traffic inside the network, though often overlooked, can be the biggest indicator letting IT security professionals know something isn’t quite right. If the outbound traffic increases heavily or simply isn’t typical, you could have a problem. Fortunately, traffic inside your network is easier to monitor, and compromised systems will often have visible traffic before any real damage is done to the network. The best approach is to monitor all activity on your network - both inbound and outbound.
2. Geographic Irregularities
If you have ever received a notification from your service provider warning you that your mailbox has been accessed from another country, you will understand what a geographical irregularity is. Irregular log-ins and access from an unusual geographic location for any account are useful evidence that attackers are infiltrating the network from far away. If there is traffic with countries you don’t do business with, that is a huge red flag and should be followed up on immediately. Fortunately, this is one of the easier indicators to identify and mitigate.
3. Anomalies in Privileged User Account Activity
Account takeovers and insider attacks can both be discovered by tracking unusual activity in privileged accounts. Any odd behavior in an account should be flagged and followed up on. Major indicators could be an escalation in the privileges of an account, or an account being used to leapfrog into other accounts with higher privileges.
4. Log-In Anomalies
Login irregularities and failures are both useful clues that your network and systems are being probed. A large number of failed logins on an existing account, and failed logins with user accounts that don’t exist, are two IOCs that whoever is trying to access your data is not a currently authorized user.
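As an added example (not code from the original article), the following Python script shows how the geographic irregularities from IOC #2 and the two login anomalies from IOC #4 can be pulled out of an authentication log. The log lines, the log format, the IP-to-country table standing in for a real GeoIP database, the list of known users and the failure threshold are all constructed assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample auth log (not from the original article). The format is an
# assumption: "<timestamp> <SUCCESS|FAIL> user=<name> src=<ip>".
AUTH_LOG = """\
2024-03-01T08:00:01 SUCCESS user=alice src=203.0.113.10
2024-03-01T08:00:05 FAIL user=alice src=203.0.113.10
2024-03-01T08:01:00 SUCCESS user=bob src=198.51.100.7
2024-03-01T08:02:00 FAIL user=bob src=192.0.2.44
2024-03-01T08:02:01 FAIL user=bob src=192.0.2.44
2024-03-01T08:02:02 FAIL user=bob src=192.0.2.44
2024-03-01T08:02:03 FAIL user=bob src=192.0.2.44
2024-03-01T08:02:04 FAIL user=bob src=192.0.2.44
2024-03-01T08:02:05 FAIL user=bob src=192.0.2.44
2024-03-01T08:03:00 FAIL user=admin src=192.0.2.44
2024-03-01T08:03:01 FAIL user=root src=192.0.2.44
2024-03-01T08:03:02 FAIL user=test src=192.0.2.44
2024-03-01T09:00:00 SUCCESS user=alice src=192.0.2.44
"""

# Constructed stand-in for a GeoIP lookup (IP -> ISO country code). "XX" is a
# placeholder for a country the business has no presence in.
GEOIP = {
    "203.0.113.10": "US",
    "198.51.100.7": "US",
    "192.0.2.44": "XX",
}

KNOWN_USERS = {"alice", "bob", "carol"}   # hypothetical user directory
ALLOWED_COUNTRIES = {"US"}                # where logins are expected from
FAILED_LOGIN_THRESHOLD = 5                # failures on one account before flagging

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>SUCCESS|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse the constructed log into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def geographic_irregularities(events):
    """Successful logins from a country outside the allowed set (IOC #2)."""
    hits = []
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        country = GEOIP.get(e["src"], "UNKNOWN")
        if country not in ALLOWED_COUNTRIES:
            hits.append((e["user"], e["src"], country))
    return hits


def login_anomalies(events):
    """IOC #4: many failures on an existing account, and failures against
    accounts that do not exist. Returns (brute_force_dict, unknown_account_list)."""
    failures = Counter(e["user"] for e in events if e["result"] == "FAIL")
    brute_force = {u: n for u, n in failures.items()
                   if u in KNOWN_USERS and n >= FAILED_LOGIN_THRESHOLD}
    unknown_accounts = sorted(u for u in failures if u not in KNOWN_USERS)
    return brute_force, unknown_accounts


if __name__ == "__main__":
    ev = parse_auth_log(AUTH_LOG)
    print("geographic irregularities:", geographic_irregularities(ev))
    print("login anomalies:", login_anomalies(ev))
```

Both detectors depend on a baseline the organization has to supply (where its users normally log in from, which accounts exist); the code only makes the comparison. In practice the GeoIP table would be a real database and the thresholds would be tuned to the environment's normal failure rate.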
5. Increased Volume in Database Read
Most organizations store their most confidential and important data in databases which makes them a prime target. An increase in the read volume of database(s) could be a good indicator that an attacker is in. They’ve found a way to infiltrate your network, and now they are gathering up your data to exfiltrate it.
6. DNS Request Anomalies
Most Internet communication starts with one or more Domain Name System (DNS) lookups. Command-and-control traffic is very important for cyber attackers: it allows for ongoing management of the attack, and it must be secure so that security professionals can’t easily take it over. These traffic patterns can be identified. Observing a large spike in DNS requests from a specific host is a good IOC. Outgoing requests to external hosts, correlated with GeoIP and reputation data, can alert a security professional to suspicious activity that should be mitigated.
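As an added example (not code from the original article), this Python snippet applies the two DNS checks described above to a resolver query log: it flags a host whose lookup count is far above its peers, and it counts lookups under domains that a reputation feed marks as suspicious. The query records, the record format, the spike factor and the "low reputation" list are constructed assumptions; the last stands in for whatever reputation feed an organization actually subscribes to.

```python
import re
from collections import Counter
from statistics import median

# Constructed resolver log (not from the original article). Assumed record
# format: "client=<ip> query=<fqdn>". Three workstations perform ordinary
# lookups; a fourth issues a burst of lookups under a single external domain.
def build_sample_log():
    lines = []
    for host in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
        for name in ("mail.example.com", "intranet.example.com",
                     "www.example.org", "updates.example.net"):
            lines.append(f"client={host} query={name}")
    for i in range(60):
        lines.append(f"client=10.0.0.99 query=s{i:03d}.lookup.example.test")
    return lines


SAMPLE_LOG = build_sample_log()

# Constructed stand-in for a domain-reputation feed.
LOW_REPUTATION_DOMAINS = {"lookup.example.test"}
SPIKE_FACTOR = 5   # flag a host issuing more than 5x the median host's lookups

RECORD_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+)")


def parse_dns_log(lines):
    """Turn each log line into a dict; lines that do not match are skipped."""
    recs = []
    for line in lines:
        m = RECORD_RE.search(line)
        if m:
            recs.append(m.groupdict())
    return recs


def query_spikes(recs, factor=SPIKE_FACTOR):
    """Hosts whose lookup count exceeds factor x the median per-host count (IOC #6)."""
    per_host = Counter(r["client"] for r in recs)
    baseline = median(per_host.values())
    return {h: n for h, n in per_host.items() if n > factor * baseline}


def on_reputation_list(fqdn):
    """True if the name is, or sits under, a listed domain."""
    name = fqdn.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in LOW_REPUTATION_DOMAINS)


def low_reputation_lookups(recs):
    """Per-host count of lookups that hit the reputation list."""
    hits = Counter(r["client"] for r in recs if on_reputation_list(r["query"]))
    return dict(hits)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    print("query spikes:", query_spikes(recs))
    print("low-reputation lookups:", low_reputation_lookups(recs))
```

The median is used as the baseline rather than the mean so that the one noisy host does not drag the baseline up and hide itself; a real deployment would compute the baseline over a longer window of known-normal traffic rather than over the same batch being inspected.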
7. Large Number of Requests for the Same File
Hackers and attackers have to use a lot of trial and error to get what they want from your system. These trials and errors are IOCs, as hackers try to see what kind of exploitation will stick. If one file, say a credit card file, has been requested many times with different permutations, you could be under attack. Seeing 500 IPs request a file when typically there would be one is an IOC that needs to be checked up on.
8. HTML Response Size
An abnormally large HTML response size can mean that a large piece of data was exfiltrated. For the credit card database used as an example in the previous IOC, the HTML response would be about 20 – 50 MB, which is much larger than the average 200 KB response one should expect for a typical request.
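As an added example (not code from the original article) covering both IOC #7 and IOC #8, the Python below reads a web server access log and reports (a) any path requested by an unusually large number of distinct client addresses and (b) any response far larger than the typical size. The log lines are constructed in Common Log Format style; the distinct-IP threshold, the 200 KB typical response size taken from the text, and the size factor are assumptions to be tuned per site.

```python
import re
from collections import defaultdict

# Constructed access log in Common Log Format style (not from the original article).
def build_sample_access_log():
    lines = []
    # Ordinary traffic: a few clients fetching a couple of pages of ~200 KB.
    for i in range(5):
        lines.append(f'10.1.0.{i + 1} - - [01/Mar/2024:10:00:0{i} +0000] '
                     f'"GET /index.html HTTP/1.1" 200 204800')
        lines.append(f'10.1.0.{i + 1} - - [01/Mar/2024:10:00:1{i} +0000] '
                     f'"GET /about.html HTTP/1.1" 200 190000')
    # IOC #7 pattern: many distinct clients all requesting the same file.
    for i in range(40):
        lines.append(f'203.0.113.{i + 1} - - [01/Mar/2024:11:00:00 +0000] '
                     f'"GET /export/records.csv HTTP/1.1" 200 1500')
    # IOC #8 pattern: one response of about 40 MB.
    lines.append('203.0.113.200 - - [01/Mar/2024:11:05:00 +0000] '
                 '"GET /report?id=all HTTP/1.1" 200 41943040')
    return lines


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

DISTINCT_IP_THRESHOLD = 20          # distinct clients per path before flagging
TYPICAL_RESPONSE_BYTES = 200 * 1024 # the ~200 KB typical size from the text (assumption)
SIZE_FACTOR = 10                    # flag responses more than 10x the typical size


def parse_access_log(lines):
    """Parse CLF-style lines into dicts; the size becomes an int or None for '-'."""
    recs = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["size"] = None if r["size"] == "-" else int(r["size"])
        recs.append(r)
    return recs


def same_file_many_sources(recs, threshold=DISTINCT_IP_THRESHOLD):
    """Paths requested by at least `threshold` distinct client IPs (IOC #7)."""
    ips_per_path = defaultdict(set)
    for r in recs:
        ips_per_path[r["path"]].add(r["ip"])
    return {p: len(ips) for p, ips in ips_per_path.items() if len(ips) >= threshold}


def oversized_responses(recs, baseline=TYPICAL_RESPONSE_BYTES, factor=SIZE_FACTOR):
    """Responses larger than factor x the baseline size (IOC #8)."""
    return [(r["ip"], r["path"], r["size"]) for r in recs
            if r["size"] is not None and r["size"] > factor * baseline]


if __name__ == "__main__":
    recs = parse_access_log(build_sample_access_log())
    print("same file, many sources:", same_file_many_sources(recs))
    print("oversized responses:", oversized_responses(recs))
```

The baseline size is passed in rather than computed from the batch under inspection: in a log dominated by many small probing requests, a median computed on the spot would be tiny and would make every normal page look oversized.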
9. Mismatched Port-Application Traffic
Attackers can try to take advantage of an obscure port to mask their activities. If a standard application is using an unusual port, it’s an IOC of command-and-control traffic acting as normal application behavior. Because this traffic can be masked differently, it can be harder to flag.
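As an added example (not code from the original article) serving both IOC #1 (unusual outbound traffic volume) and IOC #9 (mismatched port-application traffic), the Python below works over a small set of flow records. The records, the application label attached to each flow (standing in for what a DPI-capable sensor or application-aware NetFlow would provide), the expected-port table and the volume factor are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records (not from the original article):
# (src_host, dst_ip, dst_port, app_label, bytes_out). The app label is an
# assumption about what an application-aware sensor would attach to each flow.
FLOWS = [
    ("10.2.0.5", "203.0.113.80", 443, "tls", 120_000),
    ("10.2.0.5", "203.0.113.80", 443, "tls", 80_000),
    ("10.2.0.6", "203.0.113.80", 443, "tls", 95_000),
    ("10.2.0.6", "203.0.113.80", 80, "http", 30_000),
    ("10.2.0.7", "203.0.113.80", 443, "tls", 110_000),
    ("10.2.0.7", "203.0.113.80", 53, "dns", 2_000),
    # One host sends far more outbound data than its peers, and carries
    # plain HTTP over a port where the sensor does not expect it.
    ("10.2.0.9", "198.51.100.23", 8443, "http", 2_500_000),
    ("10.2.0.9", "198.51.100.23", 8443, "http", 3_100_000),
    ("10.2.0.9", "198.51.100.23", 443, "tls", 50_000),
]

# Ports on which each application label is expected (constructed policy table).
EXPECTED_PORTS = {"http": {80, 8080}, "tls": {443}, "dns": {53}, "ssh": {22}}
VOLUME_FACTOR = 5   # flag hosts sending more than 5x the median host's bytes


def outbound_bytes_per_host(flows):
    """Sum outbound bytes by source host."""
    totals = defaultdict(int)
    for src, _dst, _port, _app, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def outbound_volume_anomalies(flows, factor=VOLUME_FACTOR):
    """Hosts whose outbound volume exceeds factor x the median host (IOC #1)."""
    totals = outbound_bytes_per_host(flows)
    baseline = median(totals.values())
    return {h: b for h, b in totals.items() if b > factor * baseline}


def port_application_mismatches(flows):
    """Flows whose application label does not fit the destination port (IOC #9).
    Unknown labels are not judged, since there is no expectation to compare against."""
    hits = []
    for src, dst, port, app, _n in flows:
        expected = EXPECTED_PORTS.get(app)
        if expected is not None and port not in expected:
            hits.append((src, dst, port, app))
    return hits


if __name__ == "__main__":
    print("outbound volume anomalies:", outbound_volume_anomalies(FLOWS))
    print("port/application mismatches:", port_application_mismatches(FLOWS))
```

A host that trips both checks at once, as the constructed 10.2.0.9 does, is exactly the correlation the article asks analysts to look for: neither signal alone is conclusive, but together they narrow the investigation.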
10. Suspicious Registry
One of the ways malware writers establish themselves within an infected host is through registry changes. This can also include installing packet-sniffing software as a data-harvesting tool on your network. To recognize these types of IOCs, it’s important to have that baseline “normal” established, which includes a clean registry. Monitoring for deviation from the baseline can decrease response time to this kind of attack.
Detection and Response
These are just a handful of the ways suspicious activity can show up on a network. Fortunately, IT professionals and managed security service providers look for these and other IOCs to decrease response time to potential threats.
Monitoring for IOCs enables your organization to mitigate potential damage that could be done by an attacker. With such issues, the response is reactive versus proactive, but early detection can mean the difference between a full blown ransomware attack leaving your business crippled and a few missing files or partial degradation.
IOC security requires specialized tools to provide the necessary monitoring and forensic analysis of incidents. IOCs are reactive in nature, but they’re still a major piece of the cyber security puzzle, ensuring an attack isn’t going on long before it is shut down.
Another important part of the puzzle is your data resilience, just in case the worst does happen, so that you are not left with no alternative to paying the ransom to the hackers.
The battle against malware and cyber attacks is an ongoing and difficult one, as it evolves every day. Your security team might already have policies in place to try and curb as many of these threats as possible. Keeping your employees trained on these policies is as important as the security monitoring.