Indicators of compromise (IOCs) are pieces of forensic data, such as system log entries, system files or network traffic, that identify potentially malicious activity on a system or network. Digital forensics analysts and information security professionals use indicators of compromise to detect data breaches, malware infections and other security incidents.
By monitoring for indicators of compromise, security teams can detect cyber attacks and act quickly to prevent security breaches from occurring, limit damages and improve incident response.
Indicators of compromise act as red flags that help InfoSec and cybersecurity teams spot suspicious activity quickly. They can reveal threat actors preparing an attack, or expose in-progress attacks that could lead to data breaches, ransomware infections and other types of malware.
Why Your Organization Should Monitor for Indicators of Compromise
Monitoring for indicators of compromise can help organizations respond to cyber threats as they are detected, which can help with incident response and provide the necessary components for effective computer forensics.
As security teams discover recurring patterns of specific indicators of compromise, they can update, add or adjust security tools and information security policies to protect against them in future attacks.
Furthermore, there has been increasing regulatory scrutiny to develop a consistent, structured approach to detection, prevention and reporting of security incidents across industries. For example, GLBA, PIPEDA and FISMA call for some form of continuous monitoring, as does the NIST Cybersecurity Framework.
Standards such as STIX, TAXII and OpenIOC aim to standardize how IOCs are documented, reported and shared.
What are Examples of Indicators of Compromise?
- Unusual outbound network traffic: It's simple for system administrators and network security professionals to discover large amounts of unusual outbound traffic. This could be a piece of spyware communicating with its command-and-control servers or an attacker stealing sensitive data. Network intrusion detection software and outbound traffic monitoring can raise an alert whenever an unusual level of traffic is detected.
- Anomalies in privileged user account activity: Privilege escalation attacks, as well as social engineering scams like phishing and spear phishing, can lead to malicious actors gaining unauthorized access to privileged user accounts. For organizations that don't employ a defense in depth strategy with access control that follows the principle of least privilege, any account compromise can lead to privileged user account access.
- Geographical irregularities: Unusual traffic isn't only about the amount of bandwidth used; the region the traffic originates from matters too. For instance, when your S3 bucket receives logins from IP addresses that appear to be from a different region, it could be a cause for concern. Yes, IP attribution is flawed, but this doesn't reduce the value of this threat intelligence exercise.
- Other login red flags: System administrators may discover that a privileged user's account has had multiple failed login attempts, possibly indicating a brute-force attack.
- Increased database read volume: A common indicator of a data breach or data leak is increased database activity, such as complete database dumps, which could indicate an attacker has gained access to the system and has extracted information.
- HTML response sizes: Successful SQL injections used to extract sensitive data from a web application generally produce a larger HTML response size than normal requests.
- Large number of requests for the same file: It can take a lot of trial and error to find a point of entry (attack vector) or a vulnerability exploit that works, so one user making many requests for the same file is a possible indicator.
- Mismatched port-application traffic: Attackers will often take advantage of obscure ports to get around filters.
- Suspicious registry or system file changes: Malware often makes registry changes, which is why creating a baseline is an important part of dealing with malware infections.
- Domain Name System request anomalies: DNS requests and traffic to command-and-control servers often follow a standard pattern, which can serve as a good indicator of suspicious activity.
- Unexpected patching of systems: Keeping your system up-to-date is generally a good thing but unexpected patching could be a sign of a computer worm or attacker closing a vulnerability, exploit or attack vector so others can't use it.
- Mobile device settings changes: Attackers are increasingly focused on mobile devices. Keep an eye out for changes in your device settings, replacement apps used for man-in-the-middle attacks, or new apps you didn't install.
- Aggregated data in the wrong place: Files in odd places or archives of sensitive data that shouldn't exist are a good sign of an impending data breach.
- Web traffic with non-human behavior: Web traffic that doesn't look like regular human behavior should be investigated.
- Signs of distributed-denial-of-service (DDoS) attacks: DDoS attacks powered by botnets are frequently used to distract from a secondary attack on the confidentiality or integrity of your systems.
- Changes in security rating: Your organization's security rating is a good measure of your organization's security; a lowered security rating can indicate a potential security incident.
- Exposed credentials: Leaked login credentials can be used to launch additional cyber attacks and can indicate your organization has been compromised, so invest in a tool that continuously monitors for leaked credentials.
- Changes in vendor security ratings: Third-party vendors that process sensitive data are an extension of your organization. You need to continuously monitor your vendors' security performance.
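Several of the indicators above (failed-login bursts, oversized HTML responses, and one client repeatedly requesting the same file) can be checked directly against ordinary server logs. The following script is an added example, not code from the original article or from UpGuard: it parses constructed Common Log Format and SSH auth log lines (documentation IP ranges, invented hostnames), runs one simple detector per indicator, and then counts how many distinct indicator types each source IP triggered, since one source tripping several indicators is a stronger lead than any single alert. The thresholds and the "10x the median response size" baseline are assumptions for illustration, not tuned values.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample access log (Common Log Format) using RFC 5737
# documentation addresses; this is not captured traffic.
ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 1900
10.0.0.7 - - [10/Oct/2023:13:55:52 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.7 - - [10/Oct/2023:13:55:58 +0000] "GET /contact.html HTTP/1.1" 200 1750
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=reports HTTP/1.1" 200 512000
203.0.113.9 - - [10/Oct/2023:13:56:03 +0000] "GET /admin.php HTTP/1.1" 404 300
203.0.113.9 - - [10/Oct/2023:13:56:04 +0000] "GET /admin.php HTTP/1.1" 404 300
203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "GET /admin.php HTTP/1.1" 404 300
203.0.113.9 - - [10/Oct/2023:13:56:06 +0000] "GET /admin.php HTTP/1.1" 404 300
203.0.113.9 - - [10/Oct/2023:13:56:07 +0000] "GET /admin.php HTTP/1.1" 404 300
203.0.113.9 - - [10/Oct/2023:13:56:08 +0000] "GET /admin.php HTTP/1.1" 404 300
"""

# Constructed sample sshd auth log lines (hostname "web01" is invented).
AUTH_LOG = """\
Oct 10 13:57:01 web01 sshd[1200]: Failed password for admin from 203.0.113.9 port 51000 ssh2
Oct 10 13:57:03 web01 sshd[1200]: Failed password for admin from 203.0.113.9 port 51001 ssh2
Oct 10 13:57:05 web01 sshd[1200]: Failed password for admin from 203.0.113.9 port 51002 ssh2
Oct 10 13:57:07 web01 sshd[1200]: Failed password for admin from 203.0.113.9 port 51003 ssh2
Oct 10 13:57:09 web01 sshd[1200]: Failed password for admin from 203.0.113.9 port 51004 ssh2
Oct 10 13:57:11 web01 sshd[1200]: Failed password for admin from 203.0.113.9 port 51005 ssh2
Oct 10 13:59:00 web01 sshd[1210]: Accepted password for alice from 10.0.0.5 port 51010 ssh2
"""

# ip, method, path (may contain spaces), status, response bytes ("-" when unknown)
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.+?) HTTP/[\d.]+" (\d{3}) (\d+|-)$')
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def parse_access(text):
    """Yield (ip, method, path, status, size) for each well-formed CLF line."""
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            ip, method, path, status, size = m.groups()
            yield ip, method, path, int(status), (0 if size == "-" else int(size))


def oversized_responses(text, factor=10):
    """'HTML response size' indicator: successful responses far larger than
    the median successful response. The factor is an assumed threshold."""
    ok = [e for e in parse_access(text) if e[3] == 200]
    if not ok:
        return []
    baseline = median(e[4] for e in ok)
    return [(ip, path, size) for ip, _, path, _, size in ok if size > factor * baseline]


def repeated_file_requests(text, threshold=5):
    """'Same file' indicator: one client requesting the same path many times."""
    counts = Counter((ip, path) for ip, _, path, _, _ in parse_access(text))
    return [(ip, path, n) for (ip, path), n in counts.items() if n >= threshold]


def failed_login_bursts(text, threshold=5):
    """'Login red flag' indicator: many failed SSH logins for one (user, ip)."""
    matches = (FAILED_RE.search(line) for line in text.splitlines())
    counts = Counter(m.groups() for m in matches if m)
    return [(user, ip, n) for (user, ip), n in counts.items() if n >= threshold]


def correlate(access=ACCESS_LOG, auth=AUTH_LOG):
    """Count how many distinct indicator types each source IP triggered.
    Each detector contributes at most one point per IP."""
    sources = (
        {ip for ip, _, _ in oversized_responses(access)},
        {ip for ip, _, _ in repeated_file_requests(access)},
        {ip for _, ip, _ in failed_login_bursts(auth)},
    )
    hits = Counter()
    for ips in sources:
        hits.update(ips)
    return hits


if __name__ == "__main__":
    for ip, n in correlate().most_common():
        print(f"{ip}: {n} indicator type(s) triggered")
```

On the constructed logs, 203.0.113.9 trips all three detectors while the internal clients trip none; in practice the baseline for response sizes should come from a longer history than a handful of lines, and the thresholds should be tuned per application so that bulk exports and legitimate retries do not page the on-call engineer.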
What is the Difference Between an Indicator of Compromise and an Indicator of Attack?
Indicators of attack (IOAs) focus on identifying attacker activity in real-time while indicators of compromise focus on attacks that have taken place.
Think about it like this: indicators of compromise help answer what happened, while indicators of attack help answer what is happening and why.
How UpGuard Can Help Monitor for IOCs
The team at UpGuard are experts in data breaches and data leaks; our research has been featured in the New York Times, Wall Street Journal, Bloomberg, Washington Post, Forbes, Reuters and TechCrunch.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry. Each vendor is rated against 50+ criteria such as presence of SSL and DNSSEC, as well as risk of domain hijacking, man-in-the-middle attacks and email spoofing for phishing.
UpGuard BreachSight can help monitor for 70+ attack vectors, combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customers' trust through cybersecurity ratings and continuous exposure detection.
If you'd like to see how your organization is currently performing, get your free security rating here!