Indicators of compromise
What are indicators of compromise?
Indicators of compromise (IoCs) are forensic artifacts, such as file hashes, IP addresses, domain names, or unusual activity on a host or network, that show a system has been, or may have been, breached. They serve both as an early warning that an intrusion is under way and as evidence for reconstructing what happened after the fact. By matching known IoCs against their own environment, organizations can detect threats such as malware, data breaches, and insider activity sooner and limit the damage.
Types of indicators of compromise
There are five commonly cited types of IoCs you can use to determine whether your environment has been compromised:
- File-based IoCs: Malicious files that enter the environment, for example through downloads or email attachments, can be identified by known-bad file hashes, atypical file extensions, unusual file names or paths, and file size anomalies.
- Network-based IoCs: Connections to known-malicious IP addresses, domain names, or URLs, such as command-and-control servers, are network-based IoCs. Sudden spikes in network traffic, especially outbound traffic, can also indicate that the network has been compromised.
- Behavioral IoCs: Activity that deviates from the normal functioning of systems or users, such as repeated failed login attempts, user activity outside business hours, unexpected system crashes, abnormal network connections, and unexplained spikes in memory usage.
- Registry-based IoCs: Certain entries in the Windows Registry, such as new autorun keys that let malware persist across reboots, deleted keys, or unusual values, can indicate that an attack is ongoing or has occurred.
- Host-based IoCs: Suspicious changes to system settings, permissions, and running processes indicate a potentially compromised endpoint.
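As an added example (not code from this page or from ManageEngine), the following Python script matches a small set of file-based and network-based IoCs of the kinds listed above against artifacts collected from an endpoint. Everything in it is constructed: the "malicious" sample is a short byte string whose SHA-256 becomes the hash indicator, the IP ranges are RFC 5737 documentation addresses, and the domains and path patterns are made up for illustration.

```python
"""Match file- and network-based indicators of compromise (IoCs) against
collected artifacts. Added example; all indicators and artifacts are constructed."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed stand-in for a malware sample; its SHA-256 becomes a hash IoC.
MALICIOUS_SAMPLE = b"MZ\x90\x00constructed-dropper-stub"


@dataclass
class IocSet:
    sha256: set = field(default_factory=set)           # known-bad file hashes
    networks: list = field(default_factory=list)       # ip_network objects (a single host is a /32)
    domains: set = field(default_factory=set)          # C2 domains; subdomains match too
    name_patterns: list = field(default_factory=list)  # regexes over file paths


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_ioc_set() -> IocSet:
    """Constructed indicators: one hash, two IP ranges, two domains, two path patterns."""
    return IocSet(
        sha256={sha256_hex(MALICIOUS_SAMPLE)},
        networks=[ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.7/32")],
        domains={"evil-c2.example", "update-check.example"},
        name_patterns=[
            # double extension: a "document" that is really an executable or script
            re.compile(r"\.(pdf|docx?|xlsx?)\.(exe|scr|js|vbs)$", re.IGNORECASE),
            # executable dropped into a user's temp directory
            re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\.*\.exe$", re.IGNORECASE),
        ],
    )


def ip_matches(addr: str, iocs: IocSet) -> bool:
    """True if addr falls inside any IoC network; unparseable input never matches."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in iocs.networks)


def domain_matches(host: str, iocs: IocSet) -> bool:
    """Exact or subdomain match: 'beacon.evil-c2.example' hits, 'notevil-c2.example' does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs.domains)


def check_file(path: str, content: bytes, iocs: IocSet) -> list:
    """Return the file-based IoC categories that match: 'hash' and/or 'name'."""
    hits = []
    if sha256_hex(content) in iocs.sha256:
        hits.append("hash")
    if any(p.search(path) for p in iocs.name_patterns):
        hits.append("name")
    return hits


def check_network(event: dict, iocs: IocSet) -> list:
    """Return the network-based IoC categories that match: 'ip' and/or 'domain'."""
    hits = []
    if ip_matches(event.get("dst_ip", ""), iocs):
        hits.append("ip")
    if domain_matches(event.get("host", ""), iocs):
        hits.append("domain")
    return hits


def scan(files, events, iocs: IocSet) -> list:
    """Run both checks over collected artifacts; return (artifact, hits) for every match."""
    findings = []
    for path, content in files:
        hits = check_file(path, content, iocs)
        if hits:
            findings.append((path, hits))
    for event in events:
        hits = check_network(event, iocs)
        if hits:
            findings.append((f"{event.get('host', '-')} -> {event.get('dst_ip', '-')}", hits))
    return findings


# Constructed artifacts: three files and three outbound connections.
SAMPLE_FILES = [
    (r"C:\Users\alice\Downloads\report.pdf", b"benign document"),
    (r"C:\Users\alice\Downloads\invoice.pdf.exe", b"benign content, suspicious name"),
    (r"C:\Users\bob\AppData\Local\Temp\svchost.exe", MALICIOUS_SAMPLE),
]
SAMPLE_EVENTS = [
    {"dst_ip": "192.0.2.10", "host": "cdn.example"},
    {"dst_ip": "203.0.113.45", "host": "static.example"},
    {"dst_ip": "192.0.2.10", "host": "beacon.evil-c2.example"},
]

if __name__ == "__main__":
    for artifact, hits in scan(SAMPLE_FILES, SAMPLE_EVENTS, build_ioc_set()):
        print(f"IoC match ({', '.join(hits)}): {artifact}")
```

Two design points worth noting: the domain check matches subdomains but not arbitrary suffixes, so a lookalike such as `notevil-c2.example` does not trigger a false positive, and the IP check uses network objects so a single indicator can cover a whole hostile range.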
Indicators of compromise examples
IoCs take many forms: anomalous user behavior, unexpected file activity, unusual network traffic, and more. Known IoCs are shared through threat intelligence feeds and platforms, which let you check artifacts seen in your environment against indicators observed elsewhere; many of these platforms also accept IoCs that you have identified in your own network. The most common indicators of compromise are:
- Rise in database read volume: Databases hold personal information and critical business data, which makes them a prime target. A sudden spike in read volume, that is, in the number of read operations against the database rather than the number of users, can be a sign that an attacker or insider is pulling records out in bulk for exfiltration.
- Geographical irregularities: Logins or access attempts from a region where your organization does not operate are a telltale sign that something is wrong. Source IP addresses help you estimate the geographical origin of the activity, though attackers routinely route traffic through VPNs and proxies, so an expected location does not by itself prove the activity is legitimate.
- Anomalies in privileged user accounts: Attackers often try to reach data by escalating the privileges of low-level accounts. Sudden changes in account activity, such as a burst of permission changes, can indicate a compromised account or an insider attack.
- Unusual outbound network traffic: Unexpected outbound connections or transfer volumes can indicate that intruders are extracting data, or that a compromised host is communicating with a command-and-control server.
- Suspicious registry changes: Malware frequently modifies the registry and system files, for example to persist across reboots. Monitoring registry changes helps identify its presence.
- Increased requests for the same file: Attackers try several tactics until one succeeds. If a single file receives many requests over a short period, it may be a sign that you are under attack.
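The following Python script, added here as an example rather than taken from the page or from DataSecurity Plus, runs detection logic for several of the behavioral indicators above over constructed file-server audit lines: off-hours activity, access from an unexpected region, a spike in read volume, a burst of permission changes, and repeated requests for the same file. The log format, the business-hours window, the thresholds, and the IP-to-country table are all assumptions; a real deployment would tune the thresholds against a measured baseline and use a GeoIP database instead of the prefix table.

```python
"""Flag behavioral indicators of compromise in file-access audit records.
Added example; the audit lines are constructed and the country table is a
stand-in for a real GeoIP lookup."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) path=(?P<path>.*)$"
)
# Assumptions: the organization operates only in the US, works 08:00-18:59 UTC,
# and this prefix table (RFC 5737 test ranges) replaces a GeoIP database.
GEO_PREFIXES = {"198.51.100.": "US", "203.0.113.": "BR"}
ALLOWED_COUNTRIES = {"US"}
BUSINESS_HOURS = range(8, 19)


def parse(line: str):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def lookup_country(ip: str) -> str:
    return next((cc for prefix, cc in GEO_PREFIXES.items() if ip.startswith(prefix)), "??")


def detect(events, window=timedelta(minutes=5), read_threshold=20,
           acl_threshold=5, same_file_threshold=10) -> set:
    """Return a set of (rule, user, detail) findings. Volume rules count events per
    user inside fixed windows of `window` length; thresholds are illustrative."""
    findings = set()
    per_window = defaultdict(Counter)   # (user, window slot) -> action counts
    per_file = defaultdict(Counter)     # (user, window slot) -> reads per path
    for e in events:
        user, ts = e["user"], e["ts"]
        if ts.hour not in BUSINESS_HOURS:
            findings.add(("off_hours", user, ts.strftime("%Y-%m-%dT%H")))
        country = lookup_country(e["src"])
        if country not in ALLOWED_COUNTRIES:
            findings.add(("geo", user, f"{e['src']} ({country})"))
        slot = int(ts.timestamp() // window.total_seconds())
        per_window[(user, slot)][e["action"]] += 1
        if e["action"] == "read":
            per_file[(user, slot)][e["path"]] += 1
    for (user, _), actions in per_window.items():
        if actions["read"] >= read_threshold:
            findings.add(("read_spike", user, f"{actions['read']} reads in {window}"))
        if actions["acl_change"] >= acl_threshold:
            findings.add(("acl_burst", user, f"{actions['acl_change']} permission changes in {window}"))
    for (user, _), paths in per_file.items():
        for path, n in paths.items():
            if n >= same_file_threshold:
                findings.add(("same_file", user, f"{path} read {n} times"))
    return findings


def constructed_log() -> list:
    """Constructed audit trail: one normal user, one exfiltrating at night from abroad,
    one bulk-changing permissions, one hammering a single document."""
    lines = []

    def add(ts, user, src, action, path):
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} user={user} src={src} action={action} path={path}")

    day = datetime(2024, 5, 2, 10, 0, tzinfo=timezone.utc)
    night = datetime(2024, 5, 3, 2, 10, tzinfo=timezone.utc)
    for i in range(5):      # alice: normal daytime reads from an expected region
        add(day + timedelta(minutes=7 * i), "alice", "198.51.100.23", "read", rf"\\fs01\finance\q1-{i}.xlsx")
    for i in range(25):     # alice: 25 reads in three minutes at 02:10 UTC from abroad
        add(night + timedelta(seconds=7 * i), "alice", "203.0.113.5", "read", rf"\\fs01\finance\customers-{i}.csv")
    for i in range(6):      # bob: six ACL changes in two minutes
        add(day + timedelta(seconds=20 * i), "bob", "198.51.100.40", "acl_change", r"\\fs01\hr")
    for i in range(12):     # carol: the same file twelve times in under a minute
        add(day + timedelta(seconds=4 * i), "carol", "198.51.100.41", "read", r"\\fs01\legal\merger.docx")
    return lines


def run(lines) -> set:
    """Parse, skip malformed lines, and run every rule."""
    return detect([e for e in map(parse, lines) if e])


if __name__ == "__main__":
    for rule, user, detail in sorted(run(constructed_log())):
        print(f"{rule:<11} {user:<6} {detail}")
```

Fixed windows keep the example short; a sliding window would also catch a burst that straddles a window boundary, which is the usual refinement when this logic is productionized.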
Indicators of compromise vs. indicators of attack
Understanding the difference between indicators of compromise (IoCs) and indicators of attack (IoAs) is essential when investigating security incidents:
- Indicators of compromise: IoCs are reactive. They are artifacts left behind by a security incident that has already occurred, such as a file hash or a command-and-control address recovered during a forensic investigation. Security teams use them to recognize known threats that exhibit the same patterns and to take corrective action.
- Indicators of attack: IoAs are proactive. They describe attacker behavior and intent rather than specific artifacts, such as a document viewer spawning a command shell or credentials being dumped from memory, and signal that an attack is in progress or imminent even when the tooling is not yet known. Identifying malicious activity through IoAs lets you interrupt the attack before it succeeds and remediate the environment.
How can ManageEngine DataSecurity Plus help identify indicators of compromise?
IoC scanners, or IoC finders, are tools that search an environment for known indicators of compromise. DataSecurity Plus' security incident response software helps you find these red flags in your organization:
Unusual file accesses
Stay informed of anomalous activity, such as file changes made outside business hours, using the file server auditing solution.
Excessive privilege escalation
Track permission changes in real time using the share and NTFS permission auditing tool, so that privileges are not elevated without authorization.
Spikes in file read volume
Receive instant email alerts when a file receives multiple read requests in a short span, using the file activity monitoring tool.
Disconnect rogue user sessions
Run custom scripts, such as disconnecting the offending user's session, in response to unauthorized modifications to system files detected by the file integrity monitoring software.
Use of shadow applications
Identify the users who put data at risk by accessing shadow cloud applications, using the cloud protection tool.
Anomalous data transfer
Analyze files moved or copied to USB devices and trigger alerts on unwarranted file transfers, using the USB data theft protection tool.