Indicators of Compromise (IOCs): Definition and Examples

August 9, 2018


Cyber security is an important part of your business strategy; there’s no doubt about that. With so many terms surrounding the ins and outs of cyber security, it can be hard to keep track and stay well informed.

Indicators of Compromise: What is an IOC?

Indicators of Compromise (IOCs) is a very specific cyber security term. Indicators are observed activities that lead IT professionals to believe a cyber security threat or breach could be on the way or already in progress, i.e. that a system has been compromised.

More specifically, IOCs are breadcrumbs which can lead an organization to uncovering threatening activity on a system or network. These pieces of forensic data help IT professionals identify data breaches, malware infections, and other security threats. Monitoring all activity on a network to understand potential indicators of compromise allows for early detection of malicious activity and breaches.

Unusual activity is flagged as an IOC, which can indicate a potential or an in-progress threat. Unfortunately, these red flags aren’t always easy to detect. Some IOCs are as small and simple as metadata elements; others are complex malicious code and content signatures that slip through the cracks. Analysts need a good understanding of what’s normal for a given network – then they have to identify the various IOCs and look for correlations that, pieced together, signify a potential threat.

In addition to Indicators of Compromise, there are also Indicators of Attack (IOAs). Indicators of Attack are very similar to IOCs, but instead of identifying a compromise that is potential or already in progress, these indicators point to an attacker’s activity while an attack is in progress.

The key to both IOCs and IOAs is being proactive. Early warning signs can be hard to decipher, but analyzing and understanding them, through IOC security, gives a business the best chance of protecting its network.

What Do Indicators of Compromise Look Like?

Here are a few examples:

1. Unusual Outbound Network Traffic

Traffic leaving the network, though often overlooked, can be the biggest indicator letting IT professionals know something isn’t quite right. If outbound traffic increases heavily or simply isn’t typical, you could have a problem. Luckily, traffic inside your own network is the easiest to monitor, and compromised systems will often produce visible traffic before any real damage is done to the network.

2. Anomalies in Privileged User Account Activity

Account takeovers and insider attacks can both be discovered by keeping an eye out for unusual activity in privileged accounts. Any odd behavior in an account should be flagged and followed up on. Key indicators could be an escalation in the privileges of an account, or an account being used to leapfrog into other accounts with higher privileges.

3. Geographic Irregularities

Irregular log-ins and access from an unusual geographic location, on any account, are good evidence that attackers are infiltrating the network from far away. If there is traffic with countries you don’t do business with, that is a huge red flag and should be followed up on immediately. Luckily, this is one of the easier indicators to pinpoint and take care of. An IT professional might see many IPs logging into an account in a short amount of time with a geographic tag that just doesn’t add up.

4. Log-In Anomalies

Login irregularities and failures are both great clues that your network and systems are being probed by attackers. A large number of failed logins on an existing account, and failed logins with user accounts that don’t exist, are two IOCs that whoever is trying to access your data isn’t an employee or approved user.

5. Increased Volume of Database Reads

An increase in the volume of database reads could indicate that an attacker is in. They’ve found a way to infiltrate your network, and now they are gathering up your data to exfiltrate it. A full credit card database, for instance, would be a large request with a ton of read volume, and that swell in volume would be an IOC of funny business.

6. HTML Response Size

An abnormally large HTML response size can mean that a large piece of data was exfiltrated. For the same credit card database we used as an example in the previous IOC, the HTML response would be about 20 – 50 MB, which is much larger than the average 200 KB response one should expect for a typical request.

7. Large Number of Requests for the Same File

Hackers and attackers have to use a lot of trial and error to get what they want from your system. These trials and errors are IOCs, as hackers try to see what kind of exploitation will stick. If one file, maybe that same credit card file, has been requested many times with many different variations of the request, you could be under attack. Seeing 500 IPs request a file when typically there would be 1 is an IOC that needs to be checked up on.

8. Mismatched Port-Application Traffic

If you have an obscure port open, attackers could try to take advantage of it. Oftentimes, if an application is using an unusual port, it’s an IOC of command-and-control traffic masquerading as normal application behavior. Because this traffic can be masked in different ways, it can be harder to flag.

9. Suspicious Registry Changes

Malware writers establish themselves within an infected host through registry changes. This can include packet-sniffing software that deploys harvesting tools on your network. To recognize these types of IOCs, it’s important to have that baseline “normal” established, which includes a known-clean registry. Through this process, you’ll have filters to compare hosts against, and in turn decrease response time to this kind of attack.

10. DNS Request Anomalies

Command-and-control traffic patterns are oftentimes left behind by malware and cyber attackers. The command-and-control traffic allows for ongoing management of the attack. It must be secure so that security professionals can’t easily take it over, but that very fact makes it stick out like a sore thumb. A large spike in DNS requests from a specific host is a good IOC. External hosts, geoIP, and reputation data all come together to alert an IT professional that something isn’t quite right.
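As an added example (not code from the original article), here is a small Python script that runs three of the checks above over constructed web-server log lines: repeated failed logins (IOC 4), abnormally large responses (IOC 6), and one file requested by an unusual number of distinct IPs (IOC 7). The log format, the sample lines and the thresholds are assumptions made for this example; in practice the thresholds come from your own network’s baseline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log (combined-log style), not taken from the article.
# Fields: client_ip - user [timestamp] "METHOD path HTTP/1.1" status bytes
SAMPLE_LOG = """\
10.0.0.5 - alice [09/Aug/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 18432
198.51.100.7 - - [09/Aug/2018:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [09/Aug/2018:10:00:04 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [09/Aug/2018:10:00:05 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [09/Aug/2018:10:00:06 +0000] "GET /export/cards.csv HTTP/1.1" 200 31457280
203.0.113.1 - - [09/Aug/2018:10:00:07 +0000] "GET /export/cards.csv HTTP/1.1" 200 31457280
203.0.113.2 - - [09/Aug/2018:10:00:08 +0000] "GET /export/cards.csv HTTP/1.1" 200 31457280
203.0.113.3 - - [09/Aug/2018:10:00:09 +0000] "GET /export/cards.csv HTTP/1.1" 200 31457280
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')

def parse_log(text):
    """Parse access-log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, path, status, size = m.groups()
            entries.append({"ip": ip, "method": method, "path": path,
                            "status": int(status), "bytes": int(size)})
    return entries

def find_iocs(entries, size_threshold=20 * 1024 * 1024, ip_threshold=3,
              failed_login_threshold=3, login_path="/login"):
    """Return hits for three IOCs. Thresholds are assumptions for this sample."""
    # IOC 6: responses far above the ~200 KB a normal page should produce
    large_responses = [(e["ip"], e["path"], e["bytes"])
                       for e in entries if e["bytes"] >= size_threshold]
    # IOC 7: one file pulled by an unusual number of distinct source IPs
    ips_per_path = defaultdict(set)
    for e in entries:
        ips_per_path[e["path"]].add(e["ip"])
    widely_requested = sorted((p, len(ips)) for p, ips in ips_per_path.items()
                              if len(ips) >= ip_threshold)
    # IOC 4: repeated failed logins (401/403 on the login endpoint) per source IP
    failed = Counter(e["ip"] for e in entries
                     if e["path"] == login_path and e["status"] in (401, 403))
    repeated_failed_logins = sorted((ip, n) for ip, n in failed.items()
                                    if n >= failed_login_threshold)
    return {"large_responses": large_responses,
            "widely_requested_files": widely_requested,
            "repeated_failed_logins": repeated_failed_logins}

if __name__ == "__main__":
    for name, hits in find_iocs(parse_log(SAMPLE_LOG)).items():
        print(name, hits)
```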

IOC Detection and Response

These are just a handful of the ways suspicious activity can show up on a network. Luckily, IT professionals and managed security service providers look for these and other IOCs to decrease response time to potential threats.

Monitoring for IOCs enables your organization to control the damage that could be done by a hacker or malware. With these kinds of issues, the response is reactive rather than proactive, but early detection can mean the difference between a full-blown ransomware attack that leaves your business crippled and a few missing files.

IOC security requires tools that provide the necessary monitoring and forensic analysis of incidents. IOCs are reactive in nature, but they’re still an important piece of the cyber security puzzle, ensuring an attack isn’t going on for long before it is shut down.

Another important part of the puzzle is your data backup, just in case the worst does happen. You won’t be left without your data and without any way to avoid the ransom hackers might impose on you.

The battle against malware and cyber attacks is an ongoing and difficult one, as the threat evolves every day. Your security team likely has policies already in place to try to curb as many of these threats as possible. Keeping your staff well-informed and trained on these policies is just as important as the monitoring.