Cybersecurity is an important part of your business strategy; there’s no doubt about that. With so many terms surrounding the ins and outs of cybersecurity, it can be hard to keep track and stay well informed.
Indicators of Compromise: What is an IOC Used for?
Indicators are activities that lead IT professionals to believe a cybersecurity threat or breach could be on the way or in progress or compromised.
More specifically, IOCs are breadcrumbs that can lead an organization to uncover threatening activity on a system or network. These pieces of forensic data help IT professionals identify data breaches, malware infections, and other security threats. Monitoring all activity on a network to understand potential indicators of compromise allows for early detection of malicious activity and breaches.
Unusual activity is flagged as an IOC which can indicate a potential or an in-progress threat. Unfortunately, these red flags aren’t always easy to detect. Some of these IOCs can be as small and as simple as metadata elements or incredibly complex malicious code and content stamps that slip through the cracks. Analysts have to have a good understanding of what’s normal for a given network – then, they have to identify various IOCs to look for correlations that piece together to signify a potential threat.
In addition to Indicators of Compromise, there are also Indicators of Attack. Indicators of Attack are very similar to IOCs, but instead of identifying a compromise that’s potential or in progress, these indicators point to an attacker’s activity while an attack is in process.
The key to both IOCs and IOAs is being proactive. Early warning signs can be hard to decipher but analyzing and understanding them, through IOC security, gives a business the best chance at protecting their network.
What is the difference between an observable and an IOC? An observable is any network activity that can be tracked and assessed by your team of IT professionals where an IOC indicates a potential threat.
What Do Indicators of Compromise Look Like?
Here is a list of indicators of compromise (IOCs) examples:
1. Unusual Outbound Network Traffic
Traffic inside the network, though often overlooked, can be the biggest indicator letting IT professionals know something isn’t quite right. If the outbound traffic increases heavily or simply isn’t typical, you could have a problem. Luckily, traffic inside your network is the easiest to monitor, and compromised systems will often have visible traffic before any real damage is done to the network.
2. Anomalies in Privileged User Account Activity
Account takeovers and insider attacks can both be discovered by keeping an eye out for weird activity in privileged accounts. Any odd behavior in an account should be flagged and followed up on. Key indicators could be escalation in the privileges of an account or an account being used to leapfrog into other accounts with higher privileges.
3. Geographic Irregularities
Irregularities in log-ins and access from an unusual geographic location from any account are good evidence that attackers are infiltrating the network from far away. If there is traffic with countries you don’t do business with, that is a huge red flag and should be followed up on immediately. Luckily, this is one of the easier indicators to pinpoint and take care of. An IT professional might see many IPs logging into an account in a short amount of time with a geographic tag that just doesn’t add up.
4. Log-In Anomalies
Login irregularities and failures are both great clues that your network and systems are being probed by attackers. A large number of failed logins on an existing account and failed logins with user accounts that don’t exist are two IOCs that it isn’t an employee or approved user trying to access your data.
5. Increased Volume in Database Read
An increase in the volume of database read could indicate that an attacker is in. They’ve found a way to infiltrate your network, and now they are gathering up your data to exfiltrate it. A full credit card database, for instance, would be a large request with a ton of read volume and that swell in volume would be an IOC of funny business.
6. HTML Response Size
An abnormally large HTML response size can mean that a large piece of data was exfiltrated. For the same credit card database we used as an example in the previous IOC, the HTML response would be about 20 – 50 MB which is much larger than the average 200 KB response one should expect for any typical request.
7. A Large Number of Requests for the Same File
Hackers and attackers have to use a lot of trial and error to get what they want from your system. These trials and errors are IOCs, as hackers try to see what kind of exploitation will stick. If one file, maybe that same credit card file, has been requested many times from different permutations, you could be under attack. Seeing 500 IPs request a file when typically there would be 1, is an IOC that needs to be checked on.
8. Mismatched Port-Application Traffic
If you have an obscure port, attackers could try to take advantage of that. Oftentimes, if an application is using an unusual port, it’s an IOC of command-and-control traffic acting as normal application behavior. Because this traffic can be masked differently, it can be harder to flag.
9. Suspicious Registry
Malware writers establish themselves within an infected host through registry changes. This can include packet-sniffing software that deploys harvesting tools on your network. To recognize these types of IOCs, it’s important to have that baseline “normal” established, which includes a clear registry. Through this process, you’ll have filters to compare hosts against and in turn decrease response time to this kind of attack.
10. DNS Request Anomalies
Command-and-control traffic patterns are oftentimes left by malware and cyber attackers. The command-and-control traffic allows for ongoing management of the attack. IT must be secure so that security professionals can’t easily take it over, but that makes it stick out like a sore thumb. A large spike in DNS requests from a specific host is a good IOC. External hosts, geoIP, and reputation data all come together to alert an IT professional that something isn’t quite right.
IOC Detection and Response
These are just a handful of the ways suspicious activity can show up on a network. Luckily, IT professionals and managed security service providers look for these, and other IOCs to decrease response time to potential threats. Through dynamic malware analysis, these professionals are able to understand the violation of security and treat it immediately.
Monitoring for IOCs enables your organization to control the damage that could be done by a hacker or malware. A compromise assessment of your systems helps your team become as ready as possible for the type of cybersecurity threat your company may come up against. With actionable indicators of compromise, the response is reactive versus proactive, but early detection can mean the difference between a full-blown ransomware attack, leaving your business crippled, and a few missing files.
IOC security requires tools to provide the necessary monitoring and forensic analysis of incidents via malware forensics. IOCs are reactive in nature, but they’re still an important piece of the cybersecurity puzzle, ensuring an attack isn’t going on long before it is shut down.
Another important part of the puzzle is your data backup, just in case the worst does happen. You won’t be left without your data and without any way to avoid the ransom hackers might impose on you.
The battle against malware and cyber attacks is an ongoing and difficult battle, as it evolves every day. Your security team likely has policies already in place to try and curb as many of these threats as possible. Keeping your staff well-informed and trained on these policies is just as important as the monitoring.