Cybersecurity is an important part of your business strategy; there’s no doubt about that. With so many terms surrounding the ins and outs of cybersecurity, it can be hard to keep track and stay well informed.
Indicators of Compromise: What is an IOC Used for?
Indicators of compromise (IOCs) are pieces of evidence that lead IT professionals to believe a cybersecurity incident may be imminent or already underway.
More specifically, IOCs are breadcrumbs that can lead an organization to uncover malicious activity on or against a system or network. These pieces of forensic data (a file hash, an IP address or domain, a registry key, a log entry) help IT professionals identify data breaches, malware infections, and even compromised email accounts. Monitoring activity on a network for potential indicators of compromise allows for early detection of malicious activity against your organization.
Unusual activity is flagged as an IOC when it can indicate a potential or in-progress threat. Unfortunately, these red flags aren’t always easy or obvious to detect. Some IOCs are as small and simple as a manipulated metadata field; others are complex pieces of malicious code or content that slip through the cracks. Analysts must first have a good understanding of what is normal for a given network, then identify individual IOCs and look for correlations between them to establish that a cybersecurity incident has occurred.
The key to IOCs is being proactive. Early warning signs can be hard to decipher, but analyzing and understanding them gives an organization the best chance of protecting its network proactively rather than reactively.
What is the difference between an observable and an IOC? An observable is any fact your team can record and assess (an IP address, a file hash, a process name, a login event) with no judgment attached. An observable becomes an IOC when it is paired with context that ties it to malicious activity.
What Do Indicators of Compromise Look Like?
Here are some examples of indicators of compromise (IOCs):
1. Unusual Outbound Network Traffic
Outbound traffic, though often overlooked, can be the biggest indicator that something isn’t quite right. If outbound traffic increases heavily or simply isn’t typical for a host, you could have a problem. Luckily, traffic leaving your network is among the easiest to monitor, and compromised systems will often show visible, regular connections to an external host that a threat actor uses to maintain control of the environment (command-and-control beaconing).
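A concrete way to turn the "regular connections to an external host" observation into a check is to measure how evenly spaced each host's connections to a given destination are. The following is an added example, not code from the article; the flow records are constructed inline and their layout (timestamp, source, destination, port, bytes) is an assumption rather than any real sensor's format.

```python
"""Beaconing detection over connection records (added example, not from the article).

The flow records below are constructed for illustration; the field layout
(timestamp, src, dst, dst_port, bytes_out) is an assumption, not a real
sensor format.
"""
from collections import defaultdict
from statistics import mean, pstdev

BASE = 1_700_000_000

# Constructed sample flows: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = (
    # 10.0.0.5 contacts 203.0.113.7:443 every ~60 s with a few seconds of jitter: beacon-like
    [(BASE + 60 * i + (i % 3), "10.0.0.5", "203.0.113.7", 443, 512) for i in range(20)]
    # 10.0.0.9 browses 198.51.100.20:443 at irregular, human-paced intervals
    + [(BASE + t, "10.0.0.9", "198.51.100.20", 443, 4000)
       for t in (3, 17, 40, 41, 42, 300, 310, 900, 1234, 1300)]
    # 10.0.0.12 has too few flows to judge
    + [(BASE + 100, "10.0.0.12", "192.0.2.1", 80, 100),
       (BASE + 160, "10.0.0.12", "192.0.2.1", 80, 100)]
)


def beacon_stats(flows, min_flows=8):
    """Per (src, dst, port) with at least min_flows connections, return
    (mean_interval_s, cv, count). cv is the coefficient of variation of the
    inter-arrival times: near 0 means a near-constant interval, which is how
    a scheduled C2 check-in looks and how interactive traffic does not."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _bytes in flows:
        by_pair[(src, dst, dport)].append(ts)
    stats = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        stats[pair] = (m, cv, len(stamps))
    return stats


def find_beacons(flows, max_cv=0.2, min_flows=8):
    """Return the (src, dst, port) tuples whose inter-arrival jitter is below max_cv."""
    return sorted(pair for pair, (_m, cv, _n) in beacon_stats(flows, min_flows).items()
                  if cv <= max_cv)


if __name__ == "__main__":
    for pair, (m, cv, n) in beacon_stats(FLOWS).items():
        print(f"{pair}: {n} flows, mean interval {m:.1f}s, cv {cv:.2f}")
    print("beacon candidates:", find_beacons(FLOWS))
```

The coefficient of variation is used rather than the raw standard deviation so that a 60-second beacon and a 6-hour beacon are judged by the same threshold. Real implants add deliberate jitter, so tune `max_cv` against your own traffic rather than trusting 0.2, and treat a hit as something to investigate (destination reputation, process that opened the socket) rather than as proof.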
2. Anomalies in Privileged User Account Activity
Account takeovers and insider attacks can both be discovered by watching for anomalous activity in privileged accounts. Any odd behavior in such an account should be flagged and followed up on. Key indicators include an account’s privileges being escalated, or an account being used to leapfrog into other accounts with higher privileges.
3. Geographic Irregularities
Sign-ins and access from an unusual geographic location, from any account, are good evidence that attackers are infiltrating the network from afar. Traffic to or from countries you don’t do business with is a huge red flag and should be reviewed immediately. Luckily, this is one of the easier indicators to pinpoint and act on. An IT professional might see many attempts to sign into one account in a short amount of time with a geographic tag that just doesn’t add up, or a single account signing in from two places too far apart to travel between in the elapsed time.
4. Log-In Anomalies
Login irregularities and failures are both great clues that attackers are probing your network and systems. Sign-ins from personal VPN services are an increasingly common indicator: a VPN can obscure a user’s known location and hide where the threat actor’s sign-in is actually taking place.
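The geographic and login anomalies described in the two items above can both be checked from the same sign-in log. Below is an added example (not code from the article): it flags "impossible travel" between consecutive successful sign-ins and bursts of failed logins from one source. The events are constructed inline, and the coordinates attached to each IP are assumptions standing in for a geoIP lookup.

```python
"""Impossible-travel and failed-login-burst detection over sign-in events
(added example, not from the article). Events are constructed inline; the
field layout and the geolocation of each IP are assumptions, since a real
deployment would take them from an identity provider's sign-in log and a
geoIP database."""
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

BASE = 1_700_000_000

# Constructed events: (epoch_seconds, user, src_ip, country, lat, lon, success)
EVENTS = [
    (BASE,         "alice", "198.51.100.4", "US", 40.71,  -74.01, True),   # New York
    (BASE + 1800,  "alice", "203.0.113.9",  "DE", 52.52,   13.40, True),   # Berlin, 30 min later
    (BASE,         "bob",   "192.0.2.10",   "US", 34.05, -118.24, True),   # Los Angeles
    (BASE + 20000, "bob",   "192.0.2.11",   "US", 37.77, -122.42, True),   # San Francisco, ~5.5 h later
] + [
    # 25 failures against carol from one address within 25 seconds: a burst
    (BASE + 300 + i, "carol", "203.0.113.50", "NL", 52.37, 4.90, False) for i in range(25)
] + [
    # 3 failures by dave spread over 20 minutes: a user mistyping a password
    (BASE + 600 * i, "dave", "192.0.2.30", "US", 47.61, -122.33, False) for i in range(3)
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0, min_km=100.0):
    """Flag consecutive successful sign-ins by one user that would require
    travelling faster than max_kmh (roughly airliner speed). Pairs closer than
    min_km are ignored so that two offices in one city never trigger."""
    by_user = defaultdict(list)
    for ts, user, ip, country, lat, lon, ok in events:
        if ok:
            by_user[user].append((ts, ip, country, lat, lon))
    hits = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ip1, c1, la1, lo1), (t2, ip2, c2, la2, lo2) in zip(logins, logins[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue
            hours = (t2 - t1) / 3600
            speed = km / hours if hours > 0 else float("inf")   # same-second logins far apart
            if speed > max_kmh:
                hits.append((user, f"{ip1} ({c1})", f"{ip2} ({c2})", round(km), round(speed)))
    return hits


def failed_login_bursts(events, window_s=300, threshold=10):
    """Return {(user, src_ip)} with at least `threshold` failures inside any
    window_s-second window, using a sliding window over sorted timestamps."""
    fails = defaultdict(list)
    for ts, user, ip, *_rest, ok in events:
        if not ok:
            fails[(user, ip)].append(ts)
    bursts = set()
    for key, stamps in fails.items():
        stamps.sort()
        j = 0
        for i in range(len(stamps)):
            while stamps[i] - stamps[j] >= window_s:
                j += 1
            if i - j + 1 >= threshold:
                bursts.add(key)
                break
    return bursts


if __name__ == "__main__":
    for hit in impossible_travel(EVENTS):
        print("impossible travel:", hit)
    print("failed-login bursts:", failed_login_bursts(EVENTS))
```

The VPN caveat from the text applies directly here: a user who switches a personal VPN on between two sign-ins will look like impossible travel, so the alert should be enriched with whether the source IP belongs to a known VPN or hosting provider before anyone is paged.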
5. Increased Database Read Volume
An increase in database read volume could indicate that an attacker is in. They’ve found a way into your network, and now they are gathering up your data to exfiltrate it. Dumping a full credit card database, for instance, would be a large request with a great deal of read volume, and that swell in volume is an IOC of malicious activity.
6. HTTP Response Size
An abnormally large HTTP response can mean that a large piece of data was exfiltrated. For the same credit card database from the previous IOC, the response might be 20 to 50 MB, far larger than the roughly 200 KB one would expect for a typical request. The exact figures depend on your application, so the useful comparison is against the normal response size for that particular endpoint.
7. Multiple Requests for the Same File
Modern security tooling can identify this behavior as anomalous access by IP address. If one file, maybe that same credit card file, has been requested many times, with varied URLs or from different sources, you could be under attack. Seeing several IPs request a file that is normally fetched by one is an IOC that needs to be checked. If these attempts are missed and access to the environment is gained, threat actors have a “playbook” they execute.
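Items 5, 6 and 7 all come down to comparing a request against a per-endpoint baseline: how big is a response for this path normally, and how many distinct clients normally ask for it. The following added example (not code from the article) parses constructed Apache combined-format access log lines and applies both checks; the paths, sizes and addresses are invented. The same median/MAD baseline applies to a database query log with rows returned in place of bytes.

```python
"""Baseline-based detection of oversized responses and many-source file
requests in a web access log (added example, not from the article).

The log lines are constructed in Apache combined format; paths, sizes and
addresses are invented. The same per-key baseline works for a database
query log with 'rows returned' in place of bytes."""
import re
from collections import defaultdict
from statistics import median

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def _line(ip, path, size, ts="10/Oct/2023:13:55:36 +0000"):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 {size} "-" "curl/8.0"'


# Constructed sample log
SAMPLE_LOG = (
    # /report.csv is normally ~200 KB and fetched by two internal addresses ...
    [_line(ip, "/report.csv", s) for ip, s in zip(["10.0.0.2", "10.0.0.3"] * 4,
     [190000, 195000, 200000, 205000, 210000, 198000, 202000, 199000])]
    # ... then one 45 MB response, far outside its baseline
    + [_line("10.0.0.3", "/report.csv?all=1", 45000000)]
    # /cards.csv is fetched once each by 12 different external addresses
    + [_line(f"203.0.113.{i}", "/cards.csv", 1200) for i in range(1, 13)]
    # ordinary page views
    + [_line(ip, "/index.html", s) for ip, s in zip(["10.0.0.2", "10.0.0.3"] * 3,
       [5100, 5200, 5000, 5300, 5150, 5050])]
)


def parse(lines):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["path"] = d["path"].split("?", 1)[0]     # group by path, ignore the query string
        d["size"] = 0 if d["size"] == "-" else int(d["size"])
        records.append(d)
    return records


def size_outliers(records, k=10.0, min_samples=5):
    """Flag records whose size exceeds the path's median by more than k MADs.
    Median and MAD are robust: one huge response does not drag the baseline
    up the way a mean and standard deviation would."""
    by_path = defaultdict(list)
    for r in records:
        by_path[r["path"]].append(r)
    flagged = []
    for recs in by_path.values():
        if len(recs) < min_samples:
            continue
        sizes = [r["size"] for r in recs]
        med = median(sizes)
        mad = median(abs(s - med) for s in sizes)
        spread = max(mad, 0.01 * med)           # guard against MAD == 0 for fixed-size files
        flagged.extend(r for r in recs if r["size"] - med > k * spread)
    return flagged


def multi_ip_paths(records, min_ips=5):
    """Paths requested by at least min_ips distinct client addresses."""
    ips = defaultdict(set)
    for r in records:
        ips[r["path"]].add(r["ip"])
    return {p: len(s) for p, s in ips.items() if len(s) >= min_ips}


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for r in size_outliers(recs):
        print(f"oversized: {r['ip']} {r['path']} {r['size']} bytes")
    print("paths fetched by many clients:", multi_ip_paths(recs))
```

Because the baseline is per path, a 45 MB download of a file that is always 45 MB is not an alert, while a 45 MB response from an endpoint that normally returns 200 KB is. The query string is stripped before grouping so that `?all=1` style variations of the same file are compared against the same baseline.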
8. Mismatched Port-Application Traffic
Attackers could try to take advantage of common ports. Readily available tools such as Nmap (a port scanner) or Shodan (a search engine for internet-exposed services) let threat actors identify which ports an organization has open and target it externally. Once inside, they often run command-and-control traffic over a well-known port so that it passes for normal application behavior, for example non-TLS traffic on port 443 or non-DNS traffic on port 53. Because this traffic can be disguised in different ways, it can be harder to flag; the indicator is a mismatch between the port and the protocol actually carried on it.
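One way to detect that mismatch is to look at the first payload bytes of each connection and compare them with what the destination port's protocol should look like. The following is an added example, not code from the article; the flows are constructed, and a real deployment would take the leading bytes from a packet capture or a network IDS.

```python
"""Port/protocol mismatch check on the first bytes of a connection (added
example, not from the article). The flows are constructed; a real deployment
would take the first payload bytes from a packet capture or a NIDS."""
import struct

HTTP_METHODS = {b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS", b"PATCH"}


def looks_like_tls(p):
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04
    return len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04


def looks_like_http(p):
    # Request line: METHOD SP target SP HTTP/x.y
    head = p.split(b"\r\n", 1)[0]
    parts = head.split(b" ")
    return len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/")


def looks_like_ssh(p):
    return p.startswith(b"SSH-")


def looks_like_dns(p):
    # 12-byte header: id, flags, qdcount, ancount, nscount, arcount.
    # A plausible message has a standard opcode and exactly one question.
    if len(p) < 12:
        return False
    _id, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", p[:12])
    opcode = (flags >> 11) & 0xF
    return opcode in (0, 1, 2) and qd == 1


# What each well-known port is expected to carry
EXPECTED = {443: ("tls", looks_like_tls), 80: ("http", looks_like_http),
            22: ("ssh", looks_like_ssh), 53: ("dns", looks_like_dns)}

# Constructed flows: (src, dst, dst_port, first payload bytes)
FLOWS = [
    ("10.0.0.5", "203.0.113.7", 443, bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32),
    ("10.0.0.5", "203.0.113.7", 443, b"GET /beacon?id=5 HTTP/1.1\r\nHost: 203.0.113.7\r\n\r\n"),  # plaintext on 443
    ("10.0.0.9", "198.51.100.20", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.9", "198.51.100.20", 80, bytes.fromhex("160301")),                                   # TLS on 80
    ("10.0.0.12", "192.0.2.53", 53,
     b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),  # real query
    ("10.0.0.12", "192.0.2.99", 53, b"cmd:whoami; id; uname -a\n"),                               # shell on 53
    ("10.0.0.12", "192.0.2.22", 22, b"SSH-2.0-OpenSSH_9.3\r\n"),
    ("10.0.0.12", "192.0.2.22", 8443, b"hello"),                                                   # no expectation
]


def find_mismatches(flows):
    """Return (src, dst, port, expected_proto) for flows on a well-known port
    whose first bytes do not look like that port's protocol."""
    out = []
    for src, dst, dport, payload in flows:
        if dport not in EXPECTED:
            continue
        name, check = EXPECTED[dport]
        if not check(payload):
            out.append((src, dst, dport, name))
    return out


if __name__ == "__main__":
    for hit in find_mismatches(FLOWS):
        print("port/protocol mismatch:", hit)
```

These are deliberately loose fingerprints: they only need to say "this is not TLS" or "this is not DNS", not identify what the traffic actually is. Note that a TLS handshake on port 443 tells you nothing about what is inside it, which is why the beaconing and DNS checks complement this one rather than replace it.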
9. Suspicious Registry Changes
Malware establishes itself on an infected Windows host through registry changes, commonly by adding autorun entries so that its components (packet sniffers, credential harvesters and the like) start again after every reboot. To recognize these IOCs, it’s important to have a baseline “normal” established, including a clean registry. With that baseline, you have filters to compare hosts against, which in turn decreases response time to this kind of attack.
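The "compare hosts against a clean baseline" idea from the item above, as an added example that is not part of the original article. The snapshots are constructed dictionaries of value name to command, as one would export from a `Run` key on each host; the hostnames, paths and commands are invented, and the suspicious-path and living-off-the-land patterns are a starting heuristic, not a complete list.

```python
"""Baseline comparison of autorun registry entries (added example, not from
the article). The snapshots are constructed dicts of value-name -> command,
as one would export from HKLM\\...\\CurrentVersion\\Run on each host; the
hostnames and commands are invented."""
import re

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Golden image: what a clean host's Run key looks like (constructed)
BASELINE = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
}

# Snapshots collected from two hosts (constructed)
HOSTS = {
    "ws-01": {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
        "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
    },
    "ws-02": {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
        "OneDrive": r"C:\Users\jsmith\AppData\Local\Temp\svchost.exe",   # changed: now points into a temp dir
        "Updater": r"powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",  # new: encoded command
    },
}

# Heuristics for commands that deserve a closer look
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.IGNORECASE)
LOLBIN = re.compile(r"\b(powershell|mshta|rundll32|regsvr32|wscript|cscript|certutil)(\.exe)?\b",
                    re.IGNORECASE)
ENCODED = re.compile(r"-(enc|encodedcommand)\b", re.IGNORECASE)


def suspicious_reasons(command):
    reasons = []
    if USER_WRITABLE.search(command):
        reasons.append("runs from user-writable path")
    if LOLBIN.search(command):
        reasons.append("living-off-the-land binary")
    if ENCODED.search(command):
        reasons.append("encoded PowerShell command")
    return reasons


def diff_run_keys(baseline, snapshot):
    """Return (name, change, command, reasons) for entries added, changed or
    removed relative to the baseline. reasons is empty when the command
    itself looks benign; the diff alone is still worth a look."""
    findings = []
    for name, cmd in snapshot.items():
        if name not in baseline:
            findings.append((name, "added", cmd, suspicious_reasons(cmd)))
        elif baseline[name] != cmd:
            findings.append((name, "changed", cmd, suspicious_reasons(cmd)))
    for name in sorted(baseline.keys() - snapshot.keys()):
        findings.append((name, "removed", baseline[name], []))
    return findings


def scan(baseline, hosts):
    """Diff every host snapshot against the baseline."""
    return {h: diff_run_keys(baseline, snap) for h, snap in hosts.items()}


if __name__ == "__main__":
    print("comparing", RUN_KEY)
    for host, findings in scan(BASELINE, HOSTS).items():
        for name, change, cmd, reasons in findings:
            print(f"{host}: {name} {change}: {cmd}  {reasons}")
```

Only the `Run` key is modelled here; a real baseline should cover the other autostart locations as well (RunOnce, services, scheduled tasks, Winlogon entries), and removed entries matter too, since malware sometimes disables security software's own autorun.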
10. DNS Request Anomalies
Command-and-control traffic patterns are often left behind by malware and attackers. The command-and-control channel allows ongoing management of the attack. It must be secure enough that defenders can’t easily take it over, but that very structure makes it stick out like a sore thumb. A large spike in DNS requests from a specific host is a good IOC, as are unusually long or random-looking query names. External host data, geoIP, and reputation data all come together to alert an IT professional that something isn’t quite right.
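The DNS spike, and the random-looking names that DNS tunnelling and domain-generation algorithms produce, can be checked per client from a resolver log. The following is an added example, not code from the article; the query log is constructed, and the geoIP and reputation signals the text mentions are not modelled.

```python
"""DNS request-rate spikes and random-looking query names per client (added
example, not from the article). The query log is constructed; real input
would come from a resolver log or passive DNS sensor. The geoIP and
reputation signals the article mentions are not modelled here."""
import hashlib
from collections import defaultdict
from math import log2

BASE = 1_700_000_000

NORMAL_NAMES = ["www.example.com", "mail.example.org", "cdn.example.net", "login.example.com"]

# Constructed query log: (epoch_seconds, client_ip, qname)
QUERIES = (
    # 10.0.0.5: 200 queries in one minute, each a long hex label under one domain (tunnel-like)
    [(BASE + (i * 60) // 200, "10.0.0.5",
      hashlib.sha256(str(i).encode()).hexdigest()[:40] + ".t.exfil.example") for i in range(200)]
    # 10.0.0.9: 15 ordinary lookups in a minute
    + [(BASE + 4 * i, "10.0.0.9", NORMAL_NAMES[i % 4]) for i in range(15)]
    # 10.0.0.12: 30 ordinary lookups spread over five minutes
    + [(BASE + 10 * i, "10.0.0.12", NORMAL_NAMES[i % 4]) for i in range(30)]
)


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * log2(c / n) for c in counts.values()) if n else 0.0


def looks_encoded(qname, min_len=20, min_entropy=3.0):
    """True when the leftmost label is long and high-entropy, as tunnelled
    data or DGA names tend to be; 'www' or 'mail' never qualify."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def peak_rate(stamps, window_s=60):
    """Most queries inside any window_s-second window (sliding window)."""
    stamps = sorted(stamps)
    best, j = 0, 0
    for i, t in enumerate(stamps):
        while t - stamps[j] >= window_s:
            j += 1
        best = max(best, i - j + 1)
    return best


def per_client_stats(queries, window_s=60):
    stamps, encoded, total = defaultdict(list), defaultdict(int), defaultdict(int)
    for ts, client, qname in queries:
        stamps[client].append(ts)
        total[client] += 1
        encoded[client] += looks_encoded(qname)
    return {c: {"peak_per_min": peak_rate(stamps[c], window_s),
                "encoded_frac": encoded[c] / total[c]} for c in stamps}


def dns_anomalies(queries, max_per_min=100, max_encoded_frac=0.5):
    """Clients exceeding the request-rate ceiling or whose names mostly look encoded."""
    return {c: s for c, s in per_client_stats(queries).items()
            if s["peak_per_min"] > max_per_min or s["encoded_frac"] > max_encoded_frac}


if __name__ == "__main__":
    for client, s in per_client_stats(QUERIES).items():
        print(f"{client}: peak {s['peak_per_min']}/min, encoded names {s['encoded_frac']:.0%}")
    print("anomalous clients:", sorted(dns_anomalies(QUERIES)))
```

The rate ceiling should come from your own baseline (a mail server or a resolver forwarder legitimately makes far more queries than a workstation), and the entropy rule will flag some CDN and cloud hostnames, so the two signals are most useful together and enriched with the reputation data the text describes.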
IOC Detection and Response
These are just a handful of the ways suspicious activity can show up on a network. Luckily, IT professionals and managed security service providers look for these and other IOCs to decrease response time to potential threats. Through dynamic malware analysis, these professionals can understand the security violation and treat it immediately.
Monitoring for IOCs enables your organization to identify what a threat actor did while they had access to the environment. A compromise assessment of your systems helps your team become as ready as possible for the kinds of threats your company may face. Because an indicator is evidence of something that has already happened, responding to IOCs is reactive rather than proactive, but early detection can mean the difference between a full-blown ransomware attack that leaves your business crippled and a few missing files.
IOC security requires tools that provide the necessary monitoring and forensic analysis of incidents through malware forensics. IOCs are reactive in nature, but they’re still an important piece of the cybersecurity puzzle, helping ensure an organization does not fall victim to the same attack again.
Another important part of the puzzle is your data backup, in case the worst does happen. With a backup you won’t be left without your data, or without any way to avoid the ransom attackers might demand.
The battle against malware and cyber attacks is ongoing and difficult, as the threats evolve every day. Your security team likely has policies already in place to try and curb as many of these threats as possible. Keeping your organization well-informed and trained on those policies is just as important as the monitoring.
Contact us today to see how our cybersecurity services might help your organization.