Indicators of compromise (IoCs) are clues and evidence of a data breach in the form of digital breadcrumbs. These indicators can tell us whether a cyberattack has occurred, who was behind it and what tools may have been used. This information is generally obtained from security software, including anti-malware and antivirus systems.
Some of the most common IoCs to watch for are:
Unusual traffic patterns between internal systems
Unusual usage patterns for privileged accounts
Administrative access to your network from unexpected geographical locations
A spike in database read volumes
A high rate of authentication attempts and failures
Unusual configuration changes
Various IoCs help gauge whether suspicious activity has occurred, including the unusual traffic patterns between internal systems, unusual usage patterns for privileged accounts and administrative access from unexpected geographical locations listed above. Digital artifacts include suspicious IP addresses and hostnames, URLs and domain names of botnets, MD5 hashes of malware files, virus signatures, Windows registry entries, network processes, and services. Security administrators can find indicators of compromise in host logs and network device logs.
Attackers use automation to authenticate with phished credentials, so an unusually high number of failed authentication attempts is a strong sign that a bad actor may be trying to find a way into the system. Configuration changes on files, servers, and devices that give an attacker backdoor access are likewise good indicators that an attack has happened.
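The log-based indicators above (a burst of failed authentication attempts, a privileged login from an unexpected location, and a success that follows a burst from the same source) can be turned into simple detection logic. The script below is an added example, not code from the original post or from Packetlabs; the log lines, the sshd-style line format, the prefix-to-country table standing in for a GeoIP lookup, the expected-country set and the privileged-user list are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines in an sshd style (not real data).
SAMPLE_LOG = """\
2024-10-01T09:00:01 sshd: Failed password for admin from 203.0.113.7
2024-10-01T09:00:02 sshd: Failed password for admin from 203.0.113.7
2024-10-01T09:00:03 sshd: Failed password for root from 203.0.113.7
2024-10-01T09:00:04 sshd: Failed password for admin from 203.0.113.7
2024-10-01T09:00:05 sshd: Failed password for admin from 203.0.113.7
2024-10-01T09:00:06 sshd: Accepted password for admin from 203.0.113.7
2024-10-01T09:15:00 sshd: Accepted publickey for alice from 10.0.0.5
2024-10-01T09:30:00 sshd: Failed password for bob from 10.0.0.9
2024-10-01T09:31:00 sshd: Accepted password for bob from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Assumed, constructed prefix-to-country table standing in for a real GeoIP lookup.
GEO_PREFIXES = {"10.": "CA", "203.0.113.": "XX"}
EXPECTED_COUNTRIES = {"CA"}          # where admin logins are normally expected from
PRIVILEGED_USERS = {"admin", "root"}  # accounts whose usage patterns we watch closely


def parse_events(text):
    """Turn raw log text into a list of authentication events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication event; ignore
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def country_for(ip):
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def find_failure_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: max_failures_in_window} for sources with a failure burst."""
    by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def find_privileged_geo_anomalies(events):
    """Successful privileged logins from a country outside the expected set."""
    return [
        (e["user"], e["ip"], country_for(e["ip"]))
        for e in events
        if e["ok"] and e["user"] in PRIVILEGED_USERS
        and country_for(e["ip"]) not in EXPECTED_COUNTRIES
    ]


def find_success_after_burst(events, bursts):
    """Logins that succeeded from a source already flagged for a failure burst."""
    return [(e["user"], e["ip"]) for e in events if e["ok"] and e["ip"] in bursts]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    bursts = find_failure_bursts(evs)
    print("failure bursts:", bursts)
    print("privileged logins from unexpected locations:", find_privileged_geo_anomalies(evs))
    print("success after burst:", find_success_after_burst(evs, bursts))
```

Run against the sample, the single user with one failed attempt is left alone, while the source that fails five times inside a minute and then succeeds as a privileged user from an unexpected country trips all three checks. The threshold and window are the tuning knobs; in a real deployment they would be set from a baseline of normal authentication volume for each system.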
Although both indicators of compromise and indicators of attack (IoAs) are detection methods, they differ in their approach to detection. IoCs are generally more reactive, as they look at past events and flag problems after the fact. IoAs, on the other hand, uncover indicators in real time. The tools used for both types of indicators rely on evidence and metadata that give investigators clues into the state of an attack.
Multiple indicators of compromise related to an incident can become available during an investigation. By pivoting from those indicators to related characteristics, an organization can build a fuller picture of the whole incident.
Organizations can use these indicators to research and understand the incident more thoroughly. If the obtained information is file-based, the company can derive unique characteristics of those files that can be applied, and even shared with other organizations, to contain the spread of an attack.
Some of these characteristics include:
The hash value of the file – MD5, SHA-1, SHA-256 – can help detect malicious files within the organization.
Malware often copies itself to a specific location on the system and renames the copy so that it starts again when the system is restarted. The location and file name are therefore critical indicator-of-compromise characteristics.
Attackers often use different variants of the same malicious file that differ only slightly but share a similar content pattern. This is usually done to avoid detection.
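The three file-based characteristics just listed (hash values, drop location and file name, and near-identical variants) can be checked together in a small scanner. The script below is an added example, not code from the original post or from Packetlabs. The "malware" sample is a harmless constructed byte string, the IoC database (hashes, path patterns, reference sample, similarity threshold) is constructed for the example, and the byte n-gram Jaccard similarity used to catch variants is one simple choice standing in for the fuzzy-hashing tools a production scanner would use.

```python
import fnmatch
import hashlib


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a file's contents, for exact-match IoC lookups."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def byte_ngrams(data: bytes, n: int = 4) -> set:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def ngram_similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of byte n-gram sets; 1.0 means identical n-gram content."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


# Constructed reference sample: harmless bytes that merely look like a dropped binary.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"EVIL-PAYLOAD-v1 " * 20 + b"persist=HKCU\\Run"

# Constructed IoC database (assumed format; not a real feed).
IOC_DB = {
    "hashes": {file_hashes(KNOWN_SAMPLE)["sha256"]},
    "paths": ["*/AppData/Roaming/*/svch0st.exe", "/tmp/.x/*"],
    "reference_samples": {"constructed-family-v1": KNOWN_SAMPLE},
    "similarity_threshold": 0.6,
}


def check_file(path: str, data: bytes, iocs: dict = IOC_DB) -> list:
    """Return the list of IoC hits for one file: exact hash, drop path, or variant."""
    hits = []
    h = file_hashes(data)
    if h["sha256"] in iocs["hashes"]:
        hits.append(("hash", h["sha256"]))
    norm = path.replace("\\", "/")  # normalise Windows separators before matching
    for pattern in iocs["paths"]:
        if fnmatch.fnmatch(norm, pattern):
            hits.append(("path", pattern))
    if not any(kind == "hash" for kind, *_ in hits):
        # Only look for variants when the exact hash did not already match.
        for name, ref in iocs["reference_samples"].items():
            score = ngram_similarity(data, ref)
            if score >= iocs["similarity_threshold"]:
                hits.append(("variant", name, round(score, 2)))
    return hits


def scan(candidates: list, iocs: dict = IOC_DB) -> dict:
    """Scan (path, contents) pairs and return {path: hits} for files with any hit."""
    results = {}
    for path, data in candidates:
        hits = check_file(path, data, iocs)
        if hits:
            results[path] = hits
    return results


# Constructed candidate files: exact copy in a suspicious drop location,
# a slightly modified variant, and a benign document.
VARIANT = KNOWN_SAMPLE.replace(b"v1", b"v2")
BENIGN = b"Hello, this is a benign document.\n"
CANDIDATES = [
    ("C:\\Users\\alice\\AppData\\Roaming\\Updater\\svch0st.exe", KNOWN_SAMPLE),
    ("/tmp/.x/loader", VARIANT),
    ("/home/bob/notes.txt", BENIGN),
]

if __name__ == "__main__":
    for path, hits in scan(CANDIDATES).items():
        print(path, "->", hits)
```

The exact copy is caught by its hash and by its drop path; the renamed variant misses the hash lookup but is still caught by the path pattern and by its content similarity to the reference sample; the benign file produces no hits. Sharing the hash set and path patterns with other organizations is the low-cost step; sharing similarity references catches the "small difference" variants that a hash alone misses.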
A compromise assessment is your answer to the question, “Has my company’s security been breached?” A compromise assessment can help you uncover undetected security breaches, malware or signs of unauthorized access by conducting an objective survey of your network and its devices. The assessment aims to find attackers currently present in your company’s IT environment, or those who have been active recently.
Read Compromise Assessment: A Case Study to learn more about the core objectives and assessment stages to manage cyber threats proactively.
https://www.packetlabs.net/posts/compromise-assessment/
Contact the team at Packetlabs to learn more about a compromise assessment and how it can help secure your company's IT environment to avoid potentially costly data breaches.
© 2024 Packetlabs. All rights reserved.