Indicators of compromise (IoCs) are clues and evidence of a data breach in the form of digital breadcrumbs. These indicators can tell us whether a cyberattack has occurred, who was behind it and what tools may have been used. This information is generally obtained from security software, including anti-malware and antivirus systems.
What Are Some Common Types of Indicators of Compromise (IoCs)?
Some of the most common IoCs to watch for are:
Unusual traffic patterns between internal systems
Unusual usage patterns for privileged accounts
Administrative access to your network from unexpected geographical locations
A spike in database read volumes
A high rate of authentication attempts and failures
Unusual configuration changes
Types of Indicators of Compromise (IoCs)
There are various IoCs that can be used to gauge whether suspicious activity has occurred. These include unusual traffic patterns between internal systems, unusual usage patterns for privileged accounts, administrative access to your network from unexpected geographical locations, and so on. Digital artifacts include suspicious IP addresses and hostnames, URLs and domain names of botnets, MD5 hashes of malware files, virus signatures, Windows registry entries, network processes, and services. Security administrators can find indicators of compromise in host logs and network device logs.
Attackers use automation to authenticate with phished credentials, so in the case of an unusually high number of failed authentication attempts, it is safe to assume that a bad actor may be attempting to find a way into the system. Configuration changes to files, servers, and devices that give an attacker backdoor access are likewise good indicators that an attack has happened.
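The two log-based indicators described above, a burst of failed authentication attempts from one source and privileged access from an unexpected location, can be checked directly against host logs. The following is an added example written for this page, not code from the original article or from any product it mentions. It works over constructed sshd-style auth-log lines embedded in the script; the trusted network range, the privileged user names, the threshold of five failures per minute and the log format are all assumptions chosen for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth-log lines in sshd style; they are not taken from any real host.
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd[101]: Failed password for admin from 203.0.113.5 port 51000 ssh2
2024-03-01T10:00:04 host1 sshd[102]: Failed password for admin from 203.0.113.5 port 51001 ssh2
2024-03-01T10:00:07 host1 sshd[103]: Failed password for admin from 203.0.113.5 port 51002 ssh2
2024-03-01T10:00:09 host1 sshd[104]: Failed password for root from 203.0.113.5 port 51003 ssh2
2024-03-01T10:00:12 host1 sshd[105]: Failed password for admin from 203.0.113.5 port 51004 ssh2
2024-03-01T10:00:15 host1 sshd[106]: Accepted password for admin from 203.0.113.5 port 51005 ssh2
2024-03-01T10:05:00 host1 sshd[107]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2024-03-01T10:20:00 host1 sshd[108]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-03-01T10:21:00 host1 sshd[109]: Accepted publickey for bob from 10.0.0.12 port 40002 ssh2
"""

# Assumed log line shape: "<iso timestamp> <host> sshd[<pid>]: <Failed|Accepted> <method> for <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Assumed environment facts: the corporate address range and the accounts treated as privileged.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
PRIVILEGED_USERS = {"admin", "root"}


def parse_auth_log(text):
    """Return (timestamp, result, user, ip) tuples for every line that matches LINE_RE."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def _trim(queue, now, window):
    """Drop failure timestamps that have fallen out of the sliding window."""
    while queue and now - queue[0] > window:
        queue.popleft()


def analyze_auth_events(events, threshold=5, window_seconds=60):
    """Find sources whose failures in any sliding window reach the threshold, and any
    successful login from such a source while the burst is still within the window."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)
    spikes = {}            # ip -> peak failures observed inside one window
    success_after_burst = []  # (ip, user) for logins that followed a burst
    for ts, result, user, ip in events:
        queue = failures[ip]
        _trim(queue, ts, window)
        if result == "Failed":
            queue.append(ts)
            if len(queue) >= threshold:
                spikes[ip] = max(spikes.get(ip, 0), len(queue))
        elif len(queue) >= threshold:
            success_after_burst.append((ip, user))
    return {"spikes": spikes, "success_after_burst": success_after_burst}


def privileged_logins_from_outside(events, privileged_users=PRIVILEGED_USERS, trusted=TRUSTED_NETWORKS):
    """Return (timestamp, user, ip) for privileged logins whose source is outside trusted ranges."""
    flagged = []
    for ts, result, user, ip in events:
        if result == "Accepted" and user in privileged_users:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in trusted):
                flagged.append((ts.isoformat(), user, ip))
    return flagged


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    print(analyze_auth_events(evts))
    print(privileged_logins_from_outside(evts))
```

On the constructed lines, 203.0.113.5 reaches five failures inside one minute and then logs in as admin, so it appears in both the spike list and the success-after-burst list; the same login is also flagged as privileged access from outside the trusted range. The two failures from 198.51.100.7 are fifteen minutes apart and never reach the threshold, which is the kind of slow, low-rate activity a simple per-window count will miss and a longer window or per-account view would be needed to see.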
Indicators of Compromise vs. Indicators of Attack
Although both indicators of compromise and indicators of attack (IoAs) are detection methods, they differ in their approach to detection. IoCs are generally more reactive, as they look at past events and flag problems after the fact. IoAs, on the other hand, uncover indicators in real time. The tools used for both types of indicators rely on evidence and metadata that give investigators clues about the state of an attack.
Using IoCs to Your Benefit
Multiple indicators of compromise related to an incident can become available during an investigation. Using these indicators, organizations can extend the known characteristics of the incident and understand it more completely.
Organizations can use these indicators to research and understand the incident more thoroughly. If the obtained information is file-based, the company can extract unique characteristics of those files that can be applied internally and shared with other organizations to contain the spread of an attack.
Some of these characteristics include:
The hash value of the file – MD5, SHA-1, SHA-256 – can help detect malicious files within the organization.
Malware often copies itself to a specific location on the system and renames the copy so that it starts again when the system is restarted. The location and file name are therefore important characteristics of an indicator of compromise.
Attackers often use variants of the same malicious file that differ only slightly but share a similar content pattern. This is usually done to evade detection.
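The three file-based characteristics listed above (hash values, the persistence location and file name, and near-identical variants that defeat exact hash matching) can be checked with a small scanner. The following is an added example written for this page, not code from the original article. The reference sample, the variant, the benign file, the persistence path and the similarity threshold are all constructed for the example; the variant check uses Jaccard similarity over byte 4-grams, which is a deliberately simple stand-in for the fuzzy-hashing tools an analyst would normally use.

```python
import hashlib
import tempfile
from pathlib import Path, PurePosixPath

HASH_NAMES = ("md5", "sha1", "sha256")  # the three hash types the text lists


def file_hashes(data):
    """MD5, SHA-1 and SHA-256 of an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_NAMES}


def hash_file(path, chunk_size=1 << 20):
    """Same three hashes for a file on disk, read in chunks so large files are not loaded whole."""
    hashers = {name: hashlib.new(name) for name in HASH_NAMES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def byte_ngrams(data, n=4):
    """Set of all n-byte substrings: a cheap content fingerprint that survives small edits."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a, b, n=4):
    """Jaccard similarity of byte n-gram sets: 1.0 for identical content, 0.0 for nothing shared."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


# Constructed reference sample standing in for a malware file recovered in an earlier incident;
# the run of "A" bytes is padding so the sample has some length.
REFERENCE_SAMPLE = b"MZ\x90\x00payload-v1:" + b"A" * 200 + b";connect=c2.example.invalid"
# Constructed variant: same content pattern with a few bytes changed, so every hash differs.
VARIANT_SAMPLE = REFERENCE_SAMPLE.replace(b"v1", b"v2")
BENIGN_SAMPLE = b"Quarterly report: nothing unusual to report this period.\n"

# Constructed indicator set: known-bad hashes, a persistence location relative to the user
# profile (hypothetical path and file name), and reference content for variant matching.
IOC = {
    "sha256": {file_hashes(REFERENCE_SAMPLE)["sha256"]},
    "paths": {"AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/updater.exe"},
    "reference_samples": [REFERENCE_SAMPLE],
}


def assess_file(rel_path, data, ioc=IOC, variant_threshold=0.75, sha256=None):
    """Return the indicator types one file matches: 'hash', 'location' and/or 'variant'."""
    sha256 = sha256 or file_hashes(data)["sha256"]
    matches = []
    if sha256 in ioc["sha256"]:
        matches.append("hash")
    if str(PurePosixPath(rel_path)) in ioc["paths"]:
        matches.append("location")
    # Only fall back to similarity when the exact hash did not already identify the file.
    if "hash" not in matches and any(
        similarity(data, ref) >= variant_threshold for ref in ioc["reference_samples"]
    ):
        matches.append("variant")
    return matches


def scan_directory(root, ioc=IOC):
    """Walk a directory tree; return {relative_posix_path: [matches]} for files that hit an indicator."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            matches = assess_file(rel, path.read_bytes(), ioc, sha256=hash_file(path)["sha256"])
            if matches:
                hits[rel] = matches
    return hits


def run_demo():
    """Write the constructed samples into a temporary profile-like tree and scan it."""
    files = {
        "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/updater.exe": REFERENCE_SAMPLE,
        "Downloads/setup_helper.exe": VARIANT_SAMPLE,
        "Documents/report.txt": BENIGN_SAMPLE,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_directory(tmp)


if __name__ == "__main__":
    for rel, matches in run_demo().items():
        print(f"{rel}: {', '.join(matches)}")
```

The exact copy dropped in the startup folder matches on both hash and location, the renamed variant matches on neither hash nor path but is caught by content similarity, and the benign document matches nothing. Sharing the hashes and the persistence path with other organizations is what the text means by applying file characteristics beyond one company; sharing a reference sample for similarity matching is the usual way to cover the variants that exact hashes miss.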
Has my company's security been breached?
A compromise assessment is your answer to the question “Has my company’s security been breached?” A compromise assessment can help you uncover undetected security breaches, malware or signs of unauthorized access by conducting an objective survey of your network and its devices. The assessment aims to find attackers currently present in your company’s IT environment, or those who have been active recently.
Read Compromise Assessment: A Case Study to learn more about the core objectives and assessment stages to manage cyber threats proactively.