Indicators of Compromise (IoCs)

Indicators of compromise (IoCs) are the clues, artifacts, and pieces of forensic data that point to a potential intrusion on a host system or on an organization's network. These artifacts enable information security (InfoSec) professionals and system administrators to detect intrusion attempts and other malicious activities.


IoCs are not intelligence in themselves, although they are a good source of information about threats and serve as data points in the intelligence process. Security researchers need to monitor IoCs continuously to detect and respond to evolving cyber threats effectively and efficiently, and they use IoCs to better analyze a particular malware's techniques and behaviours. Security professionals use various tools to monitor IoCs; doing so helps security teams enhance security controls and policies, and it provides actionable threat intelligence that can be shared within the community to further improve an organization's incident response and remediation strategies.


Here are some indicators of compromise that information security professionals and system administrators watch out for:

  • Unusual traffic going in and out of the network.
  • Unknown files, applications, and processes on the system.
  • Suspicious activity in administrator or privileged accounts.
  • Geographical anomalies, such as traffic to or from countries the organization doesn't do business with.
  • Multiple log-in failures, access attempts, and other network activities that indicate probing or brute-force attacks.
  • Anomalous spikes in requests and read volume on company files.
  • Large HTML response sizes.
  • Signs of DDoS activity.
  • Network traffic on unusually used ports, or traffic whose port does not match the expected application.
  • Tampered files, Domain Name Server (DNS) and registry configurations, as well as changes in system settings, including those on mobile devices.
  • Large amounts of compressed files and data found, without explanation, in locations where they shouldn't be.
  • Bundled data in the wrong places.


Categories of IoCs

  • Email Indicators come from emails used to send malicious data to the target organization or individual. This kind of socially engineered email is preferred by attackers due to its ease of use and comparative anonymity. Examples include the sender's email address, the email subject, and attachments or links.
  • Network Indicators are useful for identifying command and control, malware delivery, and details about the operating system, browser type, and other computer-specific information. Examples include URLs, domain names, and IP addresses.
  • Host-Based Indicators are found by analyzing an infected system within the organizational network. Examples include filenames, file hashes, registry keys, DLLs, and mutexes.
  • Behavioural Indicators are used to identify specific behaviour related to malicious activities, such as code injection into memory or an application running a script. They help identify indicators of intrusion such as malicious IP addresses, virus signatures, MD5 hashes, and domain names. Examples include a document executing a PowerShell script, and remote command execution.
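The following is an added example, not code from the original post, showing how the two ideas above fit together in practice: a small set of indicators grouped by the email, network and host categories, matched against a constructed event log, plus two heuristics from the watch-out list (multiple log-in failures from one source, and connections on unusually used ports). Every indicator value, address, hash, log record, port allow-list and threshold below is constructed for illustration and is not a real IoC; the event field names are assumptions for this example.

```python
from collections import Counter
from typing import Dict, List, Set

# Constructed indicator set grouped by the post's categories (email, network,
# host). Every value is a placeholder made up for this example, not a real IoC.
IOC_SET: Dict[str, Set[str]] = {
    "email": {"sender@example-bad.test"},                 # sender address
    "network": {"198.51.100.23", "bad-c2.example.test"},  # IP address, domain name
    "host": {"0123456789abcdef0123456789abcdef"},         # file hash (placeholder)
}

# Constructed event log, one record per observation. Documentation-range
# addresses (RFC 5737) and .test domains are used so nothing here is real.
SAMPLE_EVENTS: List[dict] = [
    {"type": "email", "from": "sender@example-bad.test", "subject": "Invoice"},
    {"type": "conn", "src": "10.0.0.5", "dst": "198.51.100.23", "dport": 443},
    {"type": "conn", "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 4444},
    {"type": "dns", "src": "10.0.0.7", "query": "bad-c2.example.test"},
    {"type": "file", "host": "ws-12", "hash": "0123456789abcdef0123456789abcdef"},
]
# Six failed logins from one source, then one failure and a success from another.
SAMPLE_EVENTS += [
    {"type": "login", "src": "203.0.113.7", "user": "admin", "result": "fail"}
    for _ in range(6)
]
SAMPLE_EVENTS += [
    {"type": "login", "src": "10.0.0.9", "user": "alice", "result": "fail"},
    {"type": "login", "src": "10.0.0.9", "user": "alice", "result": "ok"},
]

# Which field of each event type carries a value comparable against the IoC set.
OBSERVABLE_FIELD = {"email": "from", "conn": "dst", "dns": "query", "file": "hash"}


def match_iocs(events: List[dict], ioc_set: Dict[str, Set[str]]) -> List[dict]:
    """Return one hit per event whose observable appears in any IoC category."""
    hits = []
    for index, event in enumerate(events):
        field = OBSERVABLE_FIELD.get(event["type"])
        if field is None:
            continue  # login events carry no atomic indicator; see the heuristics below
        value = event[field]
        for category, values in ioc_set.items():
            if value in values:
                hits.append({"index": index, "category": category, "value": value})
    return hits


def detect_failed_logins(events: List[dict], threshold: int = 5) -> Dict[str, int]:
    """Sources with at least `threshold` failed logins (the 'multiple log-in
    failures' indicator). Returns {source: failure_count}; the threshold is an assumption."""
    failures = Counter(
        e["src"] for e in events if e["type"] == "login" and e["result"] == "fail"
    )
    return {src: n for src, n in failures.items() if n >= threshold}


def detect_unusual_ports(
    events: List[dict], expected_ports: Set[int] = frozenset({22, 53, 80, 443})
) -> List[int]:
    """Indexes of connections to ports outside the expected set (the 'unusually
    used ports' indicator). The allow-list of ports is an assumption."""
    return [
        i for i, e in enumerate(events)
        if e["type"] == "conn" and e["dport"] not in expected_ports
    ]


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_EVENTS, IOC_SET):
        print(f"IoC hit: event={hit['index']} category={hit['category']} value={hit['value']}")
    for src, n in detect_failed_logins(SAMPLE_EVENTS).items():
        print(f"Brute-force suspect: source={src} failed_logins={n}")
    for i in detect_unusual_ports(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"Unusual port: event={i} {e['src']} -> {e['dst']}:{e['dport']}")
```

Atomic indicators (addresses, domains, hashes) are cheap to match but only catch what is already known, which is why the list above pairs them with behavioural heuristics: the brute-force and unusual-port checks fire on activity patterns rather than on a specific value, so they still work when an attacker changes infrastructure.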

We hope this helps. If you have any suggestions or doubts, you can add a comment and we will reply as soon as possible.
