SOURCE: Flickr
An indicator of compromise (IOC) refers to something left by a cyberattacker on your system. Whether this was intentional or a mistake might not be clear initially. A cyberattacker might leave an indicator of compromise directly through system activity or indirectly through system modification.
Cyberattackers often take months to implement, escalate, and position their attacks correctly. In turn, this gives your cybersecurity teams more than enough time to find and stop a potential attack. An indicator of compromise can help you determine if an attack is happening. It can also give you the necessary breadcrumbs to help you determine what the attacker is after in the first place.
In this article, you’ll learn what an indicator of compromise is in more detail. I’ll also provide several examples where using one might prove beneficial for your cybersecurity practices.
Let’s begin with a definition!
What Is an Indicator of Compromise?
An indicator of compromise refers to the disturbed ground and artifacts left by a cyberattacker during and after an attack. This can include anything from altered or deleted files to logged events. Information security (InfoSec) professionals and admins can use these artifacts to detect future intrusions. Further, they can use them to determine the reason for the attack.
In addition, an indicator of compromise can help you understand malware or attack techniques. It can also help in patch creation and remediation strategy formation.
Now that you know what an indicator of compromise is, it’s time to look at some examples! These examples can give you an idea of what to look out for during and after a cyberattack.
14 Ways an IOC Can Help You Refine Your Cybersecurity Practices
Below are 14 common examples where using an indicator of compromise will prove useful. Remember that any change to your system can be useful to you as an indicator of compromise. To this end, the list below isn’t exhaustive, so use your discretion and judgment when necessary.
1. Suspicious Privileged User Activity
Most cyberattacks need some form of privilege escalation to initiate a cyberattack. In essence, you should look out for any suspicious privileged activity. You can do this by checking your server, administrative, platform, and database logs. If anything looks suspicious, raise an alert as soon as possible.
2. Errors during Login Activities
SOURCE: Flickr
Cybercriminals sometimes use brute-force attacks to pass the hash by using dictionary attacks. Businesses often safeguard against these attacks by using timeouts to stop users from entering credentials for a few seconds. Another way you can defend against these attacks is by allowing the user a few guesses before a reset.
That said, you should search all logs for login mismatches or errors in the passwords entered. For instance, many error messages might include ones for special characters not used in your password system. Dictionaries not optimized for a specific system may add a Greek character, for instance. Most error messages will flag this. For large logs, you can filter by error type and use the “Ctrl-F” search function to speed up the search process.
3. DNS Requests
A Domain Name System (DNS) converts human-readable names to or from the IP address that your network and the internet use. As an indicator of compromise, you can check your DNS logs for foreign DNS or IP addresses outside of operational normality.
4. Unhuman Web Traffic
This indicator of compromise involves using common sense to assess if your network traffic makes sense. You can use your logs or proprietary software to help you with that. In short, ask yourself why an administrator is logging in to your system at three in the morning, for instance. Remember that cyberattackers often need administrative privileges to run the majority of attacks.
5. Unusual Outbound Network Traffic
Cyberattackers use attacks to extract information from a network, such as business intellectual property. To this end, you should monitor how much data is often outbound. Then, you should use this as a benchmark when assessing anonymous outbound activity. An intrusion detection system (IDS) and/or intrusion prevention system (IPS) hosted around your network can help you create a baseline.
6. Strange Geographical Locations
SOURCE: Picryl
You can use geofencing or geotagging as an indicator of compromise. Here, you’ll see if connections are coming from locations your business has dealings with. If you notice any suspicious locations popping up, it might be a cyberattacker trying to access your network. Most router or cybersecurity solutions can create alerts and push notifications based on the connection’s location. In turn, these can let you know if an attack is in progress.
7. Increased Database Read Volume
Almost every platform we use requires a database to store information for queries. Some cybercriminals might want to go directly after sensitive data in your database. Others might want access to the rest of your system by fuzzing the database through an external interface.
For instance, an attack could start with attackers adding random code into a website’s search box to see what it returns. Once an attacker receives enough backend functions, they can access your database for administrator privileges. In turn, this allows them to access the rest of the platform. A database monitoring tool can notify you of any fuzzing attacks taking place.
Another solution is to use timeouts on database commits to slow down attackers. Slowing the commits used in a querying process can make it almost impossible for cybercriminals to map the database and access your system. Because of this, consider using long and complex database passwords and usernames for your database user. You only need to enter these credentials when adding platforms or upgrading, but it can help reduce brute-force attacks for database credentials. Never use default or generic database credentials. Similarly, never assume that they’re not publicly accessible.
8. Unusual HTML Response Sizes
For web-based platforms, the response size is a metric that helps developers assess a website’s performance. Moreover, you can use this metric as an indicator of compromise to determine if someone added code to your platform. In short, this added code could equate to someone trying to steal your credentials or doing something nefarious.
Therefore, it’s useful to create a tree diagram of your web application and define what each page size is. You can do this by using a browser’s development tools or assessing the file size for each page on the server. You can check the file sizes periodically and put this information in a periodic report for your system. Often, in the case of reports, it’s handy to have the previous report sizes specified for the reader and yourself.
9. Mobile Device Profiles Changes
Businesses often set up mobile devices specific to their security policies. Any changes in mobile device profiles could indicate a compromise. However, they can also indicate a platform update that propagates developer changes, which could override your initial selection. Therefore, always treat profile changes with suspicion. You can verify what caused the changes by looking at the update logs.
10. Signs of DDoS Activity
You should find it relatively easy to spot Distributed Denial-of-Service (DDoS) activity. Essentially, attackers use bots located on different machines previously compromised in a DDoS attack. Your platforms will suddenly stop working due to a surge of queries needing processing.
To help prevent these attacks, you should overprovision resources across your system. Administrators often do this by providing 500% more capacity than needed. That said, this is a speculative rule of thumb. To elaborate, you can add more or less depending on what you decide is suitable. Lastly, remember that this doesn’t stop a DDoS attack entirely. It’s simply a way to provide more resources than the attack can handle.
11. Incorrectly Placed Data Bundles
SOURCE: Wikimedia
Your system works to a logical rationale. Thus, finding data in the wrong location is an indicator of compromise. This could be the result of a cyberattacker modifying your system, or the data was simply added by the attacker. One solution is to scan files and compare them against a controlled environment if you’re unsure. Additionally, remember to check if your certificates are correct and up-to-date.
12. Suspicious Port-Application Traffic
Some attacks work by changing the port used to communicate with various systems. This often happens to bypass “hardening” countermeasures. A cyberattacker can also use this to bypass areas that administrators didn’t appropriately harden. One common mistake administrators make is adding traffic rules to an intended connection route but forgetting the FTP port. As a result, bad actors can easily bypass security measures. You tend to also see this with HTTP and HTTPS connection routes.
13. Registry or System File Changes
The registry is your roadmap to resources, so any could be indicative of an attack taking place. Cyberattackers might add files to your registry without you knowing. This indicator of compromise should motivate you to monitor your registry closely. Various third-party utilities can also help you check code copies of your registry or security software solution.
14. Abrupt Patching
SOURCE: Wikimedia
Patches fix exploits, yet some attacks install malware using the same process. Cybercriminals often use an injection attack to implement their malware. In short, they add the malware to your machine’s RAM, and the patch then runs off the flash memory.
This means the attacker will never need to ask permission to save the malware to a hard drive location. Additionally, flash memory is a random jumble of data at any point in time, making it impossible for security software to scan for malware. In essence, a patching attack can happen in any of your current sessions. If you suspect something is wrong and your computer starts patching without your consent, switch your machine off. In turn, the attacker will have to reinject the malicious payload.
Those are 14 examples of how using an indicator of compromise can be beneficial in stopping or hindering cyberattackers. Let’s recap.
Final Thoughts
To conclude, cyberattackers are sneaky individuals that seek to harm you by stealing your valuable data. They can sometimes be sloppy and leave behind an indicator that can expose them. Using an indicator of compromise is one solution to avoiding future attacks. You can use them to determine the attacker’s objective and attack mechanism.
The above list is simply a taste of what you can expect in the wild. In short, most attacks require escalated privileges of some sort. To this end, consider saving this article as a reference for future use.
Do you have more questions about indicators of compromise? Check out the FAQ and Resources sections below!
FAQ
How many types of malware do I have to worry about?
12 distinct types of malware exist in the wild. That said, malware attacks require the attacks to create variations and mashups to get around countermeasures. Thus, you can easily stop attacks efficiently if you know the underlying playbooks.
How much time do I have to stop a cyberattack?
This depends on the type of attack. For instance, a DDoS attack takes you offline immediately, so you have zero time to stop collateral damage for your company. For attacks that require positioning and escalated privileges, you often have around four to six months to find and stop them. It’s also important to note that the average security specialist finds these attacks in about two months.
Should I hire a third-party cybersecurity team?
If you hire a third party to manage your security, you’ll pay them a premium in the hopes that they’ll never cause you problems. This is because they have the same skills as the cybercriminals they work against. Additionally, you pay them a premium for their hard-to-find skills. However, the benefit here is that they can assess threats better than any software on the market. This is because, generally, software can’t assess malicious intent.
How do I protect my small business from cyberattacks?
You can choose from several other options if you don’t have the resources for cybersecurity teams or in-house cybersecurity skills. Using a mix of upskilling administrators and high-quality security software can help. Furthermore, a unified threat management strategy is helpful when aligning your business’s security.
What is penetration testing?
Penetration testing is the process used to assess your security risks to cyberattacks. Several tools and techniques, ranging from social engineering to brute-force attacks, can help you test your security for vulnerabilities. In short, you should have at least two people in your company with some penetration testing experience.
Resources
TechGenix: Article on Penetration Testing
Learn about penetration testing and how it can help secure your business.
TechGenix: Article on DDoS Attacks
Discover how DDoS attacks work and what you can do to mitigate them.
TechGenix: Article on Cybersecurity Jobs
Get more information about cybersecurity jobs and the peaks of joining an in-demand sector.
TechGenix: Article on Cybersecurity and Network Security
Find out the differences between cybersecurity and network security.
TechGenix: Article on Lateral Movement
Educate yourself on lateral movement and how cyberattackers use it to break into your endpoints.