What are indicators of compromise?
Indicators of compromise (IOCs) are often described as "digital breadcrumbs". They are pieces of evidence indicating that a cyberattack is in progress or has already taken place. IOCs can also provide insights into the tools used during an attack, who is behind it, and more.
About Indicators of Compromise
Security teams use indicators of compromise to search for malicious activity or threats. These indicators can be incorporated into your business's cybersecurity monitoring. They can help you stop a cyberattack that's in progress. Plus, you can use IOCs to find ways to detect and stop ransomware, malware, and other cyberthreats before they cause data breaches.
How do Indicators of Compromise Work?
When a cybercriminal attacks your company, the criminal leaves a digital footprint. For example, your security team may see cybercriminal activity in your system and log files after a cyberattack. At this stage, your team can collect digital forensics data from these systems and files. From here, your team can determine if a cyberattack or data breach is in progress or has already happened.
Your security team can look for indicators of compromise across your IT infrastructure. Or, you can hire a managed security service provider (MSSP) that searches for IOCs on your behalf. In either scenario, advanced technology and tools can be used to scan and analyse your network traffic and other sources for IOCs. If any suspicious activity is identified, it can be isolated accordingly.
Types of Indicators of Compromise
Network
Network IOCs include unusual traffic patterns, connections to malicious IP addresses or domains, or other signs of suspicious activity on a network. Intrusion detection systems (IDS), security information and event management (SIEM) systems, and other network monitoring tools can be used to detect these IOCs.
Host-Based
Host-based IOCs include unusual file activity, changes to system configuration settings, and other suspicious activity on a computer or system. Your business can detect host-based IOCs with endpoint detection and response (EDR), extended detection and response (XDR), and other endpoint security solutions.
File-Based
File-based indicators of compromise indicate malicious system files or malware. Examples of file-based IOCs include suspicious hashes, filenames, and file paths. EDR and sandboxing tools are commonly used to detect file-based IOCs.
Behavioural
Behavioural indicators of compromise such as multiple failed login attempts or unusual login times indicate suspicious user activity on a system or network. User monitoring tools such as user and entity behaviour analytics (UEBA) solutions can be used to identify behavioural IOCs.
Examples of Indicators of Compromise
- A spike or slowdown in network traffic or other unusual outbound network traffic activity
- Escalation of user-access privileges for a specific account, use of an account to access others that provide the user with additional privileges, or other privileged user account anomalies
- Account logins that come from outside the country where your business is located
- Multiple unsuccessful login attempts on a single account
- Multiple requests for access to a single file
- Use of a network port that was previously not in use
- Unauthorised changes to your registry or system files
- Domain name system (DNS) requests that occur suddenly and without notice
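To show how the network and behavioural IOC types above, and several items from this examples list, translate into detection logic, here is a small added example (not code from the original page). It runs over constructed log lines and a constructed list of known-bad domains, and flags repeated failed logins on one account, successful logins from outside the home country, and DNS requests for a domain on the IOC list; the log format, field names and threshold are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample auth/DNS log lines (not real data).
# Assumed format: <timestamp> <event> user=<name> src=<ip> country=<CC> [dst=<domain>]
SAMPLE_LOGS = """
2024-05-01T08:01:10 LOGIN_FAIL user=alice src=203.0.113.7 country=DE
2024-05-01T08:01:14 LOGIN_FAIL user=alice src=203.0.113.7 country=DE
2024-05-01T08:01:19 LOGIN_FAIL user=alice src=203.0.113.7 country=DE
2024-05-01T08:01:25 LOGIN_OK user=alice src=203.0.113.7 country=DE
2024-05-01T08:05:00 LOGIN_OK user=bob src=198.51.100.2 country=GB
2024-05-01T08:07:31 DNS user=bob src=198.51.100.2 country=GB dst=updates.example-bad.test
2024-05-01T09:00:00 LOGIN_OK user=carol src=192.0.2.10 country=GB
""".strip().splitlines()

# Constructed threat-intelligence feed of known-bad domains (placeholder value).
BAD_DOMAINS = {"updates.example-bad.test"}
HOME_COUNTRY = "GB"       # assumed country where the business operates
FAIL_THRESHOLD = 3        # assumed number of failures that counts as an IOC

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>\S+)(?: dst=(?P<dst>\S+))?$"
)

def parse(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_iocs(lines, home_country=HOME_COUNTRY, fail_threshold=FAIL_THRESHOLD,
              bad_domains=BAD_DOMAINS):
    """Return (ioc_type, user, detail) tuples for every IOC matched in the lines."""
    hits = []
    failures = Counter()   # failed logins seen per account so far
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["event"] == "LOGIN_FAIL":
            failures[rec["user"]] += 1
            # Fire once, exactly when the account crosses the threshold.
            if failures[rec["user"]] == fail_threshold:
                hits.append(("behavioural:repeated_failed_logins", rec["user"],
                             f"{fail_threshold} failures from {rec['src']}"))
        if rec["event"] == "LOGIN_OK" and rec["country"] != home_country:
            hits.append(("behavioural:foreign_login", rec["user"], rec["country"]))
        if rec["event"] == "DNS" and rec["dst"] in bad_domains:
            hits.append(("network:known_bad_domain", rec["user"], rec["dst"]))
    return hits
```

On the sample lines this yields three hits: alice's third failed login, alice's successful login from DE, and bob's lookup of the listed domain; carol's in-country login produces nothing.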
Lifecycle of Indicators of Compromise
1. Discovery
Your business can identify signs of compromise by:
- Looking through system logs.
- Analysing network traffic.
- Performing security scans.
- Receiving security alerts from devices and software.
2. Assessment
There are many tools and technologies that you can use to learn about a potential threat, including:
- Network traffic analysis
- Malware analysis
- System analysis
- Threat intelligence
3. Sharing
Once you have IOCs, you can share them with your employees, law enforcement agencies, or other businesses in your sector. When you do, you can:
- Find new ways to guard against threats.
- Identify cyberattack trends and patterns.
- Accelerate incident response and remediation.
4. Deployment
At this stage, you can implement security controls to enhance your cybersecurity posture. It is beneficial to establish multiple layers of controls so you can optimise your cyber protection.
5. Detection and Response
You can utilise multiple tools and techniques to monitor for IOCs. If an IOC is identified, you can:
- Isolate the affected system or network to prevent the threat from spreading.
- Block suspicious network traffic, quarantine infected systems, or take other steps to address the threat.
- Inform relevant stakeholders about the incident and the actions being taken to resolve it.
6. End of Life (EOL)
An IOC reaches the EOL stage when you have successfully mitigated it. Factors that can cause an IOC to no longer be relevant include:
- Technology changes: An IOC can become outdated because the technologies it refers to are no longer in use.
- Evolving threat landscape: The threats you face can change as the cyberthreat landscape continues to evolve.
- Security enhancements: IOCs can become redundant or unnecessary after you invest in state-of-the-art security tools or technologies.
What is an Indicator of Attack (IOA)?
An indicator of attack (IOA) refers to evidence that shows a cybercriminal intends to attack your business. To understand how an IOA works, let's consider an example.
With phishing attacks, cybercriminals attempt to get a target to click on a link or open a document that infects their device. They must identify potential targets and consider how to attract their attention. Also, they must execute several steps to get victims to download malicious software.
IOAs emphasise the steps that cybercriminals will take to launch attacks. By keeping an eye out for these steps, your business can close security gaps. Most importantly, you can stop cyberattacks in their early stages or before they happen.
Examples of Indicators of Attack
- Communication between public servers that don't typically communicate with each other
- Communication between internal hosts with recipients outside the country where your company operates
- Connections to non-standard ports
- Malware that reappears within a few minutes of being removed from an infected device
- User login that originates from multiple regions
Difference Between Indicators of Compromise and Indicators of Attack
Indicators of compromise are evidence that show a cyberattack is currently happening or has already occurred. As soon as a cybercriminal attacks your business, you can detect IOCs. These indicators can help you analyse the impact of an attack.
Comparatively, indicators of attack are evidence that show you could suffer a cyberattack soon. You can detect IOAs before a cyberattack or data breach. If you handle IOAs properly, you may be able to avoid data breaches.
Benefits of Monitoring for Indicators of Compromise
Monitoring for IOCs helps you rapidly identify and respond to security incidents. If left unaddressed, these incidents can disrupt your business, its employees, and its customers. These incidents can harm your brand reputation and financial performance. They can also compromise your business's sensitive data and lead to regulatory violations and penalties.
Challenges of Monitoring for Indicators of Compromise
Searching for IOCs is reactive — not proactive. Your business must wait for a cyberthreat to emerge across your IT infrastructure before an IOC is created for it. If you want to be proactive about cyber protection, your organisation can invest in more robust cybersecurity prevention products and services. In doing so, you can utilise IOCs to supplement your overall cybersecurity strategy.
IOC Management Best Practices
- Establish identity and access management (IAM) controls so you can quickly and easily identify who has access to your data, systems, and networks.
- Segment your networks — in this manner, if a cybercriminal penetrates one of your networks, you can diminish the likelihood that this criminal can jeopardise all of them.
- Use threat intelligence to stay up to date on the cyberthreat landscape, track current and emerging threats, and find the best ways to guard against them.
- Utilise managed detection and response (MDR), EDR, XDR, threat intelligence platforms, and other security tools and technologies to manage IOCs.
- Automate indicators of compromise analysis and correlation so you can prioritise the most-pressing IOC alerts based on severity and respond to critical threats right away.
- Establish an incident response plan that enables you to utilise IOCs to assess the severity of an incident and resolve it as swiftly and efficiently as possible.
- Partner with an MSSP that can analyse your cybersecurity posture, identify gaps, and help you determine the best ways to address security vulnerabilities now and in the future.
- Share IOCs with industry partners, so you can collaborate with industry peers to tackle cyberthreats across your sector.
- Review IOCs regularly and establish a retention policy according to your industry's regulatory requirements and your company's needs.
- Teach your employees about IOCs: what they are, how they work, and what they can do to protect against cyberthreats.