Indicators of Compromise (IoC) Definition
During a cybersecurity incident, indicators of compromise (IoC) are clues and evidence of a data breach. These digital breadcrumbs can reveal not just that an attack has occurred, but often, what tools were used in the attack and who’s behind them.
IoCs can also be used to determine the extent to which a compromise affected an organisation or to gather lessons learned to help secure the environment from future attacks. Indicators are typically collected from software, including antimalware and antivirus systems, but other artificial intelligence cybersecurity tools can be used to aggregate and organise indicators during incident response.
How do Indicators of Compromise Work?
As much as malware authors try to create software that always avoids detection, every application leaves evidence of its existence on the network. These clues can be used to determine whether the network is under attack or a data breach has occurred. Forensic investigators use these clues to aggregate evidence after a cybersecurity incident to prepare countermeasures and pursue criminal charges against an attacker. IoCs also reveal what data was stolen and the severity of the cybersecurity incident.
Think of indicators of compromise as the breadcrumbs left by an attacker after a cybersecurity incident. Anti-malware applications could partially stop the incident, but IoCs determine the data and files that were accessible to an attacker. They are crucial in finding vulnerabilities and exploits used by attackers to steal data because they offer the organisation information on the ways to better protect the network in the future.
Indicators of Compromise Vs. Indicators of Attack
Cybersecurity incidents have several phases. But in terms of investigations, there are two main concerns—is the attack ongoing, or has the issue been contained? Investigators use the indicators of compromise left by an attacker to answer both questions.
IoCs are used during incident response are used to determine the extent of an attack and data breached. Indicators of attack (IoA) are used to determine whether an attack is ongoing and must be contained before it can cause more damage.
Both IoC and IoA work with evidence and metadata that give investigators clues into the state of an attack. IoCs are used after an attack was contained, when the organisation needs to know where, what, and how. IoAs focus on a current attack that may be active and must be contained.
For extremely stealthy malware, a compromise could last for months before administrators are aware of it. IoAs will help determine whether suspicions are accurate or a false positive.
Examples of Indicators of Compromise
Large networks could have thousands of IoCs. For this reason, most evidence is aggregated and loaded into security event and event management (SIEM) systems to help forensic investigators organise data. Evidence can come from numerous locations, but here are a few discovery items that can be used as IoC:
- Unusual outbound traffic: Attackers will use malware to collect and send data to an attacker-controlled server. Outbound traffic during off-peak hours or traffic communicating with a suspicious IP could indicate a compromise.
- High-privilege user activity irregularities on sensitive data: Compromised user accounts are used to access sensitive data. A high-privileged user account is necessary for an attacker to access data that is otherwise locked down from standard user accounts with basic permissions. A high-privilege user account accessing sensitive data during off-peak hours or on files rarely accessed could indicate credentials were phished or stolen.
- Activity from strange geographic regions: Most organisations have traffic that comes from a targeted area. State-sponsored attacks and those that come from countries outside of the organisation’s targeted geographic area generate traffic indicators from outside of normal regions.
- High authentication failures: In account takeovers, attackers use automation to authenticate using phished credentials. A high rate of authentication attempts could indicate that an attacker has stolen credentials and is attempting to find an account that gives access to the network.
- Increase in database reads: Whether it’s SQL injection or access to the database directly using an administrator account, a dump of data from database tables could indicate that an attacker has stolen data.
- Excessive requests on important files: Without a high-privileged account, an attacker is forced to explore different exploits and find the right vulnerability to gain access to files. Numerous access attempts from the same IP or geographic region should be reviewed.
- Suspicious configuration changes: Changing configurations on files, servers, and devices could give an attacker a second backdoor to the network. Changes could also add vulnerabilities for malware to exploit.
- Flooded traffic to a specific site or location: A compromise on devices could turn them into a botnet. An attacker sends a signal to the compromised device to flood traffic at a specific target. High traffic activity from multiple devices to a specific IP could mean internal devices are part of a distributed denial-of-service (DDoS).
A compromise could be identified by one or several of the above indicators. A forensic investigator’s job is to go through all IoC evidence to determine what vulnerability was exploited.
Using Indicators of Compromise to Improve Detection and Response
After a cybersecurity incident, IoC can be used to establish what went wrong so that the organisation can avoid any future exploits from the same vulnerability.
In some cases, organisations fail to properly log and monitor the right resources. That oversight leaves them open to an attacker who can then avoid detection after an investigation. It’s important first to apply monitoring on the network to detect an attack, but for investigations, logs and audit trails are just as important.
IoC data points can be collected in real time to reduce response time during an investigation. SIEMs are used to separate noise from valuable evidence needed to identify an attack and its exploit vectors. Documenting current incident response procedures can also reduce the time it takes for an investigation. These procedures should be reviewed after a compromise to improve on them.
During incident response, the “lessons learned” phase is the last step. IoCs are be useful during this phase to identify what cybersecurity defences were incorrectly configured or insufficient to stop an attacker. The more thorough logs and audit trails organisation have, the more effective their investigation during incident response.