Why are indicators of compromise important?

With the help of Indicators of Compromise, you and your team can identify malicious activity or security threats, such as data breaches, insider threats, or malware attacks. Security breaches can take different forms: unknown files on the system, strange network patterns, unusual account behavior, or unexplained configuration changes. In this article, you will learn how to recognize eight types of indicators to protect your business!

What exactly are the Indicators of Compromise?

Indicators of compromise, or IoCs, are clues and evidence of a data breach, usually seen during a cybersecurity attack. These indicators can reveal that an attack has happened, what tools were used in the attack, and who is behind it. They are typically collected from security software, including antivirus and antimalware systems. For a better understanding, think of indicators of compromise as the breadcrumbs left behind by an attacker.

How do IoCs work?

When a malware attack happens, traces of its activity can be left in system and log files. If a security breach is suspected, the IoCs, or “forensic data”, are collected from these files by IT professionals. These clues can be used to determine whether a data breach has occurred or whether the network is under attack. Identifying IoCs is almost entirely handled by trained information security professionals. Usually, these people use advanced technology to scan and analyze large volumes of network traffic and isolate suspicious activity.

The most effective cybersecurity strategy combines human resources with advanced technological solutions (such as AI, ML, and other forms of intelligent automation) to better detect abnormal activity and improve response and remediation times.

How can you recognize the indicators?

There are some common IoCs that enterprise organizations should know how to detect and investigate. Here are the most common indicators of compromise for you to remember:

1. Unusual outbound network traffic

  • Anomalies in network traffic patterns and volumes are one of the most common signs of a security breach.
  • Keeping intruders out of your network is becoming increasingly difficult, so some experts say that it may be easier to monitor outgoing traffic for potential indicators of compromise.
  • When an intruder tries to extract data from your network, or when an infected system relays information to a command-and-control server, unusual outbound network traffic may be detected.

2. Activity from strange geographic areas

  • If, for example, your entire business operation is based in Los Angeles, United States, you should be alarmed to see a user connecting to your network from somewhere else, especially from a country with a bad reputation for international cybercrime.
  • Benjamin Caudill, the principal consultant for Rhino Security, says that: “As to data-breach clues, one of the most useful bits I’ve found is logs showing an account logging in from multiple IPs in a short time period, particularly when paired with geolocation tagging. More often than not, this is a symptom of an attacker using a compromised set of credentials to log into confidential systems.”
  • Monitoring the IP addresses on the network and where they come from is an easy way to detect cyber attacks before they can do real damage to your organization.

Multiple connections to your accounts from unexpected locations could be a good indicator of compromise

3. Unexplained activity by Privileged User Accounts

  • In complex cyberattacks, such as advanced persistent threats, a common method is to compromise low-privileged user accounts first, then escalate their privileges and authorizations or extend the attack to accounts with more privileges.
  • When security operators notice suspicious behavior from privileged user accounts, this may be evidence of an internal or external attack on the organization’s systems and data.

4. Substantial rise in database read volume

  • Most companies store their most sensitive and confidential data in databases. Therefore, your databases will always be a prime target for attackers.
  • A spike in database read volume is a good indicator that an attacker is trying to extract your data.

Kyle Adams, chief software architect for Junos WebApp Secure at Juniper Networks, says:

“When the attacker attempts to extract the full credit card database, it will generate an enormous amount of read volume, which will be way higher than you would normally see for reads on the credit card tables.”


5. High authentication failures

In account takeovers, attackers use automation to authenticate with phished credentials. A high rate of authentication attempts might indicate that someone has stolen credentials and is attempting to find an account that gives access to the network.
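Detection logic for this indicator over sample authentication log lines, as an added example that is not part of the original article. The sshd-style lines are constructed; the function flags sources and accounts with too many failures and lists the nonexistent account names each source tried, which also covers the failed-logins-for-accounts-that-do-not-exist case discussed later in the article.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd-style log lines (not taken from any real system).
AUTH_LOG = """\
Mar  1 10:00:01 bastion sshd[4011]: Failed password for alice from 203.0.113.5 port 50122 ssh2
Mar  1 10:00:03 bastion sshd[4012]: Failed password for invalid user admin from 198.51.100.9 port 41000 ssh2
Mar  1 10:00:04 bastion sshd[4013]: Failed password for invalid user test from 198.51.100.9 port 41001 ssh2
Mar  1 10:00:05 bastion sshd[4014]: Failed password for invalid user oracle from 198.51.100.9 port 41002 ssh2
Mar  1 10:00:06 bastion sshd[4015]: Failed password for root from 198.51.100.9 port 41003 ssh2
Mar  1 10:00:07 bastion sshd[4016]: Failed password for alice from 198.51.100.9 port 41004 ssh2
Mar  1 10:00:09 bastion sshd[4017]: Accepted password for alice from 203.0.113.5 port 50123 ssh2
""".splitlines()

# "invalid user" is what sshd prints when the account name does not exist.
FAILED = re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def analyse_auth_failures(lines, max_failures=5):
    """Summarise failed logins: sources and existing accounts with at least
    `max_failures` failures, plus the nonexistent account names each source tried."""
    by_ip, by_user, invalid_users = Counter(), Counter(), defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        by_ip[m["ip"]] += 1
        if m["invalid"]:
            invalid_users[m["ip"]].add(m["user"])
        else:
            by_user[m["user"]] += 1
    return {
        "high_failure_sources": sorted(ip for ip, n in by_ip.items() if n >= max_failures),
        "high_failure_accounts": sorted(u for u, n in by_user.items() if n >= max_failures),
        "nonexistent_accounts": {ip: sorted(u) for ip, u in invalid_users.items()},
    }
```

One failed attempt followed by success for alice from her usual address is normal; the second source produced five failures in five seconds, three of them against accounts that do not exist.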

6. Lots of requests on important files

  • Without a high-privileged account, an attacker is forced to explore different resources and find the right vulnerability to gain access to files.
  • When attackers find signs that an exploit might be successful, they will often try different permutations of it.
  • Kyle Adams stated the following: “you might see a single user or IP making 500 requests for ‘join.php,’ when normally a single IP or user would only request that page a few times max.”
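A baseline check over web server access logs for the pattern Adams describes (one client making hundreds of requests for a single page), as an added example that is not part of the original article. It also flags responses far larger than the path normally returns, the exfiltration sign discussed later in the article. The log lines, the baseline figures and the `/export.php` path are all constructed.

```python
import re
from collections import Counter

# Common Log Format: client, identity, user, timestamp, request, status, bytes.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                 r'(?P<status>\d{3}) (?P<bytes>\d+)')

def make_line(ip, path, status, size, i):
    """Build one constructed CLF-style access log line (not real traffic)."""
    return (f'{ip} - - [01/Mar/2024:10:{i // 60:02d}:{i % 60:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} {size}')

# Constructed sample: one client hammering join.php with mostly failing requests,
# a normal visitor, and one oversized response from an export endpoint.
ACCESS_LOG = [make_line("203.0.113.50", "/join.php", 500 if i % 7 else 200, 512, i) for i in range(500)]
ACCESS_LOG += [make_line("198.51.100.3", "/join.php", 200, 512, i) for i in range(2)]
ACCESS_LOG += [make_line("198.51.100.3", "/index.html", 200, 2048, i) for i in range(15)]
ACCESS_LOG += [make_line("198.51.100.3", "/export.php", 200, 52_000_000, 30)]

# Constructed baseline per path: (normal requests per client, typical response bytes).
BASELINE = {"/join.php": (3, 512), "/index.html": (20, 2048), "/export.php": (1, 4096)}
DEFAULT = (1, 4096)  # assumed for paths with no baseline entry

def find_request_anomalies(lines, baseline, factor=10):
    """Flag (ip, path, count, errors) where one client exceeds the path's normal
    request count by `factor`, and any response larger than `factor` times normal."""
    counts, errors, oversized = Counter(), Counter(), []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        key = (m["ip"], m["path"])
        counts[key] += 1
        if m["status"][0] in "45":          # repeated 4xx/5xx hints at probing permutations
            errors[key] += 1
        if int(m["bytes"]) > factor * baseline.get(m["path"], DEFAULT)[1]:
            oversized.append((m["ip"], m["path"], int(m["bytes"])))
    bursts = [(ip, path, n, errors[(ip, path)]) for (ip, path), n in counts.items()
              if n > factor * baseline.get(path, DEFAULT)[0]]
    return {"bursts": sorted(bursts), "oversized_responses": oversized}
```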

7. Suspicious configuration changes

Changes to the configuration of files, servers, and devices that you did not make or authorize could give an attacker a second backdoor into the network. Such changes could also introduce vulnerabilities for malware to exploit.

8. Indicators of DDoS attacks (Distributed Denial of Service)

  • These attacks happen when a malicious actor tries to shut down a service by flooding it with traffic and requests from a network of controlled machines, called a botnet.
  • DDoS attacks are frequently used as smokescreens to camouflage other, more harmful attacks.
  • Signs of DDoS: slow network performance, unavailability of websites, firewall failover, and back-end systems working at maximum capacity for unknown reasons.
  • Ashley Stephenson, CEO at Corero Network Security, says:

“In addition to overloading mainstream services, it is not unusual for DDoS attacks to overwhelm security reporting systems, such as IPS/IDS or SIEM solutions. This presents new opportunities for cybercriminals to plant malware or steal sensitive data. As a result, any DDoS attack should also be reviewed for related data breach activity.”

Distributed Denial of Service attacks could also be an indicator of compromise

Conclusion

After an attack, IoCs can be used to establish what went wrong so that your business can avoid future exploits of the same vulnerability. It is important to monitor the network to detect an attack, but for investigations, logs and audit trails are just as important. The more rigorous the logs and audit trails an organization keeps, the more effective its investigation during incident response! To prevent attacks and protect your business, make sure you watch for the red flags described above in time!

Traffic leaving the network is an indicator that IT teams use to identify potential issues. If outbound traffic patterns are unusual, the IT team can keep a close eye on them to check whether something is amiss. Because this traffic originates from within the network, it is often the easiest to monitor, and if action is taken right away, it can be used to stop many kinds of threats.

Privileged user accounts typically have access to special or particularly sensitive areas of the network or applications. Therefore, if anomalies are spotted, they can help IT teams identify an attack early in the process, potentially before it has done significant damage. Anomalies can include a user trying to escalate privileges of a particular account or use the account to access others with more privileges.

If there are login attempts from countries with which your organization does not typically do business, this can be a sign of a potential security compromise. It can be evidence of a hacker in another country trying to get inside the system.

When a legitimate user tries to log in, they are typically successful within a few tries. Therefore, if an existing user tries to log in many times, this may indicate an attempt to penetrate the system by a bad actor. Also, if there are failed logins with user accounts that do not exist, this can indicate someone is testing out user accounts to see if one of them will provide them with illicit access.

When an attacker tries to exfiltrate your data, their efforts may result in a swell in read volume. This can occur as the attacker gathers your information in an attempt to extract it.

If the typical Hypertext Markup Language (HTML) response size is relatively small, but you notice a far larger response size, it may indicate that data has been exfiltrated. The mass of data results in a larger HTML response size as the data is transmitted to the attacker.

Hackers often try again and again to request files they are trying to steal. If the same file is being requested many times, this may indicate a hacker is testing out several different ways of requesting the files, hoping to find one that works.

Attackers may exploit obscure ports as they execute an attack. Applications use ports to exchange data with a network. If an unusual port is being used, this can indicate an attacker attempting to penetrate the network through the application or to affect the application itself.

Malware often includes code that makes changes to your registry or system files. If there are suspicious changes, that may be an IoC. Establishing a baseline can make it easier to spot changes made by attackers.
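The baseline approach in practice: a minimal file-integrity check that records a SHA-256 digest per file and later reports what was modified, added or removed. This is an added example, not code from the original article; the `demo()` scenario (an sshd_config edit, a new cron entry, a deleted file) is constructed inside a temporary directory, and the file names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_baselines(old, new):
    """Compare two baselines and report modified, added and removed files."""
    return {
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }

def demo():
    """Constructed scenario: baseline a config directory, then simulate unauthorized edits."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "cron.d").mkdir()
        (root / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")
        baseline = build_baseline(root)
        # Simulated changes: a weakened setting, a new scheduled job, a deleted job.
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "cron.d" / "update").write_text("*/5 * * * * root /opt/unknown/agent\n")
        (root / "cron.d" / "backup").unlink()
        return diff_baselines(baseline, build_baseline(root))
```

The baseline itself must be stored somewhere the attacker cannot rewrite (off-host or read-only), or the comparison proves nothing.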

Hackers often use command-and-control (C&C) servers to compromise a network with malware. The C&C server sends commands to steal data, interrupt web services, or infect the system with malware. If there are anomalous Domain Name System (DNS) requests, particularly those that come from a certain host, this can be an IoC.

Also, the geolocation of the requests can help IT teams sniff out potential issues, especially if the DNS request is coming from a country where legitimate users typically do not hail from.