previous arrow
next arrow
Slider

What Is an Indicator of Compromise (IOC), and How Can It Help You in Cybersecurity?

 Published: October 29, 2022  Created: October 29, 2022

By James MacMullen

An indicator of compromise (IOC) refers to something left by a cyberattacker on your system. Whether this was intentional or a mistake might not be clear initially. A cyberattacker might leave an indicator of compromise directly through system activity or indirectly through system modification.

Cyberattackers often take months to implement, escalate, and position their attacks correctly. In turn, this gives your cybersecurity teams more than enough time to find and stop a potential attack. An indicator of compromise can help you determine if an attack is happening. It can also give you the necessary breadcrumbs to help you determine what the attacker is after in the first place.

In this article, you’ll learn what an indicator of compromise is in more detail. I’ll also provide several examples where using one might prove beneficial for your cybersecurity practices.

Let’s begin with a definition!

What Is an Indicator of Compromise?

An indicator of compromise refers to the disturbed ground and artifacts left by a cyberattacker during and after an attack. This can include anything from altered or deleted files to logged events. Information security (InfoSec) professionals and admins can use these artifacts to detect future intrusions. Further, they can use them to determine the reason for the attack.

In addition, an indicator of compromise can help you understand malware or attack techniques. It can also help in patch creation and remediation strategy formation.

Now that you know what an indicator of compromise is, it’s time to look at some examples! These examples can give you an idea of what to look out for during and after a cyberattack.

14 Ways an IOC Can Help You Refine Your Cybersecurity Practices

Below are 14 common examples where using an indicator of compromise will prove useful. Remember that any change to your system can be useful to you as an indicator of compromise. To this end, the list below isn’t exhaustive, so use your discretion and judgment when necessary.

1. Suspicious Privileged User Activity

Most cyberattacks need some form of privilege escalation to initiate a cyberattack. In essence, you should look out for any suspicious privileged activity. You can do this by checking your server, administrative, platform, and database logs. If anything looks suspicious, raise an alert as soon as possible.

2. Errors during Login Activities

ybercriminals sometimes use brute-force attacks to pass the hash by using dictionary attacks. Businesses often safeguard against these attacks by using timeouts to stop users from entering credentials for a few seconds. Another way you can defend against these attacks is by allowing the user a few guesses before a reset.

That said, you should search all logs for login mismatches or errors in the passwords entered. For instance, many error messages might include ones for special characters not used in your password system. Dictionaries not optimized for a specific system may add a Greek character, for instance. Most error messages will flag this. For large logs, you can filter by error type and use the “Ctrl-F” search function to speed up the search process. 

3. DNS Requests

Domain Name System (DNS) converts human-readable names to or from the IP address that your network and the internet use. As an indicator of compromise, you can check your DNS logs for foreign DNS or IP addresses outside of operational normality.

4. Unhuman Web Traffic

This indicator of compromise involves using common sense to assess if your network traffic makes sense. You can use your logs or proprietary software to help you with that. In short, ask yourself why an administrator is logging in to your system at three in the morning, for instance. Remember that cyberattackers often need administrative privileges to run the majority of attacks.

5. Unusual Outbound Network Traffic

Cyberattackers use attacks to extract information from a network, such as business intellectual property. To this end, you should monitor how much data is often outbound. Then, you shoulduse this as a benchmark when assessing anonymous outbound activity. An intrusion detection system (IDS) and/or intrusion prevention system (IPS) hosted around your network can help you create a baseline.

6. Strange Geographical Locations

You can use geofencing or geotagging as an indicator of compromise. Here, you’ll see if connections are coming from locations your business has dealings with. If you notice any suspicious locations popping up, it might be a cyberattacker trying to access your network. Most router or cybersecurity solutions can create alerts and push notifications based on the connection’s location. In turn, these can let you know if an attack is in progress.

7. Increased Database Read Volume

Almost every platform we use requires a database to store information for queries. Some cybercriminals might want to go directly after sensitive data in your database. Others might want access to the rest of your system by fuzzing the database through an external interface

For instance, an attack could start with attackers adding random code into a website’s search box to see what it returns. Once an attacker receives enough backend functions, they can access your database for administrator privileges. In turn, this allows them to access the rest of the platform. A database monitoring tool can notify you of any fuzzing attacks taking place.

Another solution is to use timeouts on database commits to slow down attackers. Slowing the commits used in a querying process can make it almost impossible for cybercriminals to map the database and access your system. Because of this, consider using long and complex database passwords and usernames for your database user. You only need to enter these credentials when adding platforms or upgrading, but it can help reduce brute-force attacks for database credentials. Never use default or generic database credentials. Similarly, never assume that they’re not publicly accessible.

8. Unusual HTML Response Sizes

For web-based platforms, the response size is a metric that helps developers assess a website’s performance. Moreover, you can use this metric as an indicator of compromise to determine if someone added code to your platform. In short, this added code could equate to someone trying to steal your credentials or doing something nefarious. 

Therefore, it’s useful to create a tree diagram of your web application and define what each page size is. You can do this by using a browser’s development tools or assessing the file size for each page on the server. You can check the file sizes periodically and put this information in a periodic report for your system. Often, in the case of reports, it’s handy to have the previous report sizes specified for the reader and yourself.

9. Mobile Device Profiles Changes

Businesses often set up mobile devices specific to their security policies. Any changes in mobile device profiles could indicate a compromise. However, they can also indicate a platform update that propagates developer changes, which could override your initial selection. Therefore, always treat profile changes with suspicion. You can verify what caused the changes by looking at the update logs.

10. Signs of DDoS Activity

You should find it relatively easy to spot Distributed Denial-of-Service (DDoS) activity. Essentially, attackers use bots located on different machines previously compromised in a DDoS attack. Your platforms will suddenly stop working due to a surge of queries needing processing. 

To help prevent these attacks, you should overprovision resources across your system. Administrators often do this by providing 500% more capacity than needed. That said, this is a speculative rule of thumb. To elaborate, you can add more or less depending on what you decide is suitable. Lastly, remember that this doesn’t stop a DDoS attack entirely. It’s simply a way to provide more resources than the attack can handle.

11. Incorrectly Placed Data Bundles

Your system works to a logical rationale. Thus, finding data in the wrong location is an indicator of compromise. This could be the result of a cyberattacker modifying your system, or the data was simply added by the attacker. One solution is to scan files and compare them against a controlled environment if you’re unsure. Additionally, remember to check if your certificates are correct and up-to-date.

12. Suspicious Port-Application Traffic

Some attacks work by changing the port used to communicate with various systems. This often happens to bypass “hardening” countermeasures. A cyberattacker can also use this to bypass areas that administrators didn’t appropriately harden. One common mistake administrators make is adding traffic rules to an intended connection route but forgetting the FTP port. As a result, bad actors can easily bypass security measures. You tend to also see this with HTTP and HTTPS connection routes.

13. Registry or System File Changes

The registry is your roadmap to resources, so any could be indicative of an attack taking place. Cyberattackers might add files to your registry without you knowing. This indicator of compromise should motivate you to monitor your registry closely. Various third-party utilities can also help you check code copies of your registry or security software solution.

14. Abrupt Patching

Patches fix exploits, yet some attacks install malware using the same process. Cybercriminals often use an injection attack to implement their malware. In short, they add the malware to your machine’s RAM, and the patch then runs off the flash memory. 

This means the attacker will never need to ask permission to save the malware to a hard drive location. Additionally, flash memory is a random jumble of data at any point in time, making it impossible for security software to scan for malware. In essence, a patching attack can happen in any of your current sessions. If you suspect something is wrong and your computer starts patching without your consent, switch your machine off. In turn, the attacker will have to reinject the malicious payload.

Those are 14 examples of how using an indicator of compromise can be beneficial in stopping or hindering cyberattackers. Let’s recap.

Final Thoughts

To conclude, cyberattackers are sneaky individuals that seek to harm you by stealing your valuable data. They can sometimes be sloppy and leave behind an indicator that can expose them. Using an indicator of compromise is one solution to avoiding future attacks. You can use them to determine the attacker’s objective and attack mechanism.

The above list is simply a taste of what you can expect in the wild. In short, most attacks require escalated privileges of some sort. To this end, consider saving this article as a reference for future use.


https://techgenix.com/indicator-of-compromise-ioc/


No Thoughts on What Is an Indicator of Compromise (IOC), and How Can It Help You in Cybersecurity?

Leave A Comment