What are Indicators of Compromise? | Digital Guardian
文章推薦指數: 80 %
Indicators of compromise act as breadcrumbs that lead infosec and IT pros to detect malicious activity early in the attack sequence. These ... WhatareIndicatorsofCompromise?|DigitalGuardian IsYourTeamPreparedtoRespondtoanAttackataMoment’sNotice?DownloadtheIncidentResponder'sFieldGuidenowYou’llLearn:HowtobuildandsupportyourincidentresponseteamHowtocreateanddeployanincidentclassificationframeworkThemostcommonmistakesandhowtoavoidthemGETTHEEBOOKDATAINSIDERDigitalGuardian'sBlogPopularTopics:DataProtectionSecurityNewsThreatResearchIndustryInsightsSearchtheSite DataProtection101WhatareIndicatorsofCompromise?byNateLordonTuesdayDecember1,2020ContactUsFreeDemoChat LearnaboutindicatorsofcompromiseandtheirroleindetectionandresponseinDataProtection101,ourseriesonthefundamentalsofinformationsecurity.ADefinitionofIndicatorsofCompromiseIndicatorsofcompromise(IOCs)are“piecesofforensicdata,suchasdatafoundinsystemlogentriesorfiles,thatidentifypotentiallymaliciousactivityonasystemornetwork.”IndicatorsofcompromiseaidinformationsecurityandITprofessionalsindetectingdatabreaches,malwareinfections,orotherthreatactivity.Bymonitoringforindicatorsofcompromise,organizationscandetectattacksandactquicklytopreventbreachesfromoccurringorlimitdamagesbystoppingattacksinearlierstages.IndicatorsofcompromiseactasbreadcrumbsthatleadinfosecandITprostodetectmaliciousactivityearlyintheattacksequence.Theseunusualactivitiesaretheredflagsthatindicateapotentialorin-progressattackthatcouldleadtoadatabreachorsystemscompromise.But,IOCsarenotalwayseasytodetect;theycanbeassimpleasmetadataelementsorincrediblycomplexmaliciouscodeandcontentsamples.AnalystsoftenidentifyvariousIOCstolookforcorrelationandpiecethemtogethertoanalyzeapotentialthreatorincident.IndicatorsofCompromisevs.IndicatorsofAttackIndicatorsofattackaresimilartoIOCs,butratherthanfocusingonforensicanalysisofacompromisethathasalreadytakenplace,indicatorsofattackfocusonidentifyingattackeractivitywhileanattackisinprocess.Indicatorsofcompromisehelpanswerthequestion“Whathappened?”whileindicatorsofattackcanhelpanswerquestionslike“Whatishappeningandwhy?”AproactiveapproachtodetectionusesbothIOAsandIOCstodiscoversecurityincidentsorthreatsinasclosetorealtimeaspossible.ExamplesofIndicatorsofCompromiseThereareseveralindicatorsofcompromisethatorganizationsshouldmonitor.InanarticleforDarkReading,ErickaChickowskihighlights15keyindicatorsofcompromise:UnusualOutboundNetworkTrafficAnomaliesinPrivilegedUserAccountActivityGeographicalIrregularitiesLog-InRedFlagsIncreasesinDatabaseReadVolumeHTMLResponseSizesLargeNumbersofRequestsfortheSameFileMismatchedPort-ApplicationTrafficSuspiciousRegistryorSystemFileChangesUnusualDNSRequestsUnexpectedPatchingofSystemsMobileDeviceProfileChangesBundlesofDataintheWrongPlaceWebTrafficwithUnhumanBehaviorSignsofDDoSActivityGoDeeperAnalytics&ReportingCloudREADMOREUsingIndicatorsofCompromisetoImproveDetectionandResponseMonitoringforindicatorsofcompromiseenablesorganizationstobetterdetectandrespondtosecuritycompromises.CollectingandcorrelatingIOCsinrealtimemeansthatorganizationscanmorequicklyidentifysecurityincidentsthatmayhavegoneundetectedbyothertoolsandprovidesthenecessaryresourcestoperformforensicanalysisofincidents.IfsecurityteamsdiscoverrecurrenceorpatternsofspecificIOCstheycanupdatetheirsecuritytoolsandpoliciestoprotectagainstfutureattacksaswell.Thereisapushfororganizationstoreporttheseanalysesresultsinaconsistent,well-structuredmannertohelpcompaniesandITprofessionalsautomatetheprocessesusedindetecting,preventing,andreportingsecurityincidents.SomeintheindustryarguethatdocumentingIOCsandthreatshelpsorganizationsandindividualsshareinformationamongtheITcommunityaswellasimproveincidentresponseandcomputerforensics.TheOpenIOCframeworkisonewaytoconsistentlydescribetheresultsofmalwareanalysis.OthergroupssuchasSTIXandTAXIIaremakingeffortstostandardizeIOCdocumentationandreporting.Indicatorsofcompromiseareanimportantcomponentinthebattleagainstmalwareandcyberattacks.Whiletheyarereactiveinnature,organizationsthatmonitorforIOCsdiligentlyandkeepupwiththelatestIOCdiscoveriesandreportingcanimprovedetectionratesandresponsetimessignificantly.Tags:DataProtection101RecommendedResourcesBrowseResourcesanalystreportsBloor:TheImportanceofaDataProtectionPlatformforGDPRComplianceGettheReportwhitepaperThe2022DefinitiveGuidetoDataClassificationDownloadNowanalystreportsIDCReport:APracticalGuidetoGDPRGettheReportRelatedBlogPostsWhatistheNISDirective?Definition,Requirements,Penalties,BestPracticesforCompliance,andMoreNateLordWhatistheNISTCybersecurityFramework?ChrisBrookWhatisEndpointDetectionandResponse?ADefinitionofEndpointDetection&ResponseNateLordWhatisSECCybersecurity?ChrisBrook
延伸文章資訊
- 1What are Indicators of Compromise? | Digital Guardian
Indicators of compromise act as breadcrumbs that lead infosec and IT pros to detect malicious act...
- 2What are Indicators of Compromise (IOCs)? - UpGuard
- 3Indicators of Attack Vs. Indicators of Compromise - CrowdStrike
An IOC is often described in the forensics world as evidence on a computer that indicates that th...
- 4Indicators of Compromise (IOCs) - Fortinet
- 5Indicator of compromise - Wikipedia
Indicator of compromise (IoC) in computer forensics is an artifact observed on a network or in an...