What Are Indicators of Compromise (IoC) | Proofpoint US
文章推薦指數: 80 %
During a cybersecurity incident, indicators of compromise (IoC) are clues and evidence of a data breach. These digital breadcrumbs can reveal not just that an ... Skiptomaincontent Glossary WhatareIndicatorsofCompromise? WhatareIndicatorsofCompromise? RealDefenseforRealBusinessesWebinar IndicatorsofCompromise(IoC)Definition Duringacybersecurityincident,indicatorsofcompromise(IoC)arecluesandevidenceofadatabreach.Thesedigitalbreadcrumbscanrevealnotjustthatanattackhasoccurred,butoften,whattoolswereusedintheattackandwho’sbehindthem. IoCscanalsobeusedtodeterminetheextenttowhichacompromiseaffectedanorganizationortogatherlessonslearnedtohelpsecuretheenvironmentfromfutureattacks.Indicatorsaretypicallycollectedfromsoftware,includingantimalwareandantivirussystems,butotherartificialIoCcybersecuritytoolscanbeusedtoaggregateandorganizeindicatorsduringincidentresponse. HowdoIndicatorsofCompromiseWork? Asmuchasmalwareauthorstrytocreatesoftwarethatalwaysavoidsdetection,everyapplicationleavesevidenceofitsexistenceonthenetwork.Thesecluescanbeusedtodeterminewhetherthenetworkisunderattackoradatabreachhasoccurred.Forensicinvestigatorsusethesecluestoaggregateevidenceafteracybersecurityincidenttopreparecountermeasuresandpursuecriminalchargesagainstanattacker.IoCsalsorevealwhatdatawasstolenandtheseverityofthecybersecurityincident. Thinkofindicatorsofcompromiseasthebreadcrumbsleftbyanattackerafteracybersecurityincident.Anti-malwareapplicationscouldpartiallystoptheincident,butindicatorsofcompromisedeterminethedataandfilesthatwereaccessibletoanattacker.Theyarecrucialinfindingvulnerabilitiesandexploitsusedbyattackerstostealdatabecausetheyoffertheorganizationinformationonthewaystobetterprotectthenetworkinthefuture. IndicatorsofCompromiseVs.IndicatorsofAttack WhatisanIoCcomparedtoanIoA?Cybersecurityincidentshaveseveralphases.Butintermsofinvestigations,therearetwomainconcerns—istheattackongoing,orhastheissuebeencontained?Investigatorsusetheindicatorsofcompromiseleftbyanattackertoanswerbothquestions. IoCsecurityusedduringincidentresponseisusedtodeterminetheextentofanattackanddatabreached.Indicatorsofattack(IoA)areusedtodeterminewhetheranattackisongoingandmustbecontainedbeforeitcancausemoredamage. BothIoCcybertoolsandIoAtoolsworkwithevidenceandmetadatathatgiveinvestigatorscluesintothestateofanattack.Indicatorsofcompromiseareusedafteranattackwascontained,whentheorganizationneedstoknowwhere,what,andhow.Indicatorsofattackfocusonacurrentattackthatmaybeactiveandmustbecontained. Forextremelystealthymalware,acompromisecouldlastformonthsbeforeadministratorsareawareofit.IoAswillhelpdeterminewhethersuspicionsareaccurateorafalsepositive. ExamplesandTypesofIndicatorsofCompromise LargenetworkscouldhavethousandsofIoCs.Forthisreason,mostevidenceisaggregatedandloadedintoIoCsecurityeventandeventmanagement(SIEM)systemstohelpforensicinvestigatorsorganizedata.Evidencecancomefromnumerouslocations,buthereareafewdiscoveryitemsthatcanbeusedasIoC: Unusualoutboundtraffic:Attackerswillusemalwaretocollectandsenddatatoanattacker-controlledserver.Outboundtrafficduringoff-peakhoursortrafficcommunicatingwithasuspiciousIPcouldindicateanIoCsecuritythreat. High-privilegeuseractivityirregularitiesonsensitivedata:Compromiseduseraccountsareusedtoaccesssensitivedata.Ahigh-privilegeduseraccountisnecessaryforanattackertoaccessdatathatisotherwiselockeddownfromstandarduseraccountswithbasicpermissions.Ahigh-privilegeuseraccountaccessingsensitivedataduringoff-peakhoursoronfilesrarelyaccessedcouldindicatecredentialswerephishedorstolen. Activityfromstrangegeographicregions:Mostorganizationshavetrafficthatcomesfromatargetedarea.State-sponsoredattacksandthosethatcomefromcountriesoutsideoftheorganization’stargetedgeographicareageneratetrafficindicatorsfromoutsideofnormalregions. Highauthenticationfailures:Inaccounttakeovers,attackersuseautomationtoauthenticateusingphishedcredentials.Ahighrateofauthenticationattemptscouldindicatethatanattackerhasstolencredentialsandisattemptingtofindanaccountthatgivesaccesstothenetwork. Increaseindatabasereads:Whetherit’sSQLinjectionoraccesstothedatabasedirectlyusinganadministratoraccount,adumpofdatafromdatabasetablescouldindicatethatanattackerhasstolendata. Excessiverequestsonimportantfiles:Withoutahigh-privilegedaccount,anattackerisforcedtoexploredifferentexploitsandfindtherightvulnerabilitytogainaccesstofiles.NumerousaccessattemptsfromthesameIPorgeographicregionshouldbereviewed. Suspiciousconfigurationchanges:Changingconfigurationsonfiles,servers,anddevicescouldgiveanattackerasecondbackdoortothenetwork.Changescouldalsoaddvulnerabilitiesformalwaretoexploit. Floodedtraffictoaspecificsiteorlocation:Acompromiseondevicescouldturnthemintoabotnet.Anattackersendsasignaltothecompromiseddevicetofloodtrafficataspecifictarget.HightrafficactivityfrommultipledevicestoaspecificIPcouldmeaninternaldevicesarepartofadistributeddenial-of-service(DDoS). Anindicationofcompromisecouldbeidentifiedasoneorseveraloftheseindicators.Aforensicinvestigator’sjobistogothroughallIoCevidencetodeterminewhatvulnerabilitywasexploited. UsingIoCSecurityDetectiontoImproveResponse Afteranincident,IoCcybersecuritymeasurescanbeusedtoestablishwhatwentwrongsothattheorganizationcanavoidanyfutureexploitsfromthesamevulnerability. Insomecases,organizationsfailtoproperlylogandmonitortherightresources.Thatoversightleavesthemopentoanattackerwhocanthenavoiddetectionafteraninvestigation.It’simportantfirsttoapplymonitoringonthenetworktodetectanattack,butforinvestigations,logsandaudittrailsarejustasimportant. IoCdatapointscanbecollectedinrealtimetoreduceresponsetimeduringaninvestigation.SIEMsareusedtoseparatenoisefromvaluableevidenceneededtoidentifyanattackanditsexploitvectors.Documentingcurrentincidentresponseprocedurescanalsoreducethetimeittakesforaninvestigation.Theseproceduresshouldbereviewedafteracompromisetoimproveonthem. Duringincidentresponse,the“lessonslearned”phaseisthelaststep.IoCsarebeusefulduringthisphasetoidentifywhatcybersecuritydefenseswereincorrectlyconfiguredorinsufficienttostopanattacker.Themorethoroughlogsandaudittrailsorganizationhave,themoreeffectivetheirinvestigationduringincidentresponse. BusinessEmailCompromiseandEmailAccountCompromiseProtection Learnhowtoprotectyourcompanyagainstbusinessemailcompromise(BEC)usingProofpoint'sBusinessEmailCompromiseProtection–learnwhatitisandhowitworks. ReadMore WhatisEmailAccountCompromise(EAC)? You’veprobablyheardofthetermBusinessEmailCompromise(BEC)before.ButmaybenotthetermEmailAccountCompromise(EAC),whichisaclosecousinofBEC. ReadMore FiveStepstoCombatBusinessEmailCompromise Asfraudstersbecomemoresophisticated,we’reseeingmoreBECvariantssuchasgiftcardscams,payrolldiversionandsupplierinvoicingfraud. ReadMore PreviousGlossary NextGlossary
延伸文章資訊
- 1Indicators of Compromise (IOCs) - Fortinet
- 2Indicators of Compromise (IOC) Security - CrowdStrike
An Indicator of Compromise (IOC) is a piece of digital forensics that suggests that an endpoint o...
- 3Indicators of compromise - Definition - Trend Micro
Indicators of compromise (IOCs) serve as forensic evidence of potential intrusions on a host syst...
- 4What are Indicators of Compromise (IOCs)? - UpGuard
- 5What are Indicators of Compromise? | Digital Guardian
Indicators of compromise act as breadcrumbs that lead infosec and IT pros to detect malicious act...
