What Are Indicators of Compromise (IoC) | Proofpoint US
文章推薦指數: 80 %
During a cybersecurity incident, indicators of compromise (IoC) are clues and evidence of a data breach. These digital breadcrumbs can reveal not just that an ... Skiptomaincontent Glossary WhatareIndicatorsofCompromise? WhatareIndicatorsofCompromise? RealDefenseforRealBusinessesWebinar IndicatorsofCompromise(IoC)Definition Duringacybersecurityincident,indicatorsofcompromise(IoC)arecluesandevidenceofadatabreach.Thesedigitalbreadcrumbscanrevealnotjustthatanattackhasoccurred,butoften,whattoolswereusedintheattackandwho’sbehindthem. IoCscanalsobeusedtodeterminetheextenttowhichacompromiseaffectedanorganizationortogatherlessonslearnedtohelpsecuretheenvironmentfromfutureattacks.Indicatorsaretypicallycollectedfromsoftware,includingantimalwareandantivirussystems,butotherartificialIoCcybersecuritytoolscanbeusedtoaggregateandorganizeindicatorsduringincidentresponse. HowdoIndicatorsofCompromiseWork? Asmuchasmalwareauthorstrytocreatesoftwarethatalwaysavoidsdetection,everyapplicationleavesevidenceofitsexistenceonthenetwork.Thesecluescanbeusedtodeterminewhetherthenetworkisunderattackoradatabreachhasoccurred.Forensicinvestigatorsusethesecluestoaggregateevidenceafteracybersecurityincidenttopreparecountermeasuresandpursuecriminalchargesagainstanattacker.IoCsalsorevealwhatdatawasstolenandtheseverityofthecybersecurityincident. Thinkofindicatorsofcompromiseasthebreadcrumbsleftbyanattackerafteracybersecurityincident.Anti-malwareapplicationscouldpartiallystoptheincident,butindicatorsofcompromisedeterminethedataandfilesthatwereaccessibletoanattacker.Theyarecrucialinfindingvulnerabilitiesandexploitsusedbyattackerstostealdatabecausetheyoffertheorganizationinformationonthewaystobetterprotectthenetworkinthefuture. IndicatorsofCompromiseVs.IndicatorsofAttack WhatisanIoCcomparedtoanIoA?Cybersecurityincidentshaveseveralphases.Butintermsofinvestigations,therearetwomainconcerns—istheattackongoing,orhastheissuebeencontained?Investigatorsusetheindicatorsofcompromiseleftbyanattackertoanswerbothquestions. IoCsecurityusedduringincidentresponseisusedtodeterminetheextentofanattackanddatabreached.Indicatorsofattack(IoA)areusedtodeterminewhetheranattackisongoingandmustbecontainedbeforeitcancausemoredamage. BothIoCcybertoolsandIoAtoolsworkwithevidenceandmetadatathatgiveinvestigatorscluesintothestateofanattack.Indicatorsofcompromiseareusedafteranattackwascontained,whentheorganizationneedstoknowwhere,what,andhow.Indicatorsofattackfocusonacurrentattackthatmaybeactiveandmustbecontained. Forextremelystealthymalware,acompromisecouldlastformonthsbeforeadministratorsareawareofit.IoAswillhelpdeterminewhethersuspicionsareaccurateorafalsepositive. ExamplesandTypesofIndicatorsofCompromise LargenetworkscouldhavethousandsofIoCs.Forthisreason,mostevidenceisaggregatedandloadedintoIoCsecurityeventandeventmanagement(SIEM)systemstohelpforensicinvestigatorsorganizedata.Evidencecancomefromnumerouslocations,buthereareafewdiscoveryitemsthatcanbeusedasIoC: Unusualoutboundtraffic:Attackerswillusemalwaretocollectandsenddatatoanattacker-controlledserver.Outboundtrafficduringoff-peakhoursortrafficcommunicatingwithasuspiciousIPcouldindicateanIoCsecuritythreat. High-privilegeuseractivityirregularitiesonsensitivedata:Compromiseduseraccountsareusedtoaccesssensitivedata.Ahigh-privilegeduseraccountisnecessaryforanattackertoaccessdatathatisotherwiselockeddownfromstandarduseraccountswithbasicpermissions.Ahigh-privilegeuseraccountaccessingsensitivedataduringoff-peakhoursoronfilesrarelyaccessedcouldindicatecredentialswerephishedorstolen. Activityfromstrangegeographicregions:Mostorganizationshavetrafficthatcomesfromatargetedarea.State-sponsoredattacksandthosethatcomefromcountriesoutsideoftheorganization’stargetedgeographicareageneratetrafficindicatorsfromoutsideofnormalregions. Highauthenticationfailures:Inaccounttakeovers,attackersuseautomationtoauthenticateusingphishedcredentials.Ahighrateofauthenticationattemptscouldindicatethatanattackerhasstolencredentialsandisattemptingtofindanaccountthatgivesaccesstothenetwork. Increaseindatabasereads:Whetherit’sSQLinjectionoraccesstothedatabasedirectlyusinganadministratoraccount,adumpofdatafromdatabasetablescouldindicatethatanattackerhasstolendata. Excessiverequestsonimportantfiles:Withoutahigh-privilegedaccount,anattackerisforcedtoexploredifferentexploitsandfindtherightvulnerabilitytogainaccesstofiles.NumerousaccessattemptsfromthesameIPorgeographicregionshouldbereviewed. Suspiciousconfigurationchanges:Changingconfigurationsonfiles,servers,anddevicescouldgiveanattackerasecondbackdoortothenetwork.Changescouldalsoaddvulnerabilitiesformalwaretoexploit. Floodedtraffictoaspecificsiteorlocation:Acompromiseondevicescouldturnthemintoabotnet.Anattackersendsasignaltothecompromiseddevicetofloodtrafficataspecifictarget.HightrafficactivityfrommultipledevicestoaspecificIPcouldmeaninternaldevicesarepartofadistributeddenial-of-service(DDoS). Anindicationofcompromisecouldbeidentifiedasoneorseveraloftheseindicators.Aforensicinvestigator’sjobistogothroughallIoCevidencetodeterminewhatvulnerabilitywasexploited. UsingIoCSecurityDetectiontoImproveResponse Afteranincident,IoCcybersecuritymeasurescanbeusedtoestablishwhatwentwrongsothattheorganizationcanavoidanyfutureexploitsfromthesamevulnerability. Insomecases,organizationsfailtoproperlylogandmonitortherightresources.Thatoversightleavesthemopentoanattackerwhocanthenavoiddetectionafteraninvestigation.It’simportantfirsttoapplymonitoringonthenetworktodetectanattack,butforinvestigations,logsandaudittrailsarejustasimportant. IoCdatapointscanbecollectedinrealtimetoreduceresponsetimeduringaninvestigation.SIEMsareusedtoseparatenoisefromvaluableevidenceneededtoidentifyanattackanditsexploitvectors.Documentingcurrentincidentresponseprocedurescanalsoreducethetimeittakesforaninvestigation.Theseproceduresshouldbereviewedafteracompromisetoimproveonthem. Duringincidentresponse,the“lessonslearned”phaseisthelaststep.IoCsarebeusefulduringthisphasetoidentifywhatcybersecuritydefenseswereincorrectlyconfiguredorinsufficienttostopanattacker.Themorethoroughlogsandaudittrailsorganizationhave,themoreeffectivetheirinvestigationduringincidentresponse. BusinessEmailCompromiseandEmailAccountCompromiseProtection Learnhowtoprotectyourcompanyagainstbusinessemailcompromise(BEC)usingProofpoint'sBusinessEmailCompromiseProtection–learnwhatitisandhowitworks. ReadMore WhatisEmailAccountCompromise(EAC)? You’veprobablyheardofthetermBusinessEmailCompromise(BEC)before.ButmaybenotthetermEmailAccountCompromise(EAC),whichisaclosecousinofBEC. ReadMore FiveStepstoCombatBusinessEmailCompromise Asfraudstersbecomemoresophisticated,we’reseeingmoreBECvariantssuchasgiftcardscams,payrolldiversionandsupplierinvoicingfraud. ReadMore PreviousGlossary NextGlossary
延伸文章資訊
- 1What Are Indicators of Compromise (IoC) | Proofpoint US
During a cybersecurity incident, indicators of compromise (IoC) are clues and evidence of a data ...
- 2What is an indicator of compromise (IoC)?
In the field of computer security, an Indicator of compromise (IoC) is an object or activity that...
- 3What are Indicators of Compromise? | Digital Guardian
Indicators of compromise act as breadcrumbs that lead infosec and IT pros to detect malicious act...
- 4Indicators of Attack Vs. Indicators of Compromise - CrowdStrike
An IOC is often described in the forensics world as evidence on a computer that indicates that th...
- 5Indicators of Compromise (IOCs) - Fortinet
