Indicators of Compromise (IOC) Security - CrowdStrike

An Indicator of Compromise (IOC) is a piece of digital forensics that suggests that an endpoint or network may have been breached. Cybersecurity101› IndicatorsofCompromise(IOC) IndicatorsofCompromise(IOC)Security May13,2021 IndicatorsofCompromiseExplained AnIndicatorofCompromise(IOC)isapieceofdigitalforensicsthatsuggeststhatanendpointornetworkmayhavebeenbreached.Justaswithphysicalevidence,thesedigitalclueshelpinformationsecurityprofessionalsidentifymaliciousactivityorsecuritythreats,suchasdatabreaches,insiderthreatsormalwareattacks. Investigatorscangatherindicatorsofcompromisemanuallyafternoticingsuspiciousactivityorautomaticallyaspartoftheorganization’scybersecuritymonitoringcapabilities.Thisinformationcanbeusedtohelpmitigateanin-progressattackorremediateanexistingsecurityincident,aswellascreate“smarter”toolsthatcandetectandquarantinesuspiciousfilesinthefuture. Unfortunately,IOCmonitoringisreactiveinnature,whichmeansthatifanorganizationfindsanindicator,itisalmostcertainthattheyhavealreadybeencompromised.Thatsaid,iftheeventisin-progress,thequickdetectionofanIOCcouldhelpcontainattacksearlierintheattacklifecycle,thuslimitingtheirimpacttothebusiness. Ascybercriminalsbecomemoresophisticated,indicatorsofcompromisehavebecomemoredifficulttodetect.ThemostcommonIOCs—suchasanmd5hash,C2domainorhardcodedIPaddress,registrykeyandfilename—areconstantlychanging,whichmakesdetectionmoredifficult. HowtoIdentifyIndicatorsofCompromise Whenanorganizationisanattacktargetorvictim,thecybercriminalwillleavetracesoftheiractivityinthesystemandlogfiles.Thethreathuntingteamwillgatherthisdigitalforensicdatafromthesefilesandsystemstodetermineifasecuritythreatordatabreachhasoccurredorisin-process. IdentifyingIOCsisajobhandledalmostexclusivelybytrainedinfosecprofessionals.Oftentheseindividualsleverageadvancedtechnologytoscanandanalyzetremendousamountsofnetworktraffic,aswellasisolatesuspiciousactivity. Themosteffectivecybersecuritystrategiesblendhumanresourceswithadvancedtechnologicalsolutions,suchasAI,MLandotherformsofintelligentautomationtobetterdetectanomalousactivityandincreaseresponseandremediationtime. WhyYourOrganizationShouldMonitorforIndicatorsofCompromise Theabilitytodetectindicatorsofcompromiseisacrucialelementofeverycomprehensivecybersecuritystrategy.IOCscanhelpimprovedetectionaccuracyandspeed,aswellasremediationtimes.Generallyspeaking,theearlieranorganizationcandetectanattack,thelessimpactitwillhaveonthebusinessandtheeasieritwillbetoresolve. IOCs,especiallythosethatarerecurring,providetheorganizationwithawindowintothetechniquesandmethodologiesoftheirattackers.Assuch,organizationscanincorporatetheseinsightsintotheirsecuritytooling,incidentresponsecapabilitiesandcybersecuritypoliciestopreventfutureevents. ExamplesofIndicatorsofCompromise Whatarethewarningsignsthatthesecurityteamislookingforwheninvestigatingcyberthreatsandattacks?Someindicatorsofcompromiseinclude: Unusualinboundandoutboundnetworktraffic Geographicirregularities,suchastrafficfromcountriesorlocationswheretheorganizationdoesnothaveapresence Unknownapplicationswithinthesystem Unusualactivityfromadministratororprivilegedaccounts,includingrequestsforadditionalpermissions Anuptickinincorrectlog-insoraccessrequeststhatmayindicatebruteforceattacks Anomalousactivity,suchasanincreaseindatabasereadvolume Largenumbersofrequestsforthesamefile Suspiciousregistryorsystemfilechanges UnusualDomainNameServers(DNS)requestsandregistryconfigurations Unauthorizedsettingschanges,includingmobiledeviceprofiles Largeamountsofcompressedfilesordatabundlesinincorrectorunexplainedlocations TheDifferenceBetweenIndicatorofCompromises(IoCs)andIndicatorsofAttack(IoAs) AnIndicatorofAttack(IOA)isrelatedtoanIOCinthatitisadigitalartifactthathelpstheinfosecteamevaluateabreachorsecurityevent.However,unlikeIOCs,IOAsareactiveinnatureandfocusonidentifyingacyberattackthatisinprocess.Theyalsoexploretheidentityandmotivationofthethreatactor,whereasanIOConlyhelpstheorganizationunderstandtheeventsthattookplace. FeaturedArticles WhatisaCyberattack IOAvsIOC