Everything you need to know about indicators of compromise including how you can identify them to better protect your business.

Protecting your business against a cyberattack means diligently monitoring for activity that could indicate an attack is in progress or has already occurred. Locating these pieces of forensic data (such as data found in system log entries or files) ultimately helps you identify potentially malicious activity on your system or network.

Should your organization become an attack target or victim of a cyberattack, traces of the cybercriminals’ activity will remain in your system or log files. These breadcrumbs are called indicators of compromise (IOCs) and they’re used by information security and IT professionals to detect data breaches, ransomware attacks, malware infections, and any other cyber threats to your organization.

In this article we’ll explore everything you need to know about indicators of compromise: the benefits and drawbacks of being able to identify compromised systems, some common examples of IOCs, and what sort of anomalies you should look for to identify a compromised system, so you can better protect your business from future attacks.

Pros and Cons of Monitoring for Indicators of Compromise

Monitoring for IOCs means that your threat hunting team is looking for any unusual activity: red flags that could indicate a potential or in-progress attack. This will allow your business to better detect future attacks, act quickly to prevent breaches from occurring, and limit the extent of any damages by stopping advanced cyberattacks at earlier stages.

That said, IOCs are not always easy to detect. An indicator of compromise might be as simple as metadata elements, or it might consist of incredibly complex malicious code and content samples. To combat any discrepancies, analysts will often identify various IOCs and then piece them together to analyze a potential threat or incident.

To a certain extent, IOC monitoring is reactive by nature. If your organization finds an indicator, it’s likely that you’ve already been compromised. (Although if the event is in process, quick detection could help you contain the attack earlier in the attack lifecycle and limit the damage to your business.)

The data used to identify attacker activity while an attack is in process is called an indicator of attack (IOA). While IOCs focus on the forensic analysis of a compromise that has already taken place and ask, “What happened?” IOAs focus on the forensic analysis of a compromise that is taking place and ask, “What is happening, and why?”

An aggressive approach to detection will use both IOAs and IOCs to help discover any security incidents or threats as close to real time as possible. Therefore, the ability to detect both IOAs and IOCs is a crucial component of any comprehensive cybersecurity strategy. The earlier you can detect an attack, the less harm it is likely to have on your business — and the easier it will be to resolve.

There has also been a push to report these analyses in a consistent and well-structured manner, so that companies and IT professionals can create better automation for the processes that are used in detecting, preventing, and reporting security incidents.

Documenting IOCs and threats not only helps organizations and individuals share information among the IT community; it also helps to improve incident response and computer forensics. For instance, the OpenIOC Framework is one such way to describe the results of malware analysis consistently. Similarly, other groups like STIX and TAXII are also making efforts to standardize IOC documentation and reporting.

On the other hand, documenting and publicly reporting IOCs can also be beneficial for cybercriminals conducting reconnaissance. A public IOC database means that anyone can access it, including malicious actors, who will know which IOCs are most vulnerable by omission. Simply put, if an IOC isn’t on the list, that means it will be easier for the attack to go undetected.

Identifying IOCs, and especially recurring IOCs, will provide your organization with insight into the techniques and methodologies of the malicious actors who executed the attack. You should incorporate these insights into your security tooling, incident response capabilities, and cybersecurity policies, with the ultimate goal of preventing future attacks and securing your data.

Next we’ll look at some examples of IOCs, what your business should monitor to identify them, and the best practices for combating them.

Common Examples of Indicators of Compromise

As stated before, IOCs can range widely in type and complexity. This list of the top 15 examples of IOCs should give you an idea of just how much they can vary:

  • Unusual outbound network traffic
  • Anomalies in privileged user account activity
  • Geographical irregularities
  • Log-in red flags
  • Increase in database read volume
  • HTML response times
  • Large numbers of requests for the same file
  • Mismatched port-application traffic
  • Suspicious registry or system file changes
  • Unusual DNS requests
  • Unexpected patching of systems
  • Mobile device profile changes
  • Bundles of data in the wrong place
  • Web traffic with unhuman behavior
  • Signs of DDos activity

We’ve taken some of the most common examples of IOCs, and broken them down with some suggestions about what you can do to prevent future threat activity in these areas.

Unusual Network Behavior

To reach your valuable information assets, attackers will attempt to breach your network by targeting unsecured ports, penetrating network security, or abusing network access. Any traffic from compromised servers will leave distinctly visible patterns that can be analyzed for information or used to mitigate an attack. Identifying this type of traffic early in the attack lifecycle will help you respond before your data is lost or damaged.

Before you start analyzing network traffic data for signs of malicious activity, you should begin by monitoring and classifying usage to distinguish normal patterns from unusual traffic. This will give you a baseline, against which you can compare any unusual network behavior.

Then, you should begin to monitor and track:

  • Mismatched port application traffic. Communications on any non-standard ports could indicate command and control traffic.
  • Outbound connections from internal and DMZ systems. This includes connection count, user, bandwidth, and count of unique destinations.
  • The largest file transfers (inbound and outbound) or the largest sessions by bytes transferred. This could indicate blatant data theft and bandwidth abuse.
  • Internal information assets that trigger alerts from multiple sources.
  • Single sources creating a high volume of requests for a specific file.

When detecting unusual network behavior, keep some best practices in mind. First, always trace connections to your network from the outside to detect intrusions, compromises, malicious software, and even users abusing network access.

You should also log network flow to record all access to and from the internet, even laterally. If a breach does occur, any logs you keep can help you trace it to its origin. This is where Network Behavior Anomaly Detection (NBAD) and Network Behavior Analysis (NBA) can be particularly useful.

Anomalies in User Authentication and Authorization

No matter the industry, authentication is the main barrier that attackers face when attempting to gain access into your network. They will do almost anything to bypass authentication and authorization, including breaking passwords or using tokens and cryptographic measures to gain access to your valuable enterprise information, and escalating privileges of user accounts they’ve successfully hacked.

Here are some things you should look for when monitoring user anomalies:

  • Systems accessed, type and volume of data accessed, and time of the activity.
  • Authentication activity. This includes anomalies in privileged user account activity; login failures and successes by user, system, and unit; and authentication failures by a unique system or unique login attempts per machine.
  • Login irregularities. Such as logins from unusual places, multiple IP addresses in a short period of time, excessive failed logins or attempts, and irregular working hours.

The best practices for user authentication and authorization include having a policy or good tools for monitoring accounts, and classifying typical usage patterns with an effective logging system and a baseline for normal activity.

You should also create profiles based on normal user behavior that record successes as well as failures, so you are better able to contrast irregular actions and detect anomalies. This is where user-behavior analytics (UBA) can be particularly helpful.

Suspicious Registry Changes

If an attacker compromises your system, it’s likely that he will leave behind signs of tampering in the registry — specifically with system files and configurations.

To locate any suspicious registry changes, you should monitor:

  • Specific registry keys and entries. Look for anything unusual or anomalous.
  • Activity on endpoints. In the event of an attack, this will allow you to identify the attack kill chain and root cause, which will help you with response and recovery.

When monitoring for suspicious registry changes, relying on these best practices should help. First, start with a “template of normalcy” and then monitor for any changes that could indicate a registry-based IOC.

You should also remotely scan typical locations for malicious programs and use endpoint detection and response (EDR) tools to help.

DNS Request Anomalies and IP Network Irregularities

Most of the time, malware in your system will communicate with its command and control infrastructure or malicious domains and generate anomalous DNS requests.

Here are some things you should monitor to detect any DNS request anomalies and IP network irregularities:

  • Patterns of DNS requests to external hosts. You should also check this against IP addresses, geoIP and host reputation data.
  • Transient traffic patterns. Patterns for domains being used in attacks are often faster and shorter than the norm to remain under the radar.

The best practices for this type of monitoring include using predictive IP-based threat intelligence and applying algorithms to traffic patterns to hone in on any malicious activity. You should also use DNS services that add protection features such as phishing protection and content filtering. And for detection, you should use filtering solutions that are tied to threat intelligence tools.

ZenGRC Can Help Protect Your Business

For most organizations, identifying IOCs isn’t an easy task. Typically, it’s a job that’s handled almost exclusively by trained infosec professionals. Using advanced technology, they scan and analyze tremendous amounts of network traffic and isolate any suspicious activity. Many organizations, however, simply lack the funding to take on such a task on their own.

That’s where cybersecurity solutions can help. The right governance, risk, and compliance (GRC) software will provide you with greater visibility across your organization to better manage risks and mitigate business exposure.

With ZenGRC from Reciprocity, risk management all but takes care of itself — leaving you to other, more pressing concerns, like boosting your business and your bottom line.

Designed to help businesses stay ahead of ever-evolving security threats, ZenGRC can help you pinpoint risks by probing your systems and finding cybersecurity and compliance gaps. It can also help you prioritize those risks and assign tasks to members of your team, and its user-friendly dashboard lets you see in a glance the status of each risk, and what needs to be done to address it (and in what order).

ZenGRC simplifies cybersecurity risk and compliance with complete views of control environments and easy access to the information necessary for risk evaluation and management, so your organization can meet its cybersecurity requirements across a variety of frameworks.

It also generates an audit trail of your risk management activities, and stores all documentation in a “single source of truth” repository for easy retrieval come audit time. And it allows for unlimited self-audits so you always know where your organization’s risk management and compliance efforts stand. ZenGRC also stays up to date in real time with changing compliance regulations so you don’t have to.

Schedule a free demo today to see how ZenGRC can help your business begin monitoring for IOCS and create a risk management program that’s designed to protect your business.