Malicious actors are sneaky. If their tactics, techniques and procedures (TTPs) were obvious, their attacks wouldn’t be successful. Security teams would detect them before they achieved their objectives, and they wouldn’t be able to hide in systems and networks. However, once security professionals identify an attack type, they provide details that other security teams can use to actively look for these evasive threat actors.
Indicators of Compromise (IoCs) are a critical component of external risk monitoring because they provide information about how threat actors use a company’s digital footprint during an attack.
What is an Indicator of Compromise (IoC)?
Indicators of Compromise (IoCs) are the forensic data, often contained in system logs and timestamps, that security professionals use to investigate whether malicious actors have infiltrated systems or networks. Using the clues, security teams can proactively look for malicious activity suggesting that an attack occurred, including the tools used and who used them.
IoCs are a type of technical threat intelligence that security teams use during threat hunting and incident response. IoCs provide information about unusual behavior that can include:
- Abnormal login behavior and credential use
- Anomalous network traffic
- Suspicious changes to registries and file systems
Security teams typically use IoCs to help them detect cybersecurity issues like:
- Credential theft
- Data exfiltration
What are the types of IoCs?
When you understand the types of IoCs, you can more effectively use them as part of your external risk monitoring. Since attackers increasingly leverage public-internet-facing assets during attacks, IoCs give the specific technical information that help you identify potential risks.
Anomalous Privileged Activity
Privileged accounts have nearly unfettered access to systems, networks, devices, and data. Since these can make significant changes, attackers actively seek to use this access.
Some things that security teams should look for include:
- Standard accounts with newly escalated privileged access
- Privileged users making unexpected changes to systems, files, and folders
- Privileged accounts being used during unexpected days or times
Businesses know where their employees live and where they do business. Detecting account logins from geographic regions outside these can indicate a potential attacker with access to systems or networks.
Failed Account Logins
Typically, people manage to login to their accounts in one or two tries, even if they forget their password. However, having a high volume of failed login attempts for a single user, new account, or nonexistent account can indicate a potential credential-based attack.
Increased Database Read Volume
When someone reads your database, they generate traffic. If you detect an unexplained increase in database read volume, it can mean that an attacker is looking for information in your database prior to downloading it.
Large HTML Response Sizes
Whenever someone makes a request to a web application or web server, the technology issues a Hypertext Markup Language (HTML) response. A typical HTML response size is 260 KB so something abnormally larger, like 50MG, could indicate an attacker is trying to look for a web application or server security vulnerability.
High Request Volumes for the Same File
When someone accesses a file, the technology creates a record of the request. When attackers try to gain unauthorized access to a file, they may try different ways to do it. When you get a high volume of requests for the same file, it can indicate an attack.
Abnormal Port-Application Traffic
Every application protocol uses a unique port number identifier, similar to how devices use unique IP addresses. When attackers attempt to infiltrate networks, they often try to find a way in through an application. Noticing an application exchanging data via an abnormal port can indicate an attacker trying to use the application to penetrate the network or access the application.
Suspicious Changes to Registry or System Files
In Windows, a registry file is a text-based file that stores the technical setting for the operating system and applications. A system file is a critical file that processes, operating systems, applications, and device drivers use to operate properly. Often, attackers often incorporate code in their malware that makes changes to these files so that they can achieve persistence while remaining undetected. Noticing abnormalities in these files or changes in how the technologies work can indicate a malware attack.
Anomalous DNS Requests
A DNS request is a computer sending a message that identifies itself to a web application, server, or database when it wants data from the asset, and then the asset responds back. As part of an attack, malicious actors often use command-and-control (C&C) servers to deploy malware. When the C&C server communicates with the digital asset, it sends DNS requests. If you detect DNS requests from an abnormal host or geographic location, it can indicate attackers trying to steal information.
What are IOCs used for?
Security teams use IoCs as part of their proactive security monitoring and their reactive incident response processes. In an attack’s aftermath, security researchers and protection agencies will release a list of IoCs.
For example, the Cybersecurity & Infrastructure Security Agency (CISA) released an updated Cybersecurity Advisory (CSA) about threat actors exploiting multiple unpathed VMware vulnerabilities, identifying the following IoCs:
- A malicious shell script
- Customized GET requests
- Copies of abnormal webshells
- Copies of commands that attackers use
- Lists of IP addresses associated with attacks
- Snort signatures to help detect malicious network traffic
- YARA rules to identify post-exploitation tools
- Domains associated with the attack
- Scanning, exploitation strings, and commands observed
- Files detected
Several of these IoCs leverage the public internet. For example, the customized GET requests indicate that an external entity is using the internet to access a digital asset or exfiltrate data.
Threat hunting is a proactive security activity where security professionals look through systems to find attacks that may have evaded their detections. Security teams can use these to help them go searching for activities associated with the attack, enabling them to uncover incidents that their alerts may have missed. For example, security teams can search their logs for the identified GET requests to see if any known abnormal activity is occurring.
Security teams can use IoCs to build better detection rules so that they can identify and block attackers before they gain unauthorized access. For example, if you build security alerts that use the YARA rules and Snort signatures for known attacks, attackers are less likely to evade detection.
A detection notifies you something happened, but the investigation tells you what that something was. Security teams use IoCs as part of their investigations to look for specific activities that align with known attacks. For example, if you know that your system could be impacted by an unpatched VMware, you could use the IoCs in the CSA to focus your investigation. When you reduce Mean Time To Investigate (MTTI), you also reduce Mean Time To Contain (MTTC), and Mean Time to Recover (MTTR) because all three activities are related to one another.
Flare: Automated External Attack Surface Management
With Flare’s automated, real-time view of your digital footprint, you can efficiently focus on high-risk public facing assets. Using Flare, you can identify misconfigured assets to reduce the number of potential attack vectors.
Get started in just fifteen minutes with a free trial.