Indicator of compromise

What is an indicator of compromise?

Indicators of compromise (IOCs) are forensic evidence of discrepancies, or unusual activities in the organization's network, that help identify security threats, data breaches, insider threats, and more before any harm occurs. IOCs act not just as a warning sign for impending attacks, but they also help in analyzing what has happened. By learning about possible security threats, organizations can deploy their counter security measures to limit or prevent damage to their network.

Indicators of compromise examples

IOCs appear in various guises, such as anomalous user behavior, unwarranted file activities, unusual network traffic, and more. All these signs are stored in an IOC database over the internet that helps you identify signals of a vulnerability. Some databases also allow you to upload the IOC information identified within your network. The most common indicators of compromise are:

  • Rise in database read volume

    Personal information and critical business data are stored in secure databases, making them prime target for attackers. A sudden spike in read volume, which indicates the number of users who accessed the database, is a sign of data exfiltration.

  • Geographical irregularities

    Telltale signs that something is wrong occurs when you find login patterns, or access attempts coming from a region where your organization does not operate. IP addresses are crucial indicators that help you identify the geographical origin of the attack.

  • Anomalies in privileged user accounts

    Hackers often try to access data by escalating the privileges of low-level user accounts. Any sudden changes in user account activity, such as a sudden spike in permission changes, can indicate a possible insider attack.

  • Unusual outbound network traffic

    This sign indicates when unusual network activities are found as intruders try to extract data, or when information is being sent to a command and control server.

  • Suspicious registry changes

    When malware enters the system, it attempts to change registry and system files. Keeping an eye on registry changes helps identify the presence of malware.

  • Increased request for the same file

    Attackers try several tactics to identify the most successful one. If a file receives several requests over a short period, it is a sign that you might be under attack.

How can ManageEngine DataSecurity Plus help identify indicators of compromise?

IOC scanners, or IOC finders, are special tools used exclusively to search for indicators of compromise. DataSecurity Plus' security incident response software helps you find these red flags in your organization:

Unusual file accesses

Keep yourself informed of anomalous activities, like file changes, that occur during non-business hours using the file server auditing solution.

Excessive privilege escalation

Track permission changes in real-time using the share and NTFS permission auditing tool to ensure privileges are not elevated without authorization..

Spikes in file read volume

Receive instant email alerts when a file receives multiple read requests in a short span using the file activity monitoring tool.

Disconnect rogue users session

Run custom scripts as a response to unauthorized modifications made to system files by blocking them using the file integrity monitoring software.

Use of shadow applications

Keep yourself informed about all the actors who pose a threat by accessing shadow cloud applications using the cloud protection tool.

Anomalous data transfer

Analyze files that are moved or copied to USB devices, and trigger alerts in case of unwarranted file transfers using the USB data theft protection tool.

Download a free, 30-day trial
Email Download Link