Indicators of compromise

What are indicators of compromise?

Indicators of compromise (IoCs) are forensic artifacts, such as file hashes, IP addresses, domain names, registry entries, or patterns of activity, whose presence in an organization's network suggests that a security breach, malware infection, or insider misuse has already taken place or is under way. IoCs serve as a warning that an attack is in progress, and they also help reconstruct what happened after the fact. By matching what they observe against known IoCs, organizations can detect an intrusion early and respond in time to limit the damage to their network.

Types of indicators of compromise

There are five primary types of IoCs you can use to identify whether your environment has been compromised:

  1. File-based IoCs: Malicious file downloads can infect the organization's ecosystem. They are identified via atypical file extensions, unusual file names and file paths (for example, an executable dropped into a temporary directory), known-malicious file hashes, and file size anomalies. Hash matches are precise but brittle, since recompiling or repacking a file changes its hash, so name and path patterns are useful alongside them.
  2. Network-based IoCs: Suspicious activities that take place on the network are indicated by network-based IoCs such as known-malicious IP addresses, domain names, or URLs. Sudden spikes in network traffic, or connections at regular intervals to an unfamiliar destination, can also indicate that the network has been compromised.
  3. Behavioral IoCs: Activities that deviate from the normal functioning of systems or users, such as multiple failed login attempts, unusual user activity during non-business hours, unanticipated system crashes, abnormal network connections, and high memory usage, are behavioral IoCs. Each of these has benign explanations on its own, so they are most useful when correlated with one another or with the other indicator types.
  4. Registry-based IoCs: The presence of certain entries within the Windows Registry potentially indicates that a cyberattack is ongoing or has occurred. Examples include registry key deletions and unusual registry values, such as unexpected entries under the Run and RunOnce keys that malware uses to persist across reboots.
  5. Host-based IoCs: Suspicious changes made to system settings, permissions, services, scheduled tasks, and running processes indicate a potentially compromised endpoint.
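As an added illustration (example code written for this page, not taken from the article or from any product), the following Python script checks a constructed set of log records against a small indicator set covering the first three types: a known-bad file hash and a suspicious executable path, a known-bad IP address and domain, and a burst of failed logins for one account. Every hash, address, domain, and log line is constructed; the addresses come from the documentation ranges and none of the values is real threat intelligence.

```python
"""Added example, not from the original page: match constructed log records
against a small indicator set covering file-, network- and behavioral IoCs.
All indicator values and events below are constructed for illustration."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator set. The hash is of a made-up byte string, the IP is
# from the TEST-NET-3 documentation range, the domain is reserved for examples.
FILE_HASHES = {hashlib.sha256(b"constructed dropper payload").hexdigest()}
BAD_IPS = {"203.0.113.45"}
BAD_DOMAINS = {"update-check.example"}
FAILED_LOGIN_THRESHOLD = 5              # failures per user within the window
FAILED_LOGIN_WINDOW = timedelta(minutes=2)

# Constructed events, one dict per log record.
EVENTS = [
    {"ts": "2024-05-01T09:00:01", "type": "file_write", "host": "ws01",
     "path": r"C:\Users\alice\AppData\Local\Temp\svch0st.exe",
     "sha256": hashlib.sha256(b"constructed dropper payload").hexdigest()},
    {"ts": "2024-05-01T09:00:02", "type": "file_write", "host": "ws01",
     "path": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "sha256": hashlib.sha256(b"unknown installer").hexdigest()},
    {"ts": "2024-05-01T09:00:05", "type": "dns", "host": "ws01",
     "query": "update-check.example"},
    {"ts": "2024-05-01T09:00:06", "type": "net_conn", "host": "ws01",
     "dst_ip": "203.0.113.45", "dst_port": 443},
    {"ts": "2024-05-01T09:01:00", "type": "net_conn", "host": "ws02",
     "dst_ip": "198.51.100.10", "dst_port": 443},
] + [
    {"ts": f"2024-05-01T09:02:{i:02d}", "type": "login_failed",
     "host": "dc01", "user": "bob"} for i in range(6)
] + [
    {"ts": "2024-05-01T09:10:00", "type": "login_failed",
     "host": "dc01", "user": "carol"},
    {"ts": "2024-05-01T09:30:00", "type": "login_failed",
     "host": "dc01", "user": "carol"},
]


def match_file_iocs(events):
    """File-based IoCs: a known-bad hash, or an executable dropped in a Temp path.
    Hash matches are exact but brittle; the path rule also catches renamed variants."""
    hits = []
    for e in events:
        if e["type"] != "file_write":
            continue
        if e["sha256"] in FILE_HASHES:
            hits.append(("file_hash", e["host"], e["path"]))
        elif "\\Temp\\" in e["path"] and e["path"].lower().endswith(".exe"):
            hits.append(("file_path", e["host"], e["path"]))
    return hits


def match_network_iocs(events):
    """Network-based IoCs: known-bad destination addresses and DNS names."""
    hits = []
    for e in events:
        if e["type"] == "net_conn" and e["dst_ip"] in BAD_IPS:
            hits.append(("bad_ip", e["host"], e["dst_ip"]))
        elif e["type"] == "dns" and e["query"] in BAD_DOMAINS:
            hits.append(("bad_domain", e["host"], e["query"]))
    return hits


def match_failed_login_bursts(events):
    """Behavioral IoC: THRESHOLD or more failed logins for one user inside a
    sliding time window. Scattered failures (user 'carol') are not reported."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "login_failed":
            per_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    hits = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAILED_LOGIN_WINDOW:
                start += 1
            if end - start + 1 >= FAILED_LOGIN_THRESHOLD:
                hits.append(("failed_login_burst", user, end - start + 1))
                break                      # one alert per user is enough
    return hits


def scan(events):
    """Run all matchers and return the combined list of (indicator, subject, detail)."""
    return (match_file_iocs(events)
            + match_network_iocs(events)
            + match_failed_login_bursts(events))


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

Running the script reports five hits: the known hash, the second executable in the Temp directory (caught by the path rule even though its hash is unknown), the domain lookup, the connection to the listed address, and the burst of failed logins for "bob". The two failures for "carol" fall outside the window and are ignored, which is the kind of threshold a real deployment would tune against its own baseline.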

Indicators of compromise examples

IoCs appear in various guises, such as anomalous user behavior, unwarranted file activities, unusual network traffic, and more. Known IoCs are shared through threat intelligence feeds and IoC databases, which let you match what you observe in your own environment against indicators seen in other organizations' incidents. Some of these databases also allow you to upload the IoC information identified within your network. The most common indicators of compromise are:

  • Rise in database read volume

    Personal information and critical business data are stored in secure databases, making them prime targets for attackers. A sudden spike in read volume, that is, in the number of queries or the amount of data returned rather than in the number of users, can be a sign of data exfiltration, because an attacker has to read the data before moving it out.

  • Geographical irregularities

    A telltale sign that something is wrong is login activity, or access attempts, coming from a region where your organization does not operate. Source IP addresses are the usual way to geolocate such attempts, with the caveat that VPNs, proxies, and cloud-hosted attackers make IP geolocation approximate, so this indicator is strongest when combined with others, such as the same account logging in from two distant locations within a short window.

  • Anomalies in privileged user accounts

    Attackers often try to reach data by escalating the privileges of low-level user accounts they have compromised. Sudden changes in account activity, such as a spike in permission or group-membership changes, or a service account logging on interactively, can indicate a compromised account or an insider attack.

  • Unusual outbound network traffic

    Intruders have to move data out of the network to exfiltrate it, and malware has to reach its command-and-control (C2) server, so unusual outbound traffic is one of the most telling indicators: connections to unfamiliar destinations, large transfers at unusual times, or small connections repeated at regular intervals (beaconing).

  • Suspicious registry changes

    When malware enters a system, it often modifies the registry and system files to persist across reboots and to disable defenses. Keeping an eye on registry changes, especially in autostart locations, helps identify the presence of malware.

  • Increased requests for the same file

    Attackers often probe repeatedly, trying several tactics until one succeeds. If a single file, such as a login page, a configuration file, or a credential store, receives an unusual number of requests over a short period, it may be the target of an automated attack.
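Several of the indicators above (a rise in database reads, unusual outbound traffic, repeated requests for one file) are volume spikes, so they are detected the same way: compare each new count with a baseline built from recent history. The script below is an added example written for this page, not code from the article or from any product. It scores each hourly count against the median and median absolute deviation (MAD) of the preceding hours; the three hourly series are constructed, each a repeating "normal" pattern with injected spikes.

```python
"""Added example, not from the original page: flag volume spikes of the kind
described above (database reads, outbound bytes, requests for one file) by
scoring each new hourly count against a rolling baseline of the previous
hours. The series are constructed: a repeating normal pattern with injected
spikes."""
from statistics import median

BASELINE_HOURS = 48      # hours of history each point is compared against
THRESHOLD = 6.0          # robust z-score above which a point is a spike


def robust_spikes(series, baseline_len=BASELINE_HOURS, k=THRESHOLD):
    """Return (index, value, score) for every point whose distance from the
    median of the preceding `baseline_len` points exceeds k scaled MADs.
    Median and MAD are used instead of mean and standard deviation so that a
    spike which has already entered the window does not inflate the baseline
    and mask the next one."""
    hits = []
    for i in range(baseline_len, len(series)):
        window = series[i - baseline_len:i]
        med = median(window)
        mad = median(abs(x - med) for x in window)
        scale = 1.4826 * mad if mad else 1.0   # MAD -> std-equivalent; guard a flat baseline
        score = (series[i] - med) / scale
        if score > k:
            hits.append((i, series[i], round(score, 1)))
    return hits


# Constructed hourly counters: 72 hours of a repeating cycle plus injected spikes.
DB_READS = [1200 + (h % 7) * 40 for h in range(72)]          # rows read per hour
DB_READS[61] = 9800                                          # injected read spike
OUTBOUND_BYTES = [5_000_000 + (h % 5) * 200_000 for h in range(72)]
OUTBOUND_BYTES[62] = 300_000_000                             # exfiltration-sized burst
OUTBOUND_BYTES[63] = 280_000_000                             # second burst, right after the first
LOGIN_PAGE_HITS = [300 + (h % 3) * 10 for h in range(72)]    # requests for one file
LOGIN_PAGE_HITS[70] = 4200                                   # injected burst of requests


def report(name, series):
    """Tag each spike with the series name so hits from several counters can be merged."""
    return [(name, idx, value, score) for idx, value, score in robust_spikes(series)]


if __name__ == "__main__":
    for name, series in (("db_reads", DB_READS),
                         ("outbound_bytes", OUTBOUND_BYTES),
                         ("login_page_hits", LOGIN_PAGE_HITS)):
        for hit in report(name, series):
            print(hit)
```

The second outbound burst at hour 63 is the reason for the median/MAD choice: once the first 300 MB hour is inside the window, a mean-and-standard-deviation baseline is pulled up by it, whereas the median and MAD barely move, so the follow-on burst is still scored as an outlier. In practice the baseline window should cover whole business cycles (at least a week) and the threshold should be tuned per counter.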

Indicators of compromise vs. indicators of attack

Understanding the differences between indicators of compromise (IoCs) and indicators of attack (IoAs) is essential to investigating security incidents. These differences are described below:

  • Indicators of compromise: IoCs are evidence that a compromise has already happened. They are drawn from past forensic investigations and shared as threat intelligence, so security teams can look for the same artifacts (hashes, addresses, domains, registry entries) in their own environment and take corrective measures against known threats. Their weakness is that they are reactive: an attacker who changes a file hash or a domain sidesteps them.
  • Indicators of attack: IoAs describe the behavior of an attack rather than a specific artifact, for example a process chain or a sequence of actions, so they signal that a cyberattack is ongoing or that a malicious intrusion is about to occur even when the tools involved have never been seen before. Identifying a malicious entity with the help of indicators of attack can aid you in reducing the attack surface and remediating the organizational environment.
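To make the distinction concrete, here is an added example (written for this page, not taken from the article or from any product) that checks one constructed endpoint event stream both ways. The IoC check matches process image hashes against a known-bad list; the IoA check looks for the behavior of a common attack chain, an office application spawning a script interpreter that then makes an outbound connection, without caring which file carried it. Process names, PIDs, hashes, and the destination address are all constructed.

```python
"""Added example, not from the original page: one constructed event stream
checked two ways. The IoC check matches artifacts already known to be bad (a
file hash); the IoA check matches the behaviour of an attack in progress,
here an office application spawning a script interpreter that then makes an
outbound connection, regardless of which file carries it. All values are
constructed."""
from datetime import datetime, timedelta

KNOWN_BAD_HASHES = {"0" * 64}                 # constructed placeholder hash list
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
MAX_GAP_SECONDS = 60                          # interpreter start -> network connect

# Constructed process and connection events from one endpoint.
EVENTS = [
    # Chain A: a document opens, spawns PowerShell, which calls out within seconds.
    {"ts": "2024-05-01T10:00:00", "type": "process", "pid": 100, "ppid": 1,
     "image": "winword.exe", "sha256": "a" * 64},
    {"ts": "2024-05-01T10:00:20", "type": "process", "pid": 101, "ppid": 100,
     "image": "powershell.exe", "sha256": "b" * 64},
    {"ts": "2024-05-01T10:00:25", "type": "net_conn", "pid": 101,
     "dst_ip": "198.51.100.23", "dst_port": 443},
    # Chain B: an administrator runs PowerShell from the shell; no office parent.
    {"ts": "2024-05-01T10:05:00", "type": "process", "pid": 200, "ppid": 1,
     "image": "powershell.exe", "sha256": "b" * 64},
    {"ts": "2024-05-01T10:05:05", "type": "net_conn", "pid": 200,
     "dst_ip": "198.51.100.23", "dst_port": 443},
    # Chain C: a spreadsheet spawns cmd.exe but nothing connects out.
    {"ts": "2024-05-01T10:10:00", "type": "process", "pid": 300, "ppid": 1,
     "image": "excel.exe", "sha256": "c" * 64},
    {"ts": "2024-05-01T10:10:03", "type": "process", "pid": 301, "ppid": 300,
     "image": "cmd.exe", "sha256": "d" * 64},
]


def ioc_matches(events):
    """IoC: PIDs of processes whose image hash is already on the known-bad list."""
    return [e["pid"] for e in events
            if e["type"] == "process" and e["sha256"] in KNOWN_BAD_HASHES]


def ioa_matches(events, max_gap_seconds=MAX_GAP_SECONDS):
    """IoA: office app -> script interpreter -> outbound connection, with the
    connection made within max_gap_seconds of the interpreter starting.
    Returns one (parent_pid, child_pid, dst_ip) tuple per matching chain."""
    max_gap = timedelta(seconds=max_gap_seconds)
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] != "net_conn":
            continue
        child = procs.get(e["pid"])
        if child is None or child["image"] not in SCRIPT_HOSTS:
            continue
        parent = procs.get(child["ppid"])
        if parent is None or parent["image"] not in OFFICE_APPS:
            continue
        started = datetime.fromisoformat(child["ts"])
        connected = datetime.fromisoformat(e["ts"])
        if timedelta(0) <= connected - started <= max_gap:
            hits.append((parent["pid"], child["pid"], e["dst_ip"]))
    return hits


if __name__ == "__main__":
    print("IoC hits:", ioc_matches(EVENTS))   # nothing known-bad yet: []
    print("IoA hits:", ioa_matches(EVENTS))   # chain A only: [(100, 101, '198.51.100.23')]
```

None of the hashes is on the list, so the IoC check is silent until someone has investigated this incident and published the hash; the IoA rule fires on chain A immediately, stays silent for the administrator's PowerShell session (no office parent) and for the spreadsheet that spawned cmd.exe without connecting out, and would turn the chain A hash into an IoC for everyone else once the incident is written up.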

How can ManageEngine DataSecurity Plus help identify indicators of compromise?

IoC scanners, or IoC finders, are tools that search systems and logs for known indicators of compromise. DataSecurity Plus' security incident response software helps you find the following red flags in your organization:

Unusual file accesses

Keep yourself informed of anomalous activities, such as file changes that occur during non-business hours, using the file server auditing solution.

Excessive privilege escalation

Track permission changes in real time using the share and NTFS permission auditing tool to ensure privileges are not elevated without authorization.

Spikes in file read volume

Receive instant email alerts when a file receives multiple read requests in a short span using the file activity monitoring tool.

Disconnect rogue user sessions

Respond to unauthorized modifications of system files by running custom scripts, for example to disconnect the offending user's session, using the file integrity monitoring software.

Use of shadow applications

Keep yourself informed about users who create risk by accessing unsanctioned (shadow) cloud applications, using the cloud protection tool.

Anomalous data transfer

Analyze files that are moved or copied to USB devices, and trigger alerts in case of unwarranted file transfers using the USB data theft protection tool.
