Cyber Security » How-to

Threat hunting: Indicators of Compromise(IoCs)

Quick search

    Threat hunting is the process of searching for underlying and undetected threats in your network. Malicious actors often trespass the network perimeter defenses and stealthily lurk inside your environment before carrying out an attack. Once the attacker is into your network, it is difficult to identify and combat the Advanced Persistent Threats (APTs) they could pose.

    But, with threat hunting you can search for underlying and undetected threats in your network and mitigate them at an early stage to harden the security of your network.

    Threat hunters, a team of cybersecurity professionals, assume that an attacker is already present inside your network and look for the following information:

    • Malicious IPs, domains, URLs, and hashes
    • Indicators of Compromise (IoCs)
    • Indicators of Attack (IoAs)
    • Tactics, Techniques, and Procedure (TTPs) of attackers.

    What are Indicators of Compromise (IoCs)?

    Indicators of Compromise are forensic evidence that determines any form of intrusion in a network. Any malicious activity that is deviant from normal network behavior could be an IoC. You can monitor your network for known IoCs by sourcing them from threat intelligence feeds.

    Why is monitoring your network for IoCs important?

    IT admins lookout for multiple IoCs in your network, correlate and analyze them to identify threats and attack patterns. You can also equip your security solutions and IT teams to detect and mitigate threats posed by common IoCs. The IoCs documented in your network should also be shared in the IT community to educate and alert organizations about potential threats as mentioned in the STIX/TAXII protocols.

    Are you monitoring your network for these important IoCs?

    1. Privileged user activity monitoring
    2. Privileged user accounts are important targets for attackers. You should monitor these accounts and check for:

      • Any sudden spike in activities
      • Attempting logins at unusual hours
      • Accessing critical files for more times than necessary
      • Granting unnecessary permissions to other user accounts
      • Enabling or disabling user accounts
      • Reading and modifying databases
    3. Unnecessary data accumulation
    4. Attackers often accumulate data at certain points in your network and exfiltrate it at unusual hours. If you come across huge volumes of data being archived and stored at certain places in your network, this is an indication that your network has been penetrated by attackers and data exfiltration can be carried out at any moment.

    5. Unusual network traffic pattern
    6. It is important to check for inbound and outbound network traffic pattern changes in your network. You should also check if any network connection attempts have been made from a foreign country that your organization doesn't do business with. This means that an attacker is passively trying to gain access to your network.

    7. Multiple requests for the same file
    8. When you spot a user sending more than 500 requests to access a single file, which on any given day is accessed just 4 or 5 times by the same user, this is a potential IoC. In this case, it is highly likely that the attacker present in your network wants to access a file and is trying to do so in multiple ways.

    Monitoring logs effectively.

    All the above mentioned anomalies and other such malicious activities are recorded in your log files. You can mitigate threats by monitoring the logs collected in your network efficiently. Sourcing IoCs from threat analytic feeds, monitoring your network for the IoCs, and alerting the IT admins in case of an anomaly can all be done easily using an effective management solution.

    EventLog Analyzer is a log management solution that can help you look for IoCs in your environment as it incorporates threat analytic feeds from STIX, TAXII, and AleinVault OTX platforms. It uses its powerful correlation engine to spot anomalies across your network and generates comprehensive reports on all network activities. Alerts can be configured for malicious activities to notify IT security admins in real-time via SMS and email to prevent threats and attacks. You can also configure incident workflows to respond to threats and mitigate them at an early stage.Learn more about EventLog Analyzer.

    EventLog Analyzer

    EventLog Analyzer, a one-stop log management solution, collects, analyzes, correlates, and archives log data from you on-premises as well as cloud network. With its in-depth log analysis capability, EventLog Analyzer helps enterprises to thwart security threats in real-time, spot anomalous user behaviors, and manage security incidents effectively. Want to know how our solution helps you protect your cloud environment? Check out.

    Download now

    EventLog Analyzer Trusted By

    Los Alamos National Bank Michigan State University
    Panasonic Comcast
    Oklahoma State University IBM
    Accenture Bank of America
    Infosys
    Ernst Young

    Customer Speaks

    • Credit Union of Denver has been using EventLog Analyzer for more than four years for our internal user activity monitoring. EventLog Analyzer provides great value as a network forensic tool and for regulatory due diligence. This product can rapidly be scaled to meet our dynamic business needs.
      Benjamin Shumaker
      Vice President of IT / ISO
      Credit Union of Denver
    • The best thing, I like about the application, is the well structured GUI and the automated reports. This is a great help for network engineers to monitor all the devices in a single dashboard. The canned reports are a clever piece of work.
      Joseph Graziano, MCSE CCA VCP
      Senior Network Engineer
      Citadel
    • EventLog Analyzer has been a good event log reporting and alerting solution for our information technology needs. It minimizes the amount of time we spent on filtering through event logs and provides almost near real-time notification of administratively defined alerts.
      Joseph E. Veretto
      Operations Review Specialist
      Office of Information System
      Florida Department of Transportation
    • Windows Event logs and device Syslogs are a real time synopsis of what is happening on a computer or network. EventLog Analyzer is an economical, functional and easy-to-utilize tool that allows me to know what is going on in the network by pushing alerts and reports, both in real time and scheduled. It is a premium software Intrusion Detection System application.
      Jim Lloyd
      Information Systems Manager
      First Mountain Bank

    Awards and Recognitions

    •  
    •  
    •  
    •  
    •  
    •  
    •  
    •  
    •  
    •  
    A Single Pane of Glass for Comprehensive Log Management

    © 2020 Zoho Corporation Pvt. Ltd. All rights reserved.