An indicator of compromise (IOC) is a piece of forensic data that can identify malicious activity on a system. In other words, an IOC is a red flag that alerts threat hunters to a potential intrusion.
Common IOCs shared as external threat intelligence are static artifacts such as registry keys, IP addresses and domain names. The practical way to find out whether these IOCs are present is to search for them in the telemetry you already collect, such as firewall, proxy and DNS logs and antivirus or endpoint alerts.
For example, answering the question, “Has this domain ever been accessed by my organization?” tells you whether any of your systems have been communicating with a known malicious external server.
TOP 10 INDICATORS OF COMPROMISE
1.) Unusual Outbound Network Traffic
Suspicious traffic patterns leaving the network, for example regular connections from a workstation to an unfamiliar external destination, can be a sign that something is amiss.
2.) Privileged User Account Activity
If privileged users change their typical behavior, this could be a sign of an account takeover.
3.) Geography
Geography is used to flag fraud across industries, most notably in banking. If a user is logging in from somewhere wildly outside their usual patterns, this could be a sign of an intruder accessing their account.
4.) Login Attempts
Repeated failed login attempts against an account (wrong username or password), or a successful login after hours followed by access to privileged files, may signal a malicious user.
5.) Database Reads
If an attacker has entered the system, they will most likely try to exfiltrate data. This creates a large volume of database reads, which should be flagged whenever such volume is unusual for that application or account.
6.) HTML Response Size
The size of the HTML response is a good way to identify a SQL injection that is extracting a large amount of data through a web application. If a normal response is around 200 KB and one suddenly weighs many megabytes, something is amiss.
7.) Requests Across Domain for One File
Attackers may attempt to locate one file across the domain, changing the URL on each request but continuing to look for the same file. Legitimate users do not request the same file hundreds of times at different URLs on the domain, so this is suspicious activity.
8.) Unusual Port Usage
An application sending traffic over a port it does not normally use, or over an obscure and rarely used port, is a common way for attackers to slip command-and-control traffic past controls; treat mismatches between protocol and port (for example, non-DNS traffic on port 53) as suspicious, and obscure listening ports as an exposure that gives an attacker an easy way in.
9.) Registry Changes
Establishing persistence is a priority for much malware, and the Windows registry (for example the autorun keys) is a favourite place to do it. Any unusual registry change is a strong sign of trouble.
10.) DNS Queries
Malware often uses DNS queries to locate or talk to its command-and-control server, and sometimes to carry the stolen data itself. This traffic usually has a distinct pattern, such as many queries for long, random-looking subdomains of a single domain, which becomes easier to recognize over time.
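The following script is an added example and is not code from the article or its author. It answers the question posed earlier ("has this domain ever been accessed by my organization?") by joining an IOC feed against a network log, and then runs simple versions of the indicators in the list above over constructed log records: failed-login bursts, after-hours privileged logins, logins from an unexpected country, oversized HTTP responses, one file requested at many paths, and long high-entropy DNS labels. Every host name, user, IP address, domain and threshold (five failures, 2 MB, three paths, 30-character labels, 3.5 bits of entropy) is an assumption chosen for the illustration; in practice you would tune them to your own baseline.

```python
import math
from collections import Counter, defaultdict

# --- Constructed sample data (hypothetical hosts, users and domains) ----------
IOC_FEED = {"updates.evil-cdn.example", "203.0.113.77"}   # external threat-intel feed

# Proxy/DNS-style records: (hour_of_day, source_host, destination)
NET_LOG = [
    (9, "ws-101", "www.example.com"),
    (11, "ws-102", "updates.evil-cdn.example"),
    (2, "ws-102", "203.0.113.77"),
]

# Authentication records: (hour, user, country, success, privileged_account)
AUTH_LOG = [
    (9, "alice", "DE", True, False),
    (12, "alice", "BR", True, False),            # country outside alice's baseline
    (10, "svc-backup", "DE", True, True),
    (3, "svc-backup", "DE", True, True),         # privileged login at 03:00
    *[(11, "bob", "US", False, False)] * 5,      # five password failures in a row
    (11, "bob", "US", True, False),
]
BASELINE_COUNTRIES = {"alice": {"DE"}, "bob": {"US"}, "svc-backup": {"DE"}}

# Web-server records: (client_ip, request_url, response_bytes)
HTTP_LOG = [
    ("198.51.100.5", "/products/list", 180_000),
    ("198.51.100.5", "/products/list?id=1%20UNION%20SELECT%20name,card%20FROM%20customers", 9_800_000),
    ("198.51.100.9", "/a/config.php", 400),
    ("198.51.100.9", "/b/config.php", 400),
    ("198.51.100.9", "/c/d/config.php", 400),
    ("198.51.100.9", "/x/y/z/config.php", 400),
]

# DNS records: (source_host, queried_name)
DNS_LOG = [
    ("ws-101", "www.example.com"),
    ("ws-102", "a9f3c1e77b02d4e8f1a6c3b9e0d2f7a4c8b1e5d3.tunnel.example.net"),
]

def ioc_hits(net_log, feed):
    """'Has my organisation ever talked to this IOC?': join the log against the feed."""
    return [rec for rec in net_log if rec[2] in feed]

def failed_login_bursts(auth_log, threshold=5):
    """Users with at least `threshold` failed logins (password guessing)."""
    fails = Counter(user for _, user, _, ok, _ in auth_log if not ok)
    return {u: n for u, n in fails.items() if n >= threshold}

def after_hours_privileged(auth_log, start=8, end=18):
    """Successful privileged logins outside business hours [start, end)."""
    return [(h, u) for h, u, _, ok, priv in auth_log if ok and priv and not start <= h < end]

def geo_anomalies(auth_log, baseline):
    """Successful logins from a country the user has never logged in from before."""
    return [(u, c) for _, u, c, ok, _ in auth_log if ok and c not in baseline.get(u, set())]

def oversized_responses(http_log, limit=2_000_000):
    """Responses far above the normal page size: bulk extraction through SQL injection."""
    return [rec for rec in http_log if rec[2] > limit]

def same_file_many_paths(http_log, threshold=3):
    """(client, filename) pairs where one client requested the same file at many paths."""
    seen = defaultdict(set)
    for client, url, _ in http_log:
        path = url.split("?", 1)[0]                      # ignore the query string
        seen[(client, path.rsplit("/", 1)[-1])].add(path)
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}

def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score close to 4 or more."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def suspicious_dns(dns_log, min_len=30, min_entropy=3.5):
    """Queries whose leftmost label is long and high-entropy, one common pattern of
    DNS being used as a command-and-control or exfiltration channel."""
    return [(host, name) for host, name in dns_log
            if len(name.split(".")[0]) >= min_len
            and shannon_entropy(name.split(".")[0]) >= min_entropy]

def run_hunt():
    return {
        "ioc_hits": ioc_hits(NET_LOG, IOC_FEED),
        "failed_login_bursts": failed_login_bursts(AUTH_LOG),
        "after_hours_privileged": after_hours_privileged(AUTH_LOG),
        "geo_anomalies": geo_anomalies(AUTH_LOG, BASELINE_COUNTRIES),
        "oversized_responses": oversized_responses(HTTP_LOG),
        "same_file_many_paths": same_file_many_paths(HTTP_LOG),
        "suspicious_dns": suspicious_dns(DNS_LOG),
    }

if __name__ == "__main__":
    for name, findings in run_hunt().items():
        print(f"{name}: {findings}")
```

Each detector returns the offending records rather than just a count, so an analyst can pivot straight from the finding to the host, user or client involved. The entropy check on DNS labels is one concrete form of the "distinct pattern" mentioned above; on real traffic it should be combined with query volume per domain and NXDOMAIN rates, since some content-delivery names are legitimately long and random.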
Indicators of exposure (IOEs) describe security weaknesses that are particular to an enterprise network and can be exploited by an attacker. It is not enough to catalog a list of vulnerabilities. Consideration must be given to those vulnerabilities that are not only exposed to a potential attack, but also put key assets at risk.
IOEs are determined by analyzing several factors together rather than observing a single event. An unexpected firewall rule change is an event, but an unexpected firewall rule change that opens up an access path to a critical asset is an IOE. By linking IOEs with an understanding of network topology and assets, enterprises can discern which attack vectors are most likely to be exploited in a multistep attack.
Working with identified IOEs rather than raw vulnerabilities and other risk data also allows security teams to use the power of contextual analysis to determine actions that will significantly reduce the size of their attack surface with less effort than a “fix everything” approach.
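The following is an added example, not code from the article or its author, showing the event-versus-IOE distinction in working form. It models a firewall policy as allow rules between assets, walks the rules from an untrusted entry point to find which assets are reachable, and classifies a proposed rule change as an IOE only if it newly puts an unpatched service on a critical asset within reach. It also contrasts the "fix everything" list of unpatched services with the shorter contextual list of the ones an attacker can actually reach. The asset names, ports, criticality flags and patch states are hypothetical, and "unpatched" stands in for whatever vulnerability data a real inventory would carry.

```python
from collections import deque

# --- Constructed inventory (hypothetical asset names, not a real network) -----
# asset -> business criticality and the patch state of each listening port.
ASSETS = {
    "internet": {"critical": False, "services": {}},
    "dmz-web":  {"critical": False, "services": {443: "patched", 80: "patched"}},
    "app-01":   {"critical": False, "services": {8080: "unpatched"}},
    "log-01":   {"critical": False, "services": {514: "unpatched"}},
    "db-01":    {"critical": True,  "services": {1433: "patched"}},
    "hr-files": {"critical": True,  "services": {445: "unpatched"}},
}

# Baseline firewall policy as allow rules (src_asset, dst_asset, dst_port).
BASELINE_RULES = {
    ("internet", "dmz-web", 443),
    ("dmz-web", "app-01", 8080),
    ("app-01", "db-01", 1433),
}

def reachable(rules, entry):
    """Breadth-first search over allow rules: asset -> chain of rules that reaches it."""
    paths, queue = {entry: []}, deque([entry])
    while queue:
        node = queue.popleft()
        for src, dst, port in sorted(rules):          # sorted for deterministic paths
            if src == node and dst not in paths:
                paths[dst] = paths[node] + [(src, dst, port)]
                queue.append(dst)
    return paths

def exposed_critical_assets(rules, assets, entry="internet"):
    """Critical assets with an unpatched service that an attacker starting at
    `entry` can reach: the topology-aware view the text calls an IOE."""
    paths = reachable(rules, entry)
    return {dst: paths[src] + [(src, dst, port)]
            for src, dst, port in sorted(rules)
            if src in paths and assets[dst]["critical"]
            and assets[dst]["services"].get(port) == "unpatched"}

def classify_rule_change(new_rule, rules=BASELINE_RULES, assets=ASSETS):
    """An added allow rule is just an event unless it newly exposes a critical
    asset, in which case it is an IOE and the access path is returned."""
    before = exposed_critical_assets(rules, assets)
    after = exposed_critical_assets(rules | {new_rule}, assets)
    newly = {a: p for a, p in after.items() if a not in before}
    return ("IOE", newly) if newly else ("event", {})

def all_unpatched(assets):
    """The 'fix everything' list: every unpatched service, reachable or not."""
    return sorted((a, p) for a, i in assets.items()
                  for p, s in i["services"].items() if s == "unpatched")

def reachable_unpatched(rules, assets, entry="internet"):
    """The contextual list: unpatched services an attacker can actually reach."""
    paths = reachable(rules, entry)
    return sorted({(dst, port) for src, dst, port in rules
                   if src in paths and assets[dst]["services"].get(port) == "unpatched"})

if __name__ == "__main__":
    for rule in [("app-01", "log-01", 514), ("internet", "db-01", 1433), ("dmz-web", "hr-files", 445)]:
        print(rule, "->", classify_rule_change(rule))
    print("fix everything:", all_unpatched(ASSETS))
    print("fix what is reachable:", reachable_unpatched(BASELINE_RULES, ASSETS))
```

Of the three sample rule changes, only the one that lets the DMZ web server reach the HR file share on its unpatched port is reported as an IOE, together with the two-hop path from the internet; opening a port to a non-critical log host, or to a critical database whose service is patched, stays a plain event. The same reachability data shrinks the patch backlog from three services to the single one that sits on an attack path.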
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...