What are IOCs?
These are known as Indicators of Compromise...
IOCs differ slightly from Indicators of Attack (IOAs): IOCs focus on examining what happened after an attack has occurred, whereas IOAs focus on identifying the activity associated with an attack while it is happening.
IOCs are pieces of actual forensic data, artifacts or remnants of an intrusion that can identify potentially malicious activity on your networks and systems. They are markers of 'unusual activity' and serve as RED FLAGS that indicate a potential or in-progress attack that could lead to a data breach or system compromise.
Some of these artifacts are found in event logs and timestamped entries on the system, as well as in its applications and services. Security professionals also employ various tools that monitor for IOCs.
IOCs are very helpful because they assist you in detecting all sorts of data breaches, malware infections and other suspicious activity launched by threat actors.
It is fundamental to cybersecurity that you continuously monitor IOCs, as they practically act as breadcrumbs: follow the breadcrumbs and you are led to malicious activity early in the attack sequence.
But IOCs are not always easy to detect; they can be as simple as metadata elements or as complex as malicious code and content samples that require advanced reverse engineering and analysis. IOCs are nothing but the cumulative result of a process of pulling all these different pieces together.
Security analysts often identify various IOCs, look for correlation, and piece them together to analyze a potential threat or incident. Whenever multiple IOCs correlate strongly, you may assume that a security threat or network intrusion exists, and it is time to send in your CSIRT.
If you are a security analyst, incident responder or threat researcher, the importance of your ability to collect, record and annotate IOCs in detail cannot be stressed enough. Being able to demonstrate the Who, What, Where, When, How and (assuming you have enough data) the Why is invaluable!
If your security teams discover recurrence or patterns of specific IOCs, they can update their security tools and policies to protect against future attacks as well.
Threat Intelligence is the cornerstone
Threat intelligence refers to evidence-based knowledge that can specifically be used to prevent cyber attacks. Threat intelligence can include many things, for example:
Your company can develop its own threat intel through its own activities and interactions: by discovering a suspicious event, identifying it as a security incident, correlating it with a specific type of attack from a specific source, and so on.
However, most companies worldwide prefer threat-intelligence feeds from security vendors and open-source threat-intel feeds. You can in fact source them from multiple third parties. This is a far better approach, as so much goes into the development of the right set of IOCs for any given malicious activity!
If your company has access to up-to-date threat intelligence, you can heavily automate the process of searching for IOCs. That leaves your security analysts free to focus on innovation, as well as on disaster recovery and incident response preparation and strategy.
15 Indicators of Compromise
While researching on the Internet, I found a list of 15 Indicators of Compromise:
How to identify IOCs?
When your organization is an attack target or a victim, the cybercriminal will leave traces of their activity in the system and log files. Your threat hunting team gathers this digital forensic data from these files and systems to determine whether a security threat or data breach has occurred or is in progress.
Identifying IOCs is a job handled almost exclusively by trained infosec professionals. Often these individuals leverage advanced technology to scan and analyze tremendous amounts of network traffic and to isolate suspicious activity.
The most effective cybersecurity strategies blend human resources with advanced technological solutions, such as AI, ML and other forms of intelligent automation, to better detect anomalous activity and improve response and remediation times.
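As an added example that is not part of the original post, the script below shows the correlation idea from the sections above: indicators from a threat-intel feed are matched against log lines, hits are grouped per host, and a host is flagged only when several distinct indicator types line up rather than on a single hit. The feed values, log format and hostnames are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed, hypothetical IOC feed: placeholder values, not real indicators.
FAKE_HASH = "0" * 63 + "1"
IOC_FEED = {
    "domain": {"update-chk.example.invalid"},
    "ip": {"203.0.113.45"},
    "sha256": {FAKE_HASH},
    "path": {r"C:\Users\Public\svchost32.exe"},
}

# Constructed sample log lines in the form "<timestamp> <host> <event text>".
SAMPLE_LOGS = [
    "2024-05-01T08:01:02Z ws-17 dns query=update-chk.example.invalid",
    "2024-05-01T08:01:03Z ws-17 net conn dst=203.0.113.45:443",
    "2024-05-01T08:01:09Z ws-17 proc start path=C:\\Users\\Public\\svchost32.exe"
    " sha256=" + FAKE_HASH,
    "2024-05-01T08:02:00Z ws-03 dns query=mail.example.org",
    "2024-05-01T08:03:15Z ws-03 net conn dst=203.0.113.45:443",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")


def match_iocs(msg, feed=IOC_FEED):
    """Return the (type, value) pairs from the feed that occur in one log message.

    Matching is case-insensitive so Windows paths and hostnames compare cleanly.
    """
    text = msg.lower()
    return {(kind, v) for kind, values in feed.items() for v in values if v.lower() in text}


def correlate(lines, feed=IOC_FEED, threshold=2):
    """Group IOC hits per host and flag hosts with >= threshold distinct IOC types.

    A lone hit (e.g. one IP match) stays below the bar; several indicator types
    on the same host is the correlation that warrants escalation to the CSIRT.
    """
    per_host = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip lines that do not fit the expected format
            per_host[m["host"]] |= match_iocs(m["msg"], feed)
    return {host: sorted(hits) for host, hits in per_host.items()
            if len({kind for kind, _ in hits}) >= threshold}
```

Calling `correlate(SAMPLE_LOGS)` flags only ws-17 (four indicator types), while ws-03's single IP hit is left for the analyst to review rather than escalated.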
IOC Documentation & Recording
Some in the industry argue that documenting IOCs and threats helps organizations and individuals share information across the IT community, as well as improve incident response and computer forensics.
The OpenIOC framework is one way to consistently describe the results of malware analysis. Other standards such as STIX and TAXII are further efforts to standardize IOC documentation and reporting.
IOCs are an important component in your battle against malware and cyberattacks. While they are reactive in nature, if your organization monitors for IOCs diligently and keeps up with the latest IOC discoveries and reporting, you can improve your detection rates and response times significantly.
Kindly write your comments on the posts or topics, because when you do that you help me greatly in designing new, quality articles and posts on cybersecurity.
You can also share with all of us whether the information shared here helps you in some manner.
Life is short, so make the most of it!
Also take care of yourself and your beloved ones…
______
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so passionate about the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and on social media platforms.
34,000+ professionals follow her on Facebook and are impressed by the quality of her posts there.
If you haven't yet come across her enthusiastic work of sharing quality info about Cybersecurity, you can follow her on Facebook: Cybersecurity PRISM