Indicators of Compromise Definition
What are indicators of compromise? Indicators of compromise (IOCs) are pieces of data that indicate the presence of malicious activity on a system or network. They can be found in logs, files, network traffic, and other places where attackers leave traces. The more indicators an organization tracks, the better its chances of spotting a breach before it causes serious damage.
Indicators of compromise are the breadcrumbs that let infosec and IT teams detect malicious activity early in the attack sequence. They range from simple items such as a file hash, an IP address, or a metadata element to complex artifacts such as malicious code samples.
Indicators of Compromise vs. Indicators of Attack
Indicators of attack (IOAs) are related to indicators of compromise but differ in focus: an IOC is forensic evidence that a compromise has already happened, while an IOA describes attacker behavior (the techniques and intent) and aims to catch an attack while it is still in progress, before it succeeds.
Indicators of Compromise Examples
According to this article by Ericka Chickowski, there are 15 key indicators of compromise that companies should look out for:
- Unusual outbound network traffic, such as large transfers to destinations a host does not normally talk to.
- Anomalies in privileged user account activity, for example an admin or service account used at odd hours or against unusual systems.
- Geographical irregularities, such as one account logging in from two countries within a short window.
- Log-in red flags, such as bursts of failed logins or successful logins at unusual times.
- Increases in database read volume, which can signal an attacker dumping whole tables rather than an application reading single records.
- HTML response sizes that are much larger than normal, a possible sign of data being extracted through a web application.
- Large numbers of requests for the same file.
- Mismatched port-application traffic, such as a protocol running over a port normally reserved for a different application.
- Suspicious registry or system file changes; when these are reported, identify the source and the extent of the change immediately.
- Unusual DNS requests.
- Unexpected patching of systems, which attackers sometimes perform to close the hole they used and lock out rivals.
- Mobile device profile changes.
- Bundles of data in the wrong place, such as archives staged on systems where that data does not belong.
- Web traffic with non-human behavior.
- Signs of DDoS activity.
Improve Detection and Response by Using Indicators of Compromise
Monitoring for indicators of compromise enables organizations to detect and respond to attacks more effectively, and if a company has already been compromised, to identify the security incident more quickly.
There is a push in the IT industry to report security incidents in standardized ways. For example, some organizations use frameworks such as OpenIOC so they can share indicators with each other more easily.
Knowing what indicators of compromise are is one of the most important parts of fighting malware and cyberattacks. Organizations that monitor for indicators of compromise diligently can be considerably more secure.
Malware indicators of compromise
Being able to detect indicators of compromise improves detection accuracy and speed as well as remediation times. Generally speaking, the earlier an attack on your business or organization is detected, the less impact it has and the easier it is to contain.
IOCs, especially those from recurring attacks, give an organization insight into how its attackers work, so that those lessons can be incorporated into security tools and cybersecurity policies.
Protect Your Organization from Cybersecurity Threats
SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.