Indicators of Compromise Definition

What are indicators of compromise? Indicators of compromise (IOCs) are pieces of data that indicate the presence of malicious activity on a system or network. They can be found in logs, files, and other places where attackers leave their mark. The more indicators an organization tracks, the more likely it is to catch and prevent a breach before it causes damage.

Indicators of compromise are the breadcrumbs that lead infosec and IT pros to detect malicious activity early in the attack sequence. These indicators can be as simple as metadata elements or as complex as malicious code samples.


Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders ensure their organizations are protected against cybersecurity threats, insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.


Indicators of Compromise vs. Indicators of Attack

Indicators of attack (IOAs) are similar to indicators of compromise but focus on identifying the attacker and what they are doing, rather than on the evidence left behind after they have succeeded.

Indicators of Compromise Examples

There are 15 key indicators of compromise that companies should look out for, according to this article by Ericka Chickowski.

  • Unusual Outbound Network Traffic
  • Anomalies in Privileged User Account Activity, which should be noticed as soon as they occur
  • Geographical Irregularities
  • Log-In Red Flags
  • Increases in Database Read Volume
  • HTML Response Sizes
  • Large Numbers of Requests for the Same File
  • Mismatched Port-Application Traffic
  • Suspicious Registry or System File Changes; when antivirus alerts on these, determine the source and the potential damage immediately
  • Unusual DNS Requests
  • Unexpected Patching of Systems
  • Mobile Device Profile Changes
  • Bundles of Data in the Wrong Place
  • Web Traffic with Non-Human Behavior
  • Signs of DDoS Activity
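Three of the indicators above (log-in red flags, geographical irregularities, and anomalies in privileged account activity) can be checked mechanically against authentication logs. The script below is an added example, not code from the article or from SecurityStudio; the log format, thresholds, and all log lines are constructed for illustration.

```python
"""Flag log-in red flags, geographic irregularities and off-hours privileged
logins in a constructed authentication log (example only)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system).
# Columns: ISO timestamp, user, result, source country, privileged account?
SAMPLE_LOG = """\
2024-03-01T08:55:00 alice FAIL US no
2024-03-01T08:55:10 alice FAIL US no
2024-03-01T08:55:20 alice FAIL US no
2024-03-01T08:55:30 alice FAIL US no
2024-03-01T08:55:40 alice FAIL US no
2024-03-01T08:56:00 alice OK US no
2024-03-01T09:10:00 bob OK US no
2024-03-01T09:40:00 bob OK DE no
2024-03-02T02:30:00 svc_admin OK US yes
2024-03-02T10:00:00 carol OK US no
"""

FAIL_THRESHOLD = 5             # failures before a success that count as a red flag (assumed)
TRAVEL_WINDOW_HOURS = 4        # two countries inside this window is "impossible travel" (assumed)
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59; privileged logins outside this are flagged (assumed)


def parse_log(text):
    """Turn the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, country, priv = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ok": result == "OK", "country": country,
                       "priv": priv == "yes"})
    return events


def find_indicators(events):
    """Return (indicator, user, detail) tuples in chronological order."""
    alerts = []
    fails = defaultdict(int)   # consecutive failures per user
    last_ok = {}               # user -> (timestamp, country) of last successful login
    for e in sorted(events, key=lambda e: e["ts"]):
        user = e["user"]
        if not e["ok"]:
            fails[user] += 1
            continue
        # Log-in red flag: a burst of failures immediately followed by a success
        if fails[user] >= FAIL_THRESHOLD:
            alerts.append(("login_red_flag", user, f"{fails[user]} failures before success"))
        fails[user] = 0
        # Geographical irregularity: logins from two countries too close together
        if user in last_ok:
            prev_ts, prev_country = last_ok[user]
            hours = (e["ts"] - prev_ts).total_seconds() / 3600
            if prev_country != e["country"] and hours < TRAVEL_WINDOW_HOURS:
                alerts.append(("geo_irregularity", user,
                               f"{prev_country}->{e['country']} in {hours:.1f}h"))
        last_ok[user] = (e["ts"], e["country"])
        # Privileged account anomaly: an admin login outside business hours
        if e["priv"] and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("privileged_offhours", user, e["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in find_indicators(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the script raises one alert of each kind: alice's five failures followed by a success, bob's US-to-DE logins half an hour apart, and svc_admin's 02:30 login. The thresholds are the part a team tunes to its own baseline; the structure (track state per account, compare each new event against it) is the same for a real SIEM rule.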

Improve Detection and Response by Using Indicators of Compromise

Monitoring for indicators of compromise enables organizations to better detect and respond. It also means that if a company has been compromised, they can more quickly identify the security incident.

There’s a push in the IT industry to report security incidents in standardized ways. For example, some organizations use frameworks like OpenIOC so they can share indicator information more easily.

One of the most important things in fighting malware and cyberattacks is knowing what indicators of compromise are. Organizations that monitor diligently for indicators of compromise can be a lot more secure.

Malware indicators of compromise

It’s important to be able to detect indicators of compromise, because doing so improves detection accuracy and speed as well as remediation times. Generally speaking, the earlier you detect an attack on your business or organization, the less impact it will have and the easier it is to remediate.

IOCs, especially for recurring attacks, can give an organization insights into how their attackers work. This way organizations will be able to incorporate these new ideas into security tools and cybersecurity policies.


Define Spear Phishing

What is spear phishing? Spear phishing is a targeted attack to steal sensitive information, usually for malicious purposes. The attacker first gathers personal details about the victim, such as their friends, hometown, and employer, then disguises themselves as someone trustworthy in order to obtain sensitive information through spear phishing emails or online messages.

Spear Phishing vs. Phishing

Spear phishing is a specific type of phishing in which the attacker disguises themselves as someone trustworthy and contacts their victims via email or text message.

Unlike spear phishing, ordinary phishing attacks are not personalized to their victims and are usually sent to many recipients at once. The goal of a phishing attack is to get you to click on links in an email or download malware. Spear phishers target specific people and personalize their messages using information about them from public sources such as social media profiles and company websites.


What is spear phishing in cyber security?

Spear-phishing attackers target victims who put personal information on the internet. They might view individual profiles while scanning a social networking site, in order to find an email address or other useful information that they use in their attacks.

Hackers often use spear phishing to gain access to confidential information. They might send people messages that ask for their passwords and account numbers.

Spear Phishing vs Vishing (and other variations)

Smishing, vishing, and spear phishing are all variations on phishing, each employing a different mode of communication or a different targeting strategy. Smishing uses SMS text messages to deceive targets, whereas vishing uses phone calls. Both masquerade as respectable organizations in order to defraud their targets.

These sorts of assaults are used by hackers because they have a greater success rate than traditional techniques of hacking while requiring less knowledge to perform. As a result of these factors, the frequency of phishing, smishing, vishing, and spear-phishing assaults is growing.

How to Avoid a Spear Phishing Attack

  • To reduce your risk of being targeted, do not post anything on social media or online profiles that may attract scammers. Where possible, configure privacy settings so that outsiders can see only limited information about your profile.
  • Use a different password for every account, so that if one is compromised it doesn’t jeopardize the security of all the others.
  • Always keep your software up to date. Security updates help protect you from common attacks.
  • If an organization such as your bank sends you a link in an email and the link text does not match the destination it claims to lead to, or there is any discrepancy in the URL itself, don’t click it; it could lead you into a spear phishing attack. Many attackers use wording like “click here for more information about this offer” when clicking anywhere in the email would take you to another website.
  • When you get an email from a friend asking for personal information, be cautious. If it comes from an address they have not used before, or from a business that exists only through email contact, delete the request.
  • Implement a data protection program at your organization. A data security plan that combines user education with a technical solution will help prevent loss from spear phishing attacks. For midsize companies, DLP software should also be deployed for sensitive areas.
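The link-text check in the list above can be automated on the receiving side, for example in a mail gateway filter. The following is an added example rather than anything from the original page or from SecurityStudio: it parses the HTML body of a message, and for every link whose visible text looks like a URL or domain, compares the domain the reader sees with the domain the href actually points to. The message body and all domains (under the reserved `.test` TLD) are constructed.

```python
"""Flag links whose visible text names a different site than the href (example only)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample email body; every domain is fictional (.test is reserved).
SAMPLE_EMAIL_HTML = """
<p>Dear customer,</p>
<p>Please verify your account at
<a href="http://secure-login.example-attacker.test/verify">https://www.examplebank.test/login</a></p>
<p>Or <a href="https://www.examplebank.test/help">click here for more information</a></p>
<p>Statement: <a href="https://statements.examplebank.test/jan">statements.examplebank.test</a></p>
"""

# Matches link text that looks like a URL or bare domain and captures the host part.
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host):
    """Crude 'same site' key: the last two labels (www.examplebank.test -> examplebank.test).
    A production filter would use the public suffix list instead of this simplification."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def find_mismatched_links(html):
    """Return links whose displayed domain differs from the domain of the real destination."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        m = DOMAIN_RE.match(text)
        if not m:
            continue  # plain wording like "click here"; there is no displayed domain to compare
        shown_host = m.group(1)
        real_host = urlparse(href).hostname or ""
        if registrable_part(shown_host) != registrable_part(real_host):
            findings.append({"shown": shown_host, "actual": real_host, "href": href})
    return findings


if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link shows {finding['shown']} but goes to {finding['actual']}")
```

Only the first link is reported: its text displays the bank's domain while the href leads elsewhere. The "click here" link is not compared because its text names no domain; that case is exactly why the advice above also tells readers to hover over the link and inspect the real URL before clicking.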


What is Data Exfiltration 

Exfiltration means to remove without detection. Data exfiltration is the unauthorized transfer of data from a computer or device. It can be done manually by an individual with physical access to the computer, but it’s also often automated through malicious programming over networks.

In other words, data exfiltration is a form of hacking in which an individual’s or company’s data is copied, transferred, or retrieved from a computer without authorization. It can happen through various techniques, but it typically happens over the internet, by attackers who gain access to networks and machines in order to locate specific information. This is a data exfiltration attack.

Data exfiltration is difficult to detect because it often closely resembles normal network traffic. As a result, companies often don’t realize what has happened until it’s too late and the attackers already have the data.


How Do Hackers Carry Out a Data Exfiltration Attack

A lot of systems suffer data exfiltration because of common, easy-to-crack passwords. Hackers often gain access through remote access applications, or by connecting a removable media device when they have physical access.

Advanced persistent threats (APTs) are one form of cyber attack in which the goal is usually to steal data. These attacks often target specific companies or organizations with a particular agenda, such as accessing restricted information.

Hackers use different techniques to steal from a company. One common technique is social engineering, such as phishing emails with contextually relevant content that persuade the recipient to open them and unwittingly install malware on their computer. Data discovery follows this initial exploit: the attackers identify the data they want by looking for patterns in network traffic and by installing tools such as keyloggers, which capture all keyboard input.

Cybercriminals who successfully steal data may use it to damage your company’s reputation, for financial gain, or sabotage.

Data Exfiltration Prevention

Data exfiltration usually relies on social engineering and on the download of an unknown or suspicious application. To prevent this, companies should take proactive measures by blocking users from downloading such apps without restricting access to the applications they need. Once malware is on a system, it also needs to communicate with command and control servers so that it can receive instructions and send data out, which makes that communication another point at which to detect and block it.

Endpoint Security Techniques Are an Important Part of Data Exfiltration Prevention

The easiest way for hackers to steal data is through endpoints, so it’s important that companies use endpoint detection solutions as the first line of defense against such threats.

Data exfiltration may seem like a preventable process, but the advanced attacks that happen every day in the modern threat landscape require an all-encompassing approach to data protection. A company should make sure it monitors and protects every endpoint on its network.

Indicators of Data Exfiltration

Here’s a brief checklist of indicators that your data is “leaving the building”:

  1. Internal IP addresses that are unknown or have an erroneous IP/MAC address pairing
  2. Unexpectedly large data transfers from one host to another
  3. Data transfers over IPv6 on a network where IPv6 has never been used before
  4. Excessive traffic to unexpected foreign IP addresses
  5. Quick DHCP address swaps with fresh MAC addresses
  6. Creation of new subnets and/or VLANs where none previously existed
  7. Email messages that are larger than usual (hopefully, organizational message size ceilings are modest and are enforced)
  8. Violations of local storage policies (multi-terabyte USB drives are trivial to obtain)
  9. New WiFi hosts, including both APs and non-AP supplicants
  10. Excessive browser uploads or unusual port traffic on VMware hosts
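Several items on this checklist (unknown or mismatched IP/MAC pairings, large host-to-host transfers, unexpected IPv6, and excessive traffic to unexpected external addresses) can be scored from flow records and an asset inventory. The script below is an added example, not part of the original page or of any SecurityStudio product; the inventory, allow-list, thresholds, and flow records are all constructed, and the addresses come from the documentation ranges.

```python
"""Score constructed flow records against several of the exfiltration indicators above (example only)."""
import ipaddress
from collections import defaultdict

# Constructed asset inventory: internal IP -> MAC expected from DHCP/ARP records.
INVENTORY = {
    "10.0.1.10": "aa:bb:cc:00:00:10",
    "10.0.1.11": "aa:bb:cc:00:00:11",
}
# External destinations the business legitimately sends large volumes to (constructed).
ALLOWED_EXTERNAL = {"203.0.113.5"}          # e.g. the backup provider
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024    # 500 MB per source/destination pair (assumed threshold)
IPV6_IN_USE = False                         # this constructed network has never deployed IPv6

# RFC 1918 ranges define "internal" here; ipaddress.is_private is deliberately not used
# because it also treats the documentation ranges used in the sample as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (src_ip, src_mac, dst_ip, bytes_out)
SAMPLE_FLOWS = [
    ("10.0.1.10", "aa:bb:cc:00:00:10", "203.0.113.5", 900 * 1024 * 1024),   # backup job, allowed
    ("10.0.1.11", "aa:bb:cc:00:00:11", "198.51.100.7", 2 * 1024 * 1024),    # small, fine
    ("10.0.1.11", "aa:bb:cc:00:00:11", "198.51.100.7", 700 * 1024 * 1024),  # large and unexpected
    ("10.0.1.99", "aa:bb:cc:ff:ff:99", "10.0.1.10", 1024),                  # unknown internal host
    ("10.0.1.10", "aa:bb:cc:de:ad:10", "10.0.1.11", 4096),                  # wrong IP/MAC pairing
    ("10.0.1.11", "aa:bb:cc:00:00:11", "2001:db8::1", 10 * 1024 * 1024),    # IPv6 never used here
]


def is_internal(ip):
    """True for IPv4 addresses inside the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def find_exfil_indicators(flows):
    """Return (indicator, source, detail) tuples for the checklist items this covers."""
    alerts = []
    outbound = defaultdict(int)  # (src, dst) -> bytes sent to non-allow-listed external hosts
    for src, mac, dst, nbytes in flows:
        # Item 1: unknown internal address, or an IP/MAC pair that disagrees with inventory
        expected_mac = INVENTORY.get(src)
        if expected_mac is None:
            alerts.append(("unknown_internal_host", src, mac))
        elif expected_mac != mac:
            alerts.append(("ip_mac_mismatch", src, f"expected {expected_mac}, saw {mac}"))
        # Item 3: IPv6 traffic on a network that has never used IPv6
        if ipaddress.ip_address(dst).version == 6 and not IPV6_IN_USE:
            alerts.append(("unexpected_ipv6", src, dst))
        # Items 2 and 4: accumulate volume to external destinations outside the allow-list
        if not is_internal(dst) and dst not in ALLOWED_EXTERNAL:
            outbound[(src, dst)] += nbytes
    for (src, dst), total in outbound.items():
        if total >= LARGE_TRANSFER_BYTES:
            alerts.append(("large_external_transfer", src,
                           f"{total // (1024 * 1024)} MB to {dst}"))
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_indicators(SAMPLE_FLOWS):
        print(alert)
```

The 900 MB backup transfer is not reported because its destination is on the allow-list, which is the point of maintaining one: the checklist items are about unexpected transfers, and what counts as expected has to be written down somewhere the detection logic can consult.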


Least Privilege Definition

Let’s start off by answering, “what is the principle of least privilege?”

The principle of least privilege is the idea that any user, program, or process should have only the minimum privileges necessary to do its job. For example, a salesperson’s account created for pulling records from a database doesn’t need admin rights, and an employee who regularly updates old lines of code doesn’t need access to financial records. That is the principle in a nutshell.



Least Privilege Access

The principle of least privilege means giving employees only the access they need to do their job. In an IT environment, it reduces risk by preventing attackers from gaining access to sensitive systems or data.

Least Privilege Policy

The principle of least privilege can be applied to everything in an IT environment. It applies to end users and to the system itself, as well as to every other facet of cybersecurity.

  • With the principle of least privilege, an employee who only needs to enter information into a database should be granted as few privileges as possible. If malware infects that employee’s computer, or if he or she clicks on a link in a phishing email, the damage is limited to making entries into that particular system and not others.
  • If a MySQL account used by a web form is given only read and sorting privileges, and not the ability to delete records, then an attacker who exploits that form is limited in what they can do.
  • With just-in-time least privilege, someone who only needs root privileges occasionally works with the least access possible the rest of the time, and retrieves the root credentials from a password vault as needed. This increases traceability and security.

Least Privilege Example Failures

Implementing the principle of least privilege helps protect organizations from being hacked.

  • Edward Snowden was able to leak millions of NSA files because he had admin privileges, though his highest-level task was creating database backups. The principle of least privilege has been in place since the Snowden leaks; 90% of employees no longer have higher-level access.
  • Target exposed themselves to hackers by not following the principle of least privilege. They had a very wide attack surface because they gave too many people access.
  • Malware that is limited to just one part of the system can be contained by limiting its privileges.
  • The principle of least privilege also helps system stability by limiting the effects changes can have on other parts of a computer.
  • When a system is built on least privilege, it can reduce the scope of audits. It also makes compliance easier, because many regulations call for POLP implementation.

Best Practices for Least Privilege (How to Implement POLP)

  • Make sure that all accounts, processes, and programs have only the permissions they need to do their jobs.
  • Start with the least privilege possible, and only add higher-level privileges as you need them.
  • Separate admin accounts from standard ones, and divide system functions into at least two groups.
  • Give people just enough privileges to get the job done, but no more than they need. If you do have to grant someone higher-level access on one occasion, make sure it’s revoked afterward.
  • Limit the damage by making individual actions traceable. This can be done with individual user IDs, one-time passwords, or monitoring.
  • Make it a routine. Regularly checking for old permissions, accounts, and processes prevents anyone from accumulating privileges they no longer need.
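The last two practices, revoking one-off elevations and routinely checking for privileges nobody needs any more, are easiest to keep up when they are a script rather than a memory. Below is an added example, not part of the original page or of any SecurityStudio product, of such a periodic audit: each account's granted privileges are compared against a baseline for its role, temporary elevations are checked against their expiry date, and accounts unused for a long time are reported. The role baselines, privilege names, accounts, and dates are all constructed.

```python
"""Routine least-privilege audit over a constructed account inventory (example only)."""
from datetime import date

# Constructed role baselines: the privileges each job actually needs.
ROLE_BASELINE = {
    "sales":     {"db:read:customers"},
    "developer": {"repo:write", "ci:trigger"},
    "dba":       {"db:read:*", "db:write:*", "db:admin"},
}
STALE_AFTER_DAYS = 90          # assumed policy: unused this long means the account should go
TODAY = date(2024, 6, 1)       # fixed so the audit output is reproducible

# Constructed account inventory. "temporary" maps a one-off elevation to the date it
# was supposed to be revoked.
ACCOUNTS = [
    {"name": "alice", "role": "sales",
     "granted": {"db:read:customers"}, "last_used": date(2024, 5, 30)},
    {"name": "bob", "role": "developer",
     "granted": {"repo:write", "ci:trigger", "db:admin"},
     "temporary": {"db:admin": date(2024, 5, 1)}, "last_used": date(2024, 5, 29)},
    {"name": "svc_report", "role": "sales",
     "granted": {"db:read:customers", "db:write:*"}, "last_used": date(2024, 1, 15)},
    {"name": "dana", "role": "dba",
     "granted": {"db:read:*", "db:write:*", "db:admin"}, "last_used": date(2024, 5, 31)},
]


def audit(accounts, baseline, today=TODAY):
    """Return (finding, account, detail) tuples for excess, expired and stale privileges."""
    findings = []
    for acct in accounts:
        temp = acct.get("temporary", {})
        still_valid = {p for p, expiry in temp.items() if expiry >= today}
        # One-off elevation that should already have been revoked but is still granted
        expired = {p for p, expiry in temp.items() if expiry < today and p in acct["granted"]}
        for priv in sorted(expired):
            findings.append(("expired_temporary_grant", acct["name"], priv))
        # Anything granted beyond the role baseline that is not an approved, unexpired elevation
        excess = acct["granted"] - baseline[acct["role"]] - still_valid - expired
        if excess:
            findings.append(("excess_privilege", acct["name"], sorted(excess)))
        # Accounts nobody has used for longer than policy allows accumulate risk for no benefit
        idle_days = (today - acct["last_used"]).days
        if idle_days > STALE_AFTER_DAYS:
            findings.append(("stale_account", acct["name"], idle_days))
    return findings


if __name__ == "__main__":
    for finding in audit(ACCOUNTS, ROLE_BASELINE):
        print(finding)
```

On the sample inventory the audit reports bob's expired one-off admin grant, the write privilege that svc_report was given but its role never required, and that svc_report has not been used in 138 days. Expressing required privileges as a per-role baseline is what makes the check repeatable: the baseline is reviewed when the job changes, and everything else is measured against it.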


If you’re a manager in IT or Information Security, I’m sure you’ve already heard the phrase many times, “It’s not IF you’ll be breached, but WHEN.” In which case, you know that you need to do “something” to better prepare your organization for the possibility of a breach and how to respond, but how?

There are two immediate steps you and your organization can take:

1) Complete a risk assessment to identify your organization’s most vulnerable processes and

2) Prepare an Incident Response Team.

Complete a Risk Assessment

Until recently, completing a risk assessment on your organization either cost a lot of money, or required a skilled professional to complete. While there are other free tools available, in most cases the S2Org Risk Assessment is going to be the fastest and most effective way to get a complete view of your organization’s cyber security posture overall, and where your organization is the most vulnerable to a cyber security breach.

Based on the security assessment criteria used by information security consulting firm FRSecure for over 10 years, S2 Org is designed to identify the greatest risks to your organization’s information overall. The assessment allows you to quickly identify the weaknesses in your organization’s human-run processes, physical controls, and technical controls. Because S2 Org updates scores immediately based on your responses it enables you to complete a broad, high-level assessment, or to really dive deep into the controls at your organization by involving multiple people in the assessment process. A well-informed IT Director (or similar) at a small-to-mid sized organization could potentially complete the assessment in a couple hours, quickly enabling your organization to identify where you’re most vulnerable to attack, and thus most likely to experience a breach to your information.

At the completion of the assessment, your organization will receive an overall score as well as a score for each of the four phases (Administrative, Physical, Internal Technical, External Technical). S2 scoring is based on a scale of 300-850 (modeled after the credit score), with 300 being rated as Very Poor (High Risk), and 850 Excellent (Low Risk). Additionally, because of the way that S2 Org is divided into four control group phases, you can complete an assessment on any one of those groups independently and provide reporting immediately based on the results.


Equipped with the results of your risk assessment you’ll be able to develop a plan to address your most severe vulnerabilities to help prevent or reduce the impact of that impending breach, as well as to better equip and prepare your Incident Response Team to respond.

Prepare an Incident Response Team

While you don’t have to complete a risk assessment before you prepare your Incident Response Team, it will help you better select the appropriate people with the best skills suited to respond to the type of breach that your organization would be most impacted by.

An Incident Response Team is a group of individuals responsible for managing the organization’s response to an information security incident. An information security incident is defined as: A suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with Information Resources or operations; or a significant violation of policy. For example, incidents may include:

  • Violation of company policy
  • Attempts to gain unauthorized access to the organization’s systems or information
  • Denial of service to the organization’s systems or services
  • Unauthorized use of company systems
  • Loss of confidential or private information

No matter the size or industry, your organization should develop at least a basic Incident Response Plan (IRP) with the appropriate people identified to respond. Lack of a good communication plan is one of the primary reasons that so many organizations fail at responding to a breach. At a minimum your plan needs to identify how customers, personnel, and other sources of information will report potential incidents to your team, and who within your organization is responsible for managing your organization’s response.

The primary goal of your Incident Response Team (IRT) is a quick and appropriate reaction to a potential or actual breach. At a minimum, your team should have an Incident Response Commander. This person takes overall responsibility for the incident response program and the IRT’s response activities. They ensure that there is a plan and that it will be effectively executed when an incident occurs.

Other IRT members may hold the following roles:

  • Privacy officer – familiar with privacy laws and requirements for the organization concerning the information it manages
  • Security officer – familiar with security obligations of the organization concerning the systems it manages
  • Legal Counsel – familiar with legal and contractual obligations of the organization
  • Public Relations manager – oversees the development of any customer or public communications
  • Financial Officer – able to make funds available for response activities
  • Technology Manager – manages the technology team engaged in response activities
  • Facilities Manager – manages facilities involved in response activities

Ideally your IRT should consist of 6-8 people, depending on the size of the organization; a small company’s IRT may consist of a few people with multiple responsibilities, where a large enterprise’s IRT may consist of key decision makers across multiple regions. Regardless of the size, a communication plan needs to be established ahead of time, and all team members need to be aware of the organization’s definition of an incident and appropriate response in order to achieve its response objectives.

Realistically, no organization can protect themselves from every possible type of threat to their information and systems. The best way to prepare your organization is to identify and address its most vulnerable processes and be prepared to react when a breach does occur.
