Think of it like a home security system. Unlock the door, punch a code, and there’s no problem, right? But when a window is forced or a lock broken, your system is designed to tell the occupants that someone is either in the house who shouldn’t be there, or on their way in.
That’s essentially what an Indicator of Compromise (IOC) is, only an IOC comes into play when there’s suspicious activity indicating a cybersecurity breach. The breach might have already taken place, or the activity could be a warning sign of a security threat that needs to be addressed. In a perfect world, this “red flag” activity can then be pinpointed and isolated to minimize any impact. This is especially critical with a malware attack: a common cybersecurity threat involving malicious software designed to do damage, from taking down systems and programs to cracking open secure files and data.
How to identify Indicators of Compromise
Circling back to our analogy about home security, that intruder has already broken in when the security system goes off. The goal is to alert you to the problem and deter any further criminal activity.
Similarly, an IOC raises a red flag once a cybersecurity issue is already in play or has already occurred. In fact, many cybersecurity professionals refer to it as “forensic data.” It can provide clues about how a crime was committed, highlights unusual activity, exposes vulnerabilities, and helps you avoid future malware infections and attacks.
This is yet another example of why it’s crucial to have cybersecurity protection, training, and protocols in place, including a security team that is actively monitoring your network and systems for anomalies.
Examples of Common Indicators of Compromise
- Unusual network traffic patterns. Inbound traffic is certainly important, but so is outbound traffic: many malware families use sophisticated techniques for exfiltrating data, so it’s equally important to watch for potential indicators in outbound network traffic and for anomalies in network traffic overall.
- Multiple failed login attempts, especially on privileged accounts. Everybody forgets a password now and then, but this can still be a warning sign of a brute force attack.
- A spike in file requests, particularly involving numerous requests for the same file.
- Network traffic from geographic areas that are far outside the norm.
- Discovering compressed files in strange locations within your network, or unknown files (never touch unattended luggage, right?).
- Abnormal HTML response sizes. If an HTML response is typically small, then suddenly balloons, it can be a warning sign of an exfiltration. In other words, someone is leaving with a larger amount of data than they should be.
- Irregular DNS requests, specifically from subdomains with very long names.
- System file changes that are outside the norm.
- A sudden change in settings.
- Unusual account behaviors.
- A spike in database reads can be another sign of an exfiltration. Attackers are trying to access that data, resulting in a “swelling” of activity at a certain point.
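To make a few of the indicators in this list concrete, here is a small scanner that runs three of them over sample log records: a burst of failed logins on a privileged account, a DNS query with an unusually long leftmost label, and an HTTP response far larger than the baseline for the same path. This is an added example written for this page, not code from Teltek or from the original post; the log records are constructed, and the field layout, thresholds (5 failures in 5 minutes, a 30-character label, 10 times the per-path median) and the `PRIVILEGED` account set are assumptions a real deployment would tune to its own baseline.

```python
"""Toy IOC scanner over constructed log records (added example, not from the
original post). Field layouts and thresholds are assumptions, not vendor defaults."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# --- constructed sample logs (not real data) --------------------------------
AUTH_LOG = [
    # (timestamp, account, result)
    ("2024-05-01T09:00:00", "jsmith", "success"),
    ("2024-05-01T09:01:00", "admin", "fail"),
    ("2024-05-01T09:01:05", "admin", "fail"),
    ("2024-05-01T09:01:10", "admin", "fail"),
    ("2024-05-01T09:01:15", "admin", "fail"),
    ("2024-05-01T09:01:20", "admin", "fail"),
    ("2024-05-01T09:01:25", "admin", "success"),
    ("2024-05-01T10:30:00", "jsmith", "fail"),
]
PRIVILEGED = {"admin", "root"}  # assumed list of high-value accounts

DNS_LOG = [
    # (timestamp, client, queried name); the last label is a made-up 38-char hex string
    ("2024-05-01T09:05:00", "10.0.0.5", "www.example.com"),
    ("2024-05-01T09:05:01", "10.0.0.5", "mail.example.com"),
    ("2024-05-01T09:06:00", "10.0.0.7",
     "4a6f686e2044617461204578666c2030303031.update.example-cdn.net"),
]

HTTP_LOG = [
    # (timestamp, client, path, response bytes)
    ("2024-05-01T09:10:00", "10.0.0.5", "/api/report", 2100),
    ("2024-05-01T09:11:00", "10.0.0.5", "/api/report", 1950),
    ("2024-05-01T09:12:00", "10.0.0.6", "/api/report", 2300),
    ("2024-05-01T09:13:00", "10.0.0.8", "/api/report", 2050),
    ("2024-05-01T09:14:00", "10.0.0.7", "/api/report", 48_000_000),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def failed_login_bursts(log, window=timedelta(minutes=5), threshold=5):
    """Flag accounts with >= threshold failed logins inside a sliding window."""
    fails = defaultdict(list)
    for ts, account, result in log:
        if result == "fail":
            fails[account].append(parse_ts(ts))
    hits = []
    for account, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append({"account": account, "failures": end - start + 1,
                             "privileged": account in PRIVILEGED})
                break  # one alert per account is enough
    return hits


def long_dns_labels(log, max_label=30):
    """Flag queries whose leftmost label is unusually long (a tunnelling sign)."""
    hits = []
    for ts, client, name in log:
        label = name.split(".")[0]
        if len(label) > max_label:
            hits.append({"client": client, "name": name, "label_len": len(label)})
    return hits


def response_size_outliers(log, factor=10):
    """Flag responses more than `factor` times the median size for that path."""
    by_path = defaultdict(list)
    for ts, client, path, size in log:
        by_path[path].append(size)
    hits = []
    for ts, client, path, size in log:
        base = median(by_path[path])  # median is robust to the outlier itself
        if size > factor * base:
            hits.append({"client": client, "path": path, "bytes": size,
                         "baseline": base})
    return hits


def scan_all():
    """Run every detector and return the findings grouped by indicator type."""
    return {
        "failed_logins": failed_login_bursts(AUTH_LOG),
        "dns": long_dns_labels(DNS_LOG),
        "http": response_size_outliers(HTTP_LOG),
    }


if __name__ == "__main__":
    for kind, hits in scan_all().items():
        for h in hits:
            print(f"[{kind}] {h}")
```

Each detector compares current activity against a baseline (a time window, a typical label length, the median response size for a path) rather than matching a fixed signature, which is what turns a raw log into an indicator: the single failed `jsmith` login and the ordinary DNS lookups stay silent, while the `admin` burst, the long hex label and the 48 MB response are reported.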
It’s also critical to watch for Indicators of Attack (IOA) as an extra level of security. This is a more proactive measure, deterring cyber attacks that are actively in progress. Think of it as a three-pronged approach to protecting your networks and data: defensive security measures, monitoring for malicious activity, and mining information from IOCs that help expose weak points and prevent a future security incident.
What’s the takeaway for your business or organization?
It bears repeating: vigilance is essential at every checkpoint, including cybersecurity awareness for your team. You could have the best defenses and security professionals in the world, but if an employee engages with a phishing email the door is opened wide to malware and compromised data. Start with grassroots training and basic security protocols.
Have more questions about cybersecurity? Contact us at Teltek! We specialize in IT services and solutions, helping businesses and organizations implement the best systems for their specific needs.