Indicators of Compromise Defined
Indicators of Compromise (IoCs) are the evidence that a cyber-attack has taken place. IoCs give valuable information about what has happened, but they can also be used to prepare for the future and to prevent similar attacks. Antimalware software and similar security technologies use known indicators of compromise, such as a virus signature, to proactively guard against evasive threats. Indicators of compromise can also be used in heuristic analysis.
How Do Indicators of Compromise Work?
When a malware attack takes place, traces of its activity can be left in system and log files. These IoCs reveal activity on your network that you may not otherwise be able to see in real time and that could suggest potentially malicious activity is taking place. If a security breach is identified, the IoCs, or "forensic data", are collected from these files by IT professionals. Modern antimalware systems use known indicators of compromise to detect malware infections, data breaches and other security threat activities in their early stages, so organizations can be proactive in preventing attacks and protecting data and IT systems.
Examples of Indicators of Compromise
Security breaches can take many different guises: strange network patterns, unusual account behavior, unexpected or unexplained configuration changes and unknown new files on systems can all indicate a breach.
Here are some of the more common IoCs in operation today:
Unusual Outbound Network Traffic
One of the most common telltale signs of a security breach is anomalies in network traffic patterns and volumes. In addition to analyzing the traffic that comes into your network, you should also be monitoring what leaves it. Changes in outbound traffic can indicate that an attack is in progress on your network. The best approach is to monitor all activity on your network - both inbound and outbound.
Geographical Irregularities
If you have ever received an email from your email provider warning you that your mailbox has been accessed from another country, you will understand what a geographical irregularity is and how useful this kind of indicator of compromise can be for securing your data and personal information.
Imagine then, how valuable IoCs that monitor geographical irregularities can be for business. These irregularities in access and log-in patterns can provide useful evidence that attackers are pulling strings from another country or continent.
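To make the geographical-irregularity IoC concrete, here is an added example (not code from the original article) that checks constructed login records against a trusted baseline and flags two patterns: a login from a country the user has never used, and two different countries for the same user within one hour. The record format, the sample users and countries, and the one-hour window are all assumptions for illustration.

```python
# Added example: detect "geographical irregularity" IoCs in login records.
# Each record is assumed to be (ISO timestamp, user, country code).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: a trusted baseline window, then a period under review.
BASELINE = [
    ("2024-03-01T09:00:00", "alice", "US"),
    ("2024-03-02T09:05:00", "alice", "US"),
    ("2024-03-01T08:50:00", "bob", "DE"),
    ("2024-03-03T08:55:00", "bob", "DE"),
]
REVIEW = [
    ("2024-03-08T09:01:00", "alice", "US"),
    ("2024-03-08T09:40:00", "alice", "BR"),  # new country, 39 minutes after a US login
    ("2024-03-08T08:58:00", "bob", "DE"),
    ("2024-03-09T22:10:00", "bob", "CN"),    # new country, no nearby login
]


def build_baseline(records):
    """Map each user to the set of countries seen during the trusted window."""
    seen = defaultdict(set)
    for _, user, country in records:
        seen[user].add(country)
    return seen


def find_geo_anomalies(baseline, records, window=timedelta(hours=1)):
    """Return (user, timestamp, country, reasons) for logins that look wrong.

    Reasons: "unknown-country" when the country is outside the user's baseline,
    "rapid-country-change" when the user's previous login was from a different
    country less than `window` earlier (faster than real travel allows).
    """
    hits = []
    last = {}  # user -> (timestamp, country) of their previous login
    for ts, user, country in sorted(records, key=lambda r: r[0]):
        reasons = []
        if country not in baseline.get(user, set()):
            reasons.append("unknown-country")
        prev = last.get(user)
        if prev and prev[1] != country and \
                datetime.fromisoformat(ts) - datetime.fromisoformat(prev[0]) <= window:
            reasons.append("rapid-country-change")
        if reasons:
            hits.append((user, ts, country, reasons))
        last[user] = (ts, country)
    return hits


if __name__ == "__main__":
    for hit in find_geo_anomalies(build_baseline(BASELINE), REVIEW):
        print(hit)
```

In practice the baseline would be learned from a longer history and the country would come from a GeoIP lookup on the source address, but the two checks stay the same.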
Anomalies with Privileged User Accounts
Being able to access an account with high privileges is like striking oil for an attacker. They will usually do this by leapfrogging onto accounts with administrative privileges or by escalating the permissions on accounts they already have access to. Changes in account activity, such as the volume of information accessed or altered, or the type of system accessed, are good IoCs to monitor.
A Substantial Rise in Database Read Volume
Most organizations store their most confidential and personal data in database format. For this reason, your databases will always be a prime target for attackers. A spike in database read volume is a good indicator that an attacker is attempting to extract your data.