Indicators of Compromise (IOCs) are forensic data IT professionals use to detect malicious activity. They are defined as “pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.” By setting up IOCs to monitor, a firm can act quickly to prevent or mitigate cyber-attacks in their early stages.
Because IOCs are early red flags for activity that may turn out to be malicious, they are not easy to detect. IOCs can be as simple as a piece of unusual metadata or as complex as detecting sophisticated malicious code. A firm's cyber risk analysts must be able to piece together various IOCs to catch a potential threat, or even an attack in progress.
So what IOCs can you set up and detect for your firm?
Darkreading.com provides the Top 15 IOCs:
- Unusual Outbound Network Traffic
- Anomalies in Privileged User Account Activity
- Geographical Irregularities
- Log-In Red Flags
- Increases in Database Read Volume
- HTML Response Sizes
- Large Numbers of Requests for the Same File
- Mismatched Port-Application Traffic
- Suspicious Registry or System File Changes
- Unusual DNS Requests
- Unexpected Patching of Systems
- Mobile Device Profile Changes
- Bundles of Data in the Wrong Place
- Web Traffic with Unhuman Behavior
- Signs of DDoS Activity
Once you know to look out for these IOCs, here are some best practices:
- Regularly collect and correlate IOCs in real time: this allows security teams to discover recurring patterns of specific IOCs.
- Log the patterns: this is useful to you and your IT community for improving threat detection.
- Update security tools and policies to protect against future attacks as well.
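As an added illustration of the "collect and correlate" best practice (example code written for this page, not taken from the article or Dark Reading), here is a toy Python correlator that runs three detectors drawn from the Top 15 list above over constructed log events and alerts only when several independent IOCs fire for the same user. The event format, thresholds, user names and sample values are all assumptions.

```python
# Added example, not from the article: toy IOC correlator over constructed events.
from collections import Counter, defaultdict
import math

# Constructed sample events, not real data: (timestamp_s, user, kind, detail)
EVENTS = [
    (100, "alice", "login_fail", "203.0.113.5|US"), (101, "alice", "login_fail", "203.0.113.5|US"),
    (102, "alice", "login_fail", "203.0.113.5|US"), (103, "alice", "login_ok", "203.0.113.5|US"),
    (900, "alice", "login_ok", "198.51.100.9|BR"),           # second country 13 minutes later
    (905, "alice", "dns", "a9x3k2q8z1m4p7v6b0.example.net"),  # long, high-entropy DNS label
    (200, "bob", "login_ok", "192.0.2.7|US"), (300, "bob", "dns", "mail.example.com"),
]

def shannon_entropy(s):  # bits per character; an all-distinct string scores highest
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def login_red_flags(events, fails=3, window=60):
    """Log-In Red Flags: `fails` or more failures, then a success, for one user within `window` s."""
    hits, recent = set(), defaultdict(list)
    for ts, user, kind, _ in sorted(events):
        if kind == "login_fail":
            recent[user].append(ts)
        elif kind == "login_ok" and sum(ts - t <= window for t in recent.pop(user, [])) >= fails:
            hits.add(user)
    return hits

def geo_irregularities(events, window=3600):
    """Geographical Irregularities: one user's successful logins from two countries within `window` s."""
    hits, last = set(), {}
    for ts, user, kind, detail in sorted(events):
        if kind == "login_ok":
            country = detail.split("|")[1]
            if user in last and last[user][1] != country and ts - last[user][0] <= window:
                hits.add(user)
            last[user] = (ts, country)
    return hits

def unusual_dns(events, min_len=12, min_entropy=3.5):
    """Unusual DNS Requests: a leftmost label that is both long and high-entropy."""
    return {user for _, user, kind, detail in events
            if kind == "dns" and len(detail.split(".")[0]) >= min_len
            and shannon_entropy(detail.split(".")[0]) >= min_entropy}

def correlate(events, min_iocs=2):
    """Correlate: which IOCs fired per user; alert only when at least `min_iocs` co-occur."""
    per_user = defaultdict(set)
    for detector in (login_red_flags, geo_irregularities, unusual_dns):
        for user in detector(events):
            per_user[user].add(detector.__name__)
    return {u: sorted(n) for u, n in per_user.items() if len(n) >= min_iocs}
```

Calling `correlate(EVENTS)` flags only alice, for whom all three indicators coincide, while bob's single ordinary login and DNS lookup stay below the correlation threshold.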
Note that Indicators of Compromise are different from Indicators of Attack (IOAs). Indicators of compromise answer “what happened?”, while indicators of attack answer “what is happening and why?”
A proactive approach to detection uses both IOAs and IOCs to discover security incidents or threats in as close to real time as possible. Beyond the 15 IOCs above, the key to detecting malicious activity sooner rather than later is to set up indicators for whatever would be unusual for your firm. Always understand what is normal for your firm and keep an eye out for the unusual.