Often, when a cyber breach occurs, organizations have little direct evidence of it. As with a crime in the physical world, investigators look for the traces the criminal or hacker left behind in order to establish that an intrusion took place and to reconstruct its details, on the assumption that the intruder could not have acted without leaving some indicators. Indicators of compromise (IoCs), as the name suggests, are the artifacts that show with high confidence that a system has been intruded upon; they constitute the proof of intrusion.
The reason such evidence is missing usually lies in inadequate data collection and weak network security before the breach, or in an insufficient search for information after it. Often the evidence is present but is overlooked for lack of knowledge or expertise. With careful research and the right expertise, even the smallest fragment of data can reveal the source of the intrusion.
The data provided by indicators of compromise can also be used to prepare for the future: analysis reports prepared by experts help prevent similar attacks. Well-known indicators of compromise, such as virus signatures, are used by anti-malware software and other security technologies to proactively guard against evasive threats.
Working methodology of IoC
After a security attack has occurred, traces of the activity can be found in system and log files. Indicators of compromise can therefore be used to build a report of the activities performed on a network, detail that is otherwise not available to analysts in real time and that points to potentially malicious activity. When a security breach is identified, IT professionals collect the IoCs, or "forensic data", from these reports.
Modern anti-malware systems use well-known indicators of compromise to detect malware infections, data breaches and other security threats at an early stage, so that organizations can be proactive in preventing attacks and protecting their data and IT systems.
Types of Indicators of Compromise
Indicators of compromise are usually regarded as the forensic artifacts of the security world, and they fall into three basic categories:
- Atomic IoC
These are elements or fragments of data that cannot be broken down any further. An atomic indicator of compromise could be a hostname, an IP address, an email address, a process name, a file name, or a text string such as an SSN or a credit card number. Such a forensic detail is a single piece of information that was part of the intrusion.
- Computed IoC
These are values derived by computation from data involved in the attack or breach. Examples of this category are the MD5 hash of a malware sample, statistics, and regular expressions.
- Behavioral IoC
These are essentially a combination of atomic and computed IoCs. A behavioral indicator consists of multiple atomic or computed IoCs that were used together as part of an intrusion, and so represents a kind of signature of the attack.
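To make the three categories concrete, here is an added example (not code from the original article) of a minimal matcher that applies atomic IoCs (exact values), computed IoCs (a hash and a regular expression) and a behavioral IoC (a required combination of the other two on one host) to a handful of constructed events. All indicator values, hostnames, addresses and the behavioral rule are constructed for the demonstration.

```python
"""Minimal IoC matcher illustrating atomic, computed and behavioral indicators.
Added example; every indicator value and event below is constructed."""
import hashlib
import re
from dataclasses import dataclass

# Atomic IoCs: single values that cannot be broken down further (constructed).
ATOMIC_IOCS = {
    "ip": {"203.0.113.45"},                         # documentation-range address
    "hostname": {"update-check.example.invalid"},
    "process_name": {"svch0st.exe"},
}

# Computed IoCs: values derived by computation. The MD5 is computed here from a
# constructed payload so the example stays self-contained.
SAMPLE_PAYLOAD = b"constructed malicious payload for demonstration"
COMPUTED_IOCS = {
    "md5": {hashlib.md5(SAMPLE_PAYLOAD).hexdigest()},
    # Constructed beacon URL pattern: /gate.php?id=<8 hex characters>
    "url_regex": [re.compile(r"/gate\.php\?id=[0-9a-f]{8}$")],
}

# Behavioral IoC: a combination of atomic and computed hits on the same host.
BEHAVIORAL_RULE = {
    "name": "dropper_then_beacon",
    "requires": {("computed", "md5"), ("atomic", "process_name"),
                 ("computed", "url_regex")},
}


@dataclass
class Event:
    host: str
    process: str = ""
    dst_ip: str = ""
    dst_host: str = ""
    url: str = ""
    file_bytes: bytes = b""


def match_atomic(ev):
    """Exact-value comparison against the atomic indicator sets."""
    hits = []
    if ev.dst_ip in ATOMIC_IOCS["ip"]:
        hits.append(("atomic", "ip", ev.dst_ip))
    if ev.dst_host in ATOMIC_IOCS["hostname"]:
        hits.append(("atomic", "hostname", ev.dst_host))
    if ev.process in ATOMIC_IOCS["process_name"]:
        hits.append(("atomic", "process_name", ev.process))
    return hits


def match_computed(ev):
    """Derive a value (hash) or apply a pattern (regex) and compare."""
    hits = []
    if ev.file_bytes:
        digest = hashlib.md5(ev.file_bytes).hexdigest()
        if digest in COMPUTED_IOCS["md5"]:
            hits.append(("computed", "md5", digest))
    if ev.url:
        for rx in COMPUTED_IOCS["url_regex"]:
            if rx.search(ev.url):
                hits.append(("computed", "url_regex", rx.pattern))
    return hits


def evaluate(events):
    """Return per-host atomic/computed hits and the hosts matching the behavioral rule."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev.host, []).extend(match_atomic(ev) + match_computed(ev))
    behavioral = []
    for host, hits in per_host.items():
        kinds = {(category, name) for category, name, _ in hits}
        if BEHAVIORAL_RULE["requires"] <= kinds:
            behavioral.append((host, BEHAVIORAL_RULE["name"]))
    return per_host, behavioral


# Constructed events: ws01 shows the full dropper-then-beacon chain, ws02 is
# clean, ws03 only resolves a known-bad hostname.
EVENTS = [
    Event(host="ws01", process="svch0st.exe", file_bytes=SAMPLE_PAYLOAD),
    Event(host="ws01", dst_ip="203.0.113.45", url="/gate.php?id=1a2b3c4d"),
    Event(host="ws02", dst_ip="198.51.100.7", url="/index.html"),
    Event(host="ws03", dst_host="update-check.example.invalid"),
]

if __name__ == "__main__":
    per_host, behavioral = evaluate(EVENTS)
    for host, hits in per_host.items():
        print(host, hits)
    print("behavioral matches:", behavioral)
```

Note that the behavioral rule fires only for ws01, where the atomic and computed hits co-occur; ws03 produces an isolated atomic hit, which is exactly the kind of weaker signal that needs corroboration before it is treated as proof of intrusion.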
At an organizational level, indicators of compromise can be monitored at several levels, some of which are described by Ericka Chickowski in a report:
- Unusual Outbound Network Traffic
- Anomalies in Privileged User Account Activity
- Geographical Irregularities
- Log-In Red Flags
- Increases in Database Read Volume
- HTML Response Sizes
- Large Numbers of Requests for the Same File
- Mismatched Port-Application Traffic
- Suspicious Registry or System File Changes
- Unusual DNS Requests
- Unexpected Patching of Systems
- Mobile Device Profile Changes
- Bundles of Data in the Wrong Place
- Web Traffic with Inhuman Behavior
- Signs of DDoS Activity
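Several of the items in the list above are observable directly from flow and web-server logs. The following added example (not from the original article or the cited report) implements three of them, mismatched port-application traffic, large numbers of requests for the same file, and unusual outbound network traffic, as simple heuristics over constructed records. The flow records, access records, per-host baselines and the thresholds are all assumptions chosen for the demonstration.

```python
"""Three list items from the text as log heuristics. Added example; all records,
baselines and thresholds are constructed."""
from collections import Counter, defaultdict

# Constructed flow records: (src_host, dst_ip, dst_port, app_protocol, bytes_out)
FLOWS = [
    ("ws01", "198.51.100.10", 443, "tls", 12_000),
    ("ws01", "198.51.100.10", 443, "tls", 15_000),
    ("ws02", "198.51.100.11", 443, "tls", 9_000),
    ("ws03", "203.0.113.9", 443, "ssh", 80_000_000),   # ssh carried over 443, large upload
    ("ws04", "198.51.100.12", 53, "dns", 2_000),
    ("ws04", "203.0.113.20", 53, "http", 5_000),        # http on the DNS port
]

# Constructed web-server access records: (client_ip, path)
ACCESS = (
    [("192.0.2.5", "/login.php")] * 3
    + [("192.0.2.77", "/backup.zip")] * 25
    + [("192.0.2.8", "/index.html")]
)

# Constructed per-host daily outbound baseline in bytes (would come from history).
BASELINE_BYTES = {"ws01": 30_000, "ws02": 20_000, "ws03": 25_000, "ws04": 10_000}

# Application protocol normally expected on each well-known port.
EXPECTED_APP_FOR_PORT = {443: {"tls"}, 80: {"http"}, 53: {"dns"}, 22: {"ssh"}}


def mismatched_port_traffic(flows):
    """Flows whose application protocol is not the one expected on the destination port."""
    return [
        f for f in flows
        if f[2] in EXPECTED_APP_FOR_PORT and f[3] not in EXPECTED_APP_FOR_PORT[f[2]]
    ]


def repeated_file_requests(access, threshold=20):
    """(client, path, count) for any client fetching one path more than `threshold` times."""
    counts = Counter(access)
    return [(client, path, n) for (client, path), n in counts.items() if n > threshold]


def unusual_outbound_volume(flows, baseline, factor=10):
    """Hosts whose total outbound bytes exceed `factor` times their baseline."""
    totals = defaultdict(int)
    for src, _dst, _port, _app, bytes_out in flows:
        totals[src] += bytes_out
    return sorted(
        host for host, total in totals.items()
        if host in baseline and total > factor * baseline[host]
    )


def run_checks(flows=FLOWS, access=ACCESS, baseline=BASELINE_BYTES):
    """Run all three heuristics and return their findings keyed by list item."""
    return {
        "mismatched_port_application_traffic": mismatched_port_traffic(flows),
        "large_numbers_of_requests_for_same_file": repeated_file_requests(access),
        "unusual_outbound_network_traffic": unusual_outbound_volume(flows, baseline),
    }


if __name__ == "__main__":
    for item, findings in run_checks().items():
        print(f"{item}: {findings}")
```

Each check on its own is a weak signal; what makes ws03 stand out here is that it appears in two of them at once (a non-TLS protocol on 443 together with an outbound volume thousands of times its baseline), which is the kind of corroboration an analyst looks for before escalating.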
Benefits of IoCs
IoCs are crucial for sharing threat information and help organizations determine whether their security has been breached by an incident. Sharing them not only gives insight into the organization's own security posture but also gives other organizations a detailed picture of how such attacks unfold and alerts them to their own vulnerabilities. It is therefore recommended to share IoCs with peers when a security breach has occurred in your organization.