An Indicator of Compromise (or IoC for short) is any piece of forensic evidence that a cyber-attack has taken place. IoCs are the clues that security experts and security software alike look for in order to establish that a system has been compromised. Research indicates that the majority of IoCs go undetected for months, if not years. With every tick of the clock, your business risks sustaining further damage to its customers, reputation, and finances. How to identify indicators of compromise has therefore become a key question for an organization’s safety and stability.
In this digital age, businesses have to get better at detecting old and new threats and taking remedial action sooner.
What are the Most Common Indicators of Compromise?
The first step in identifying an indicator of compromise is to know what to look for.
Corporate endpoints have proven to be exceedingly vulnerable and attractive targets. According to a recent Cisco report, the following attacks are the most detected:
- Fileless attacks
- Dual-use tools
- Credential dumping attacks
- RATs (Remote Access Trojans)
- Banking Trojans
Attackers use these stealthy techniques to stay under the radar for longer periods as an APT (advanced persistent threat). This entails maintaining undetected access inside a victim’s organization in order to wait for opportunities or to slowly leech information.
How to Identify Indicators of Compromise?
As most attacks involve programs executed on a computer, they all leave certain traces of their presence. In the recent past, these were mostly executable or DLL files stored on the hard drive, which made them easier to detect.
However, obfuscating techniques have grown increasingly sophisticated. Some malware loads directly into memory, leaving no physical files behind. Others go to great lengths to package their files or scramble their code in order to avoid signature detection by antivirus software.
Still, even stealthy malware like this leaves traces in its run-time behavior or in its effects. The list below covers some of the most common Indicators of Compromise:
Unfamiliar and Suspicious Network and Filesystem Artefacts
Suspicious or unfamiliar new network and filesystem objects are the clearest IoCs. They can be spotted either on disk in your filesystem or by monitoring running programs. The most common extensions used by malware are .exe, .dll, and .bat; however, any type of executable, library, or configuration file is a candidate for impersonation. A common file or task name with an atypical extension, such as svchost with a .com extension, can be an indicator of compromise.
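The following is an added example (not code from the original article) that applies the impersonation heuristic above to a list of file paths: a well-known Windows process name such as svchost appearing with an atypical extension, or outside the directory it normally lives in, is flagged. The list of system binaries and their expected directories is an assumption for illustration.

```python
"""Flag file paths whose name impersonates a core Windows binary.

Heuristic used here (assumed, not from the article): a well-known system
process name such as svchost that appears with an atypical extension
(svchost.com) or outside its usual directory is a candidate IoC.
"""
from pathlib import PureWindowsPath

# Names malware commonly impersonates, with the directory they normally
# live in (assumed list; SysWOW64 copies are ignored for brevity).
KNOWN_SYSTEM_BINARIES = {
    "svchost": r"C:\Windows\System32",
    "lsass": r"C:\Windows\System32",
    "csrss": r"C:\Windows\System32",
    "explorer": r"C:\Windows",
}


def check_path(path):
    """Return the reasons a path looks suspicious (empty list if clean)."""
    p = PureWindowsPath(path)
    stem = p.stem.lower()
    reasons = []
    if stem not in KNOWN_SYSTEM_BINARIES:
        return reasons  # not a system binary name, out of scope
    if p.suffix.lower() != ".exe":
        reasons.append(f"{stem} with atypical extension {p.suffix}")
    expected = KNOWN_SYSTEM_BINARIES[stem]
    if str(p.parent).lower() != expected.lower():
        reasons.append(f"{stem} outside expected directory {expected}")
    return reasons


def scan(paths):
    """Map each suspicious path to its list of reasons."""
    return {path: r for path in paths if (r := check_path(path))}


# Constructed sample of observed paths (not real telemetry).
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\alice\AppData\Local\Temp\svchost.com",
    r"C:\Windows\System32\lsass.exe",
    r"C:\ProgramData\explorer.exe",
    r"C:\Program Files\Vendor\app.exe",
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_PATHS).items():
        print(path, "->", "; ".join(reasons))
```

Feed it the paths from a file-creation or process-start log export and review anything it returns; a clean system should produce an empty result.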
Antivirus software usually maintains a database of previously detected suspicious files to easily identify and remove malicious programs. However, with more sophisticated obfuscating techniques, new malware, and the growing prevalence of fileless attacks, it is not a foolproof detection method.
Suspicious Outbound Traffic, IPs, Domains, and URLs
To steal data or download additional packages, malware needs to connect with an external host at some point from the compromised system. Other types of attacks such as DDoS or man-in-the-middle attacks are perpetrated over a network. Looking for any type of abnormal behavior, such as out-of-the-ordinary connection or data transfer volumes, can help identify trouble.
Hexadecimal IPs (e.g., http://80D00297) in place of typical domain names in the format “domain.com” can be another clue. Packets should also be scrutinized to detect IP spoofing, using a strong firewall or other verification strategies. Plenty of IP reputation platforms and suspicious-IP directories exist that can be cross-referenced to determine the trustworthiness of a specific IP.
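As an added example (not from the original article), the script below decodes the hexadecimal host form quoted above, http://80D00297, back to a dotted-quad address so it can be checked against an IP reputation list; it also goes beyond the article's example by handling the 0x-prefixed hex and all-digit decimal "dword" forms of the same address. The sample URLs are constructed.

```python
"""Decode hex- or decimal-encoded IPv4 hosts in URLs to dotted-quad form.

Added example, not from the article.  Assumed heuristic: a URL host that
is eight hex digits (the article's http://80D00297 form), a 0x-prefixed
hex number, or an all-digit 32-bit number encodes an IPv4 address.
"""
import ipaddress
import re
from urllib.parse import urlsplit


def decode_obfuscated_host(host):
    """Return the dotted-quad string if host encodes an IPv4, else None."""
    h = host.lower()
    if h.startswith("0x") and re.fullmatch(r"[0-9a-f]{1,8}", h[2:]):
        value = int(h[2:], 16)           # 0x80d00297
    elif re.fullmatch(r"[0-9a-f]{8}", h) and not h.isdigit():
        value = int(h, 16)               # bare hex as in the article, 80D00297
    elif h.isdigit():
        value = int(h, 10)               # dword form, 2161115799
    else:
        return None                      # ordinary hostname or dotted quad
    if value > 0xFFFFFFFF:
        return None                      # too large to be an IPv4 address
    return str(ipaddress.IPv4Address(value))


def flag_urls(urls):
    """Return [(url, decoded_ip)] for every URL whose host is an encoded IP."""
    findings = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        decoded = decode_obfuscated_host(host)
        if decoded:
            findings.append((url, decoded))
    return findings


# Constructed proxy-log sample (not real traffic).
SAMPLE_URLS = [
    "http://80D00297/update.bin",      # form quoted in the article
    "http://0x80d00297/stage2",        # explicit 0x prefix
    "http://2161115799/c2",            # same address as a decimal dword
    "https://www.example.com/login",   # ordinary hostname
    "http://192.0.2.10/ok",            # plain dotted quad, nothing to decode
]

if __name__ == "__main__":
    for url, ip in flag_urls(SAMPLE_URLS):
        print(f"{url} -> host decodes to {ip}")
```

All three encoded forms resolve to 128.208.2.151, which is the value to look up in a reputation service rather than the raw host string.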
Suspicious Mutex Objects
Typically, mutex objects are used by legitimate programs to avoid race conditions and ensure mutually exclusive access to a single resource by multiple threads. Malware often uses mutex objects to coordinate between separate components and to avoid infecting a system more than once. Some known malware families create fixed, recognizable mutex names, allowing them to be detected easily by software or investigators.
There are hundreds of millions of malicious threats in the world, and hundreds of millions more are created every year. We just covered the tip of the iceberg with this list of the indicators of compromise that occur most frequently.
By analyzing your threat landscape, you can maintain a list of indicators of compromise of particular importance to your organization.
Some of these IoCs can be detected on an individual basis by all company stakeholders. That is why cybersecurity education should be an organization-wide investment in your employees. From there, having an IR solution on hand is the best way to act on successful infections and take remedial action.