
What are Indicators of Compromise (IOCs)?

Every action that a user, asset, or application makes on your network leaves a trace of some kind. Security practitioners use digital forensics to piece together evidence and understand how threat actors work. Each individual piece of evidence connected to a particular security incident is called an indicator of compromise.

During the course of an investigation, security personnel may find patterns in the evidence of suspicious activity they uncover. If these patterns match closely with the tactics, techniques, and procedures of a known threat actor, it’s likely that the same actor is responsible for the attack.

That also means it’s likely that whatever response and mitigation strategies worked against that threat in the past may still work now. Having fast, reliable access to up-to-date IOC data can shave significant time off of an organization’s overall response time and help computer security incident response teams (CSIRTs) improve security event outcomes.

How do security teams use IOCs?

By the time a security practitioner detects an IOC, a security breach has probably already occurred. Security analysts use IOCs to quickly detect and investigate unusual activities and contain attacks before they have a chance to spread.

This limits the potential impact to the organization, and provides security team members with valuable context into what kind of attack they may be facing.

Indicators of compromise typically point to specific types of security incidents. Some are so specific they can even reveal the identity of the threat actor behind the attack itself.

The most common IOCs, such as MD5 file hashes, C&C domain connections, and hard-coded IP addresses, have technical details that change constantly. This makes them harder to detect reliably over time and puts pressure on threat intelligence providers to keep updating their feeds with new information.

Common indicators of compromise include:

  • Unusual outbound network traffic. Outbound traffic patterns may indicate the presence of malware or other threats on your network. If a threat actor successfully compromises a network asset, it may try to connect to unusual external resources controlled by the attacker.
  • Unusual privileged user account activity. If attackers compromise privileged user accounts, they will probably try to use them to access sensitive assets. This may require escalating privileges, which could be an indicator of compromise.
  • Irregular location metadata. Incoming login attempts from territories where your organization does not do business may indicate a security risk. Another example would be multiple login attempts made from many different regions in a short period of time, suggesting the use of VPNs or a distributed denial of service (DDoS) attack.
  • Abnormal increases in database read volume. If attackers attempt to exfiltrate data from network assets, you may see a spike in read volume associated with those assets.
  • Unsuccessful login attempts. Legitimate users may fail to log in a few times. If a user makes too many unsuccessful attempts, or tries to log into accounts that don’t exist, it suggests threat actor activity.
  • Large volumes of requests for a single asset. Hackers may try to access the same files over and over again. They may be testing your organization’s access control policies from several different angles, hoping to find one that grants them easy, repeatable access to large volumes of data.
  • Obscure port usage. Applications use ports to transfer data with the network. Threat actors often try to exploit ports that don’t correspond to routine network traffic. The usage of unusual ports may indicate that a threat actor is trying to gain access to the network through an application, or attacking the application itself.
  • Suspicious changes to registry or system files. Malware can make wide-ranging changes to registry and system files. If you see unusual changes made to these files, it may indicate that an attacker has compromised your network.
  • Unusual DNS requests. Before threat actors can use command-and-control (C&C) servers to steal data, disrupt web services, or distribute malware, they must trick a network asset into making a DNS request to the C&C server.

This is not a comprehensive list. Every individual threat comes with its own unique indicators of compromise, and they can change when threat actors change their tactics. Dedicated threat intelligence feeds can help you keep track of IOCs connected to your organization’s unique security risk profile.
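As an added illustration (not code from the original page), the following script applies several of the indicators listed above to a small set of constructed log events: repeated failed logins, logins to nonexistent accounts, logins from regions outside the business footprint, and outbound connections on non-routine ports. The thresholds, user list, regions and port list are assumptions chosen for the example; the region check ignores timing, which a real rule would include.

```python
from collections import Counter, defaultdict

# Constructed sample events: (timestamp, event_type, user_or_host, source, detail)
# For login events `detail` is the region; for outbound events it is the port.
EVENTS = [
    ("10:00:01", "login_fail", "alice", "203.0.113.5", "US"),
    ("10:00:02", "login_fail", "alice", "203.0.113.5", "US"),
    ("10:00:03", "login_fail", "alice", "203.0.113.5", "US"),
    ("10:00:04", "login_fail", "alice", "203.0.113.5", "US"),
    ("10:00:05", "login_fail", "alice", "203.0.113.5", "US"),
    ("10:00:07", "login_fail", "nosuchuser", "203.0.113.5", "US"),
    ("10:01:00", "login_ok", "bob", "198.51.100.7", "DE"),
    ("10:01:30", "login_ok", "bob", "198.51.100.8", "BR"),
    ("10:02:00", "outbound", "srv01", "192.0.2.44", "tcp/4444"),
    ("10:02:10", "outbound", "srv01", "192.0.2.44", "tcp/443"),
]

# Assumed environment baseline (hypothetical values for this example).
KNOWN_USERS = {"alice", "bob", "srv01"}
BUSINESS_REGIONS = {"US", "DE"}
ROUTINE_PORTS = {"tcp/80", "tcp/443", "udp/53"}
FAILED_LOGIN_THRESHOLD = 5

def find_indicators(events):
    """Return a list of (indicator, detail) tuples found in the events."""
    findings = []
    failures = Counter()          # failed logins per account
    regions = defaultdict(set)    # regions each account logged in from
    for _, kind, user, src, detail in events:
        if kind == "login_fail":
            failures[user] += 1
            if user not in KNOWN_USERS:
                findings.append(("login to nonexistent account", user))
        elif kind == "login_ok":
            regions[user].add(detail)
            if detail not in BUSINESS_REGIONS:
                findings.append(("login from unusual region", f"{user}@{detail}"))
        elif kind == "outbound" and detail not in ROUTINE_PORTS:
            findings.append(("outbound on unusual port", f"{src} {detail}"))
    for user, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("excessive failed logins", f"{user} x{n}"))
    for user, seen in regions.items():
        if len(seen) > 1:
            findings.append(("logins from multiple regions", f"{user} {sorted(seen)}"))
    return findings

if __name__ == "__main__":
    for name, detail in find_indicators(EVENTS):
        print(f"[IOC] {name}: {detail}")
```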

How threat hunting teams identify indicators of compromise

When a threat actor targets your organization, they will leave traces of their activity throughout your network and log files. Your threat hunting team will collect and analyze this forensic data and compare it to a database of known IOCs.

If the activity matches a known IOC, the threat hunting team can immediately furnish that information to the rest of the security team. If not, threat hunters will need to scan and analyze the data to find out if it represents a new, previously unreported threat.
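The comparison against a database of known IOCs, and the hand-off of unmatched activity for further analysis, as an added example that is not part of the original page. The IOC feed, actor labels and events are constructed; the feed values are "defanged" (hxxp, [.]) as threat intelligence feeds commonly are, so they must be normalized before matching. The sample hash is the well-known MD5 of an empty file and stands in for a real malware hash.

```python
import re

# Constructed IOC feed with placeholder actor names (hypothetical values).
KNOWN_IOCS = [
    {"type": "domain", "value": "c2-example[.]test", "actor": "EXAMPLE-ACTOR-1"},
    {"type": "ipv4", "value": "192[.]0[.]2[.]44", "actor": "EXAMPLE-ACTOR-1"},
    {"type": "md5", "value": "D41D8CD98F00B204E9800998ECF8427E", "actor": "EXAMPLE-ACTOR-2"},
]

def refang(value):
    """Undo common defanging and normalize case so feed values compare equal to log values."""
    value = value.strip().lower()
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)   # evil[.]test -> evil.test
    value = re.sub(r"^hxxp", "http", value)              # hxxp:// -> http://
    return value

def build_index(feed):
    """Index the feed by (type, normalized value) for O(1) lookups."""
    return {(ioc["type"], refang(ioc["value"])): ioc for ioc in feed}

# Constructed forensic events: (event_type, observed_value, context)
EVENTS = [
    ("domain", "C2-example.test", "dns query from ws-117"),
    ("ipv4", "192.0.2.44", "outbound tcp/4444 from srv01"),
    ("md5", "d41d8cd98f00b204e9800998ecf8427e", "dropped file on ws-117"),
    ("domain", "updates.unknown-vendor.test", "dns query from ws-117"),
]

def triage(events, feed):
    """Split events into known-IOC matches and unmatched items for analyst review."""
    index = build_index(feed)
    matched, unmatched = [], []
    for kind, value, context in events:
        hit = index.get((kind, refang(value)))
        if hit:
            matched.append((context, hit["actor"], hit["value"]))
        else:
            unmatched.append((kind, value, context))
    return matched, unmatched

if __name__ == "__main__":
    matched, unmatched = triage(EVENTS, KNOWN_IOCS)
    for context, actor, ioc in matched:
        print(f"KNOWN   {context}: {ioc} ({actor})")
    for kind, value, context in unmatched:
        print(f"REVIEW  {context}: {kind}={value} (no known IOC, analyze further)")
```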

This is a job for highly trained information security professionals with a specialized skill set. Proactive threat hunters leverage sophisticated technology to analyze enormous volumes of network traffic and isolate unusual activity.

The most advanced threat hunting professionals add emerging technologies like artificial intelligence and machine learning and create highly automated workflows. This expands their capabilities so they can meet the needs of large organizations with complex attack surfaces, and improves the accuracy of the results they obtain.

Why monitoring for indicators of compromise is important

Many managed security vendors offer proactive threat hunting as a service. This allows the organization’s security team to reliably detect attacks with known indicators of compromise early on in the attack cycle.

When security teams have highly effective threat hunting processes in place, they gain the ability to improve detection accuracy and speed overall. This leads to faster remediation times and lowers the overall risk associated with security incidents.

Being able to catch unauthorized activity early on is vital to preventing catastrophic losses due to unexpected security incidents. Organizations that invest in proactive threat hunting can detect and respond to indicators of compromise earlier than those that wait for threat actor activities to trigger an alert.

Additionally, IOC data gives analysts insight into the latest tactics, techniques, and procedures threat actors use to compromise their targets’ systems. When properly analyzed, this kind of data can provide valuable guidance for future security investments, incident response capabilities, and cybersecurity policies.

What about Indicators of Attack (IOAs)?

IOAs are similar to IOCs, and the terms are sometimes used interchangeably. However, the two concepts are distinct. IOAs provide evidence of in-progress cyberattacks and actively explore threat actor identities and motivations.

By contrast, IOCs help security teams understand what events took place during a security incident. This information can provide context into active attacks and even reveal the attacker’s identity, but IOCs are not designed specifically for this purpose.

In general, IOAs are used during an active attack, while IOCs examine what happened after the attack has already occurred.

How MDR vendors use IOC data to improve operational security

IOCs help security teams remediate data breaches and provide context into potential future attacks. They can also inform security policies in a few valuable ways:

  • Contextualizing prioritization. IOCs provide analysts with valuable context they can use to gain a clear picture of attacker behavior. They can use this data to improve the prioritization of future security events, identifying high-risk, high-impact activities to focus on first.
  • Addressing fatigue with automation. Highly automated security operations centers (SOCs) can leverage IOCs to create automated detection and response playbooks that launch the moment unusual activity is detected. This frees up individual analysts to focus on higher-impact strategic work.
  • Customized alerts and monitoring. Understanding the way IOCs look in your particular organization’s tech stack can help your security team build highly specific and deeply customized detection rules for identifying future attacks.
