Skip to main content

What are Indicators of Compromise? IOC Explained

Published on:
.
13 min read
.
For German Version

Security breaches may take a variety of forms, including unexpected files on the system, odd network patterns, odd account activities, and inexplicable settings. By using the Indicators of Compromise, cybersecurity teams may spot malicious activities and security risks, such as data breaches, insider threats, and malware attacks.

Indicators of compromise, or IoCs, are indicators and proof of a data breach that is often discovered after a cyber attack. These signs may disclose if an attack has occurred, what tools were used, and who is responsible.

After discovering questionable behavior, investigators may automatically or manually collect IOCs as part of the organization's cybersecurity monitoring capabilities. Indicators of compromise are often acquired through software, such as antivirus and antimalware systems; for a better understanding, think of them as breadcrumbs left by an attacker during a cybersecurity attack. This data may be utilized to assist in mitigating an ongoing attack or resolving an existing security problem, as well as to construct "smarter" systems that can identify and quarantine questionable files in the future.

Unfortunately, IOC monitoring is reactive, which implies that if an organization discovers an indication, it is very likely that it has already been hacked. However, if the event is ongoing, the rapid identification of an IOC might assist in restricting attacks early in the attack lifecycle, hence reducing their effect on the organization.

As cyber criminals grow more competent, it has gotten increasingly difficult to identify symptoms of penetration. The most prevalent indicators of compromise, such as an md5 hash, C2 domain or hardcoded IP address, registry key, and filename, change often, making detection more difficult.

In this article, we will cover indicators of compromise, including the advantages of being able to identify compromised systems, common examples of IOCs, and the types of anomalies you should look for to identify a compromised system to safeguard your network from future attacks.

What are Indicators of Compromise in Cybersecurity?

Data that suggests a system may have been compromised by a cyber attack is referred to as indicators of compromise, or IOCs for short. After a data breach or any breakdown in security, they supply the cybersecurity teams with critical insights.

IOCs are used by computer security incident response teams (CSIRTs) for the purpose of detecting malware, improving the security of sandbox environments, and validating the efficacy of heuristic analysis. They may also be used to detect and prevent attacks, or they can be used to restrict the harm done by attacks by halting them earlier in the process.

How Do IoCs Work?

IOCs serve as flags that cybersecurity experts use to identify anomalous behavior that either is proof of an attack or has the potential to lead to an attack in the future. IOCs may be broken down into a number of subcategories. Some consist of simple components like metadata, while others have more involved components like the intricate coding of dangerous material.

When a piece of malware infects a computer, it may leave behind evidence of its activities in the form of log files and inside the operating system itself. In the event that a security breach is discovered, the indicators of compromise, often known as "forensic data", are gathered from these files by IT specialists. These hints may be utilized to establish whether or not a data breach has taken place or whether an attack has been launched against the network. The identification of indicators of compromise (IOCs) is done nearly completely by qualified information security specialists. In most cases, these individuals make use of sophisticated technology in order to scan, analyze, and single out questionable activity occurring over enormous networks.

Combining human resources with advanced technological solutions (such as AI, ML, and other forms of intelligent automation) is the most effective approach to cybersecurity because it allows for better detection of abnormal activity and increases the amount of time available for response and remediation.

It is typically beneficial for information security experts to collect many indicators of compromise (IOCs) and then check to see if there is a pattern between them that indicates the specifics of a prospective attack.

Why Your Organization Should Monitor for Indicators of Compromise?

Indicators of compromise detection are a critical component of any complete cybersecurity plan. IOCs may aid in enhancing detection precision and quickness, as well as remediation durations. The sooner a company detects an attack, the less of an effect it will have on the business and the simpler it will be to remediate.

In certain instances, companies do not track and monitor the appropriate resources. This carelessness puts them vulnerable to an adversary who, after an investigation, may evade discovery. Monitoring indications of compromise allows companies to identify and react more effectively to security breaches. Collecting and correlating IOCs in real-time enables enterprises to uncover security issues that may have gone unreported by other technologies and offers the resources required to conduct a forensic investigation of occurrences. If security teams uncover trends or recurrences of certain IOCs, they may adjust their security tools and procedures to guard against future attacks.

Indicators of compromise are essential in the fight against malware and cyberattacks. Although they are reactive in nature, businesses that constantly monitor for IOCs and stay abreast of the newest IOC findings and reports may greatly enhance their detection rates and reaction timelines.

IOCs, particularly repeated ones, offer a company insight into its attackers' approaches and methods. As a result, businesses may implement these insights into their security tools, incident response capabilities, and cybersecurity policies to avoid repeat incidents.

Real-time collection of IoC data points helps minimize reaction time during an inquiry. SIEMs are used to distinguish between noise and important information necessary for identifying an attack and its exploit pathways. In addition to shortening the duration of an investigation, documenting existing incident response processes may lower the time required to conduct one. After a compromise, these methods should be reevaluated in an effort to enhance them.

The last stage in incident response is the "lessons learned" phase. During this phase, IoCs may be used to determine whether cybersecurity safeguards were improperly designed or insufficient to deter an attacker. The more comprehensive an organization's records and audit trails are, the more successful its investigation is during incident response.

What Are the Types of IoC?

IoCs may be divided into two categories:

  • Network-based Indicators: These pertain to all aspects of the network connection. The website's URL is a dangerous sign. Domain names may sometimes be considered compromise indicators. In a possible infection scenario, all queries for a certain domain might be redirected to a malicious website. IP addresses may serve as URL substitutes. For instance, they may be included in malicious programs to download second-stage malware. Examples:

    • URL Address

    • Domain name

    • IP addresses

  • Host-based Indicators: The second significant group consists of host-based indicators, which are computer system artifacts. Windows malware utilizes specific places to run automatically, even after a machine restart. File hashes are a unique form of indication. These allow us to distinguish files depending on their contents. Examples:

    1. File Extention
    2. File Location
    3. File Name
    4. Path
    5. File Fingerprint or Hash

What is IOC and Types of IOC

Figure 1. What is IOC and Types of IOC

IoC Lifecycle

Before using IoCs, they must be identified, evaluated, shared, and deployed. When a recorded activity is found and associated with an IoC, this detection initiates a response by the defender, which may involve an investigation, possibly resulting in the discovery, evaluation, sharing, and deployment of more IoCs. This cycle is repeated until it is decided that the IoC is no longer relevant, at which point it is removed from the control space.

  1. Discovery: IoCs are often identified for the first time via human inquiry or automated analysis. They may be found in a variety of locations, including networks and endpoints. Either they must be recovered from logs tracking protocol execution, code execution, or system activities (in the case of hashes, domain names, IP addresses, and network or endpoint artifacts), or they must be discovered via analysis of attack activity or tools. In some instances, discovery may be a reactive process in which IoCs from prior or ongoing attacks are discovered based on traces left behind. Nonetheless, discovery may also be the consequence of a proactive search for probable future IoCs derived from previous occurrences (such as identifying attacker infrastructure by monitoring domain name registration patterns).

    Importantly, for an IoC to be detected, the indication must be able to be extracted from the internet protocol, tool, or technology. Identifying a specific protocol run linked with an attack is of minimal use if indications cannot be retrieved and correlated with a future related run of the same or different protocol. If the source or destination of malicious attack traffic cannot be determined, it will be impossible to detect and stop further attack traffic.

  2. Assessment: Different IoCs may be treated differently by defenders based on the IoCs' quality and the defender's demands and skills. Depending on its source, freshness, confidence level, or related danger, defenders may put varying amounts of trust in indicators of compromise. These judgments are based on contextual information retrieved at the time of discovery or supplied when the IoC was shared.

    An IoC devoid of context is of little use for network defense. In contrast, an IoC delivered with context (such as the threat actor it relates to, its role in an attack, the last time it was observed in use, its expected lifetime, or other related IoCs) enables a network defender to make an informed decision about how to use it to protect their network, such as whether to merely log it, actively monitor it, or outright block it.

  3. Sharing: Once identified and evaluated, IoCs are most useful when widely disseminated so that several people and organizations may protect themselves. IoCs may be shared individually (with the appropriate context) in an unstructured manner, or packaged with many other IoCs in a standardized format, such as Structured Threat Information Expression [STIX], for distribution via a structured feed, such as one implementing Trusted Automated Exchange of Intelligence Information [TAXII], or via a Malware Information Sharing Platform [MISP].

    While some security companies and membership-based organizations (often referred to as Information Sharing and Analysis Centres (ISACs)) provide paid intel feeds containing indicators of compromise (IoCs), numerous free IoC sources are accessible, ranging from individual security researchers to small trust groups to national governmental cyber security organizations and international Computer Emergency Response Teams (CERTs). Using the Traffic Light Protocol [TLP], sharers often specify the degree to which receivers may further distribute IOCs. This signifies that the recipient may share with anybody (TLP WHITE), share within the designated sharing community (TLP GREEN), share inside their organization (TLP AMBER), or not share with anyone outside the original unique IoC exchange (TLP RED) (TLP RED).

  4. Deployment: In order for IoCs to offer defense-in-depth, which is one of their primary strengths, and therefore be able to deal with many points of failure, they should be placed in control of monitoring networks and endpoints through solutions with sufficient privilege to act on them. Wherever IoCs exist, they must be made accessible to security controls and accompanying equipment so they may be rapidly and extensively implemented. Although IoCs may be manually evaluated after discovery or reception, there are considerable benefits to automatically ingesting, processing, evaluating, and delivering IoCs from logs or intelligence feeds to the relevant security controls.

  5. Detection: Upon detecting IoCs in monitored logs, security controls with deployed IoCs trigger a generic or particular response.

  6. Response: The response to the discovery of an IoC may vary based on variables such as the capabilities and configuration of the control in which it is deployed, the IoC's assessment, and the attributes of the log source in which it was identified. A connection to a known botnet C2 server, for instance, may signal an issue but does not always imply one, especially if the server is a compromised host performing other legal activities. Common responses include event logging, alert generation, and blocking or terminating the activity source.

  7. End of Life: Variables such as initial confidence level, fragility, and accuracy of the IoC affect the length of time an IoC is useful. In certain instances, IoCs may be 'aged' automatically based on their original features and will thus reach their end of life at a specified period. In other instances, IoCs may become invalidated owing to a change in the threat actor's TTPs (tactics, techniques, procedures) or as a consequence of a defender's remediation efforts. End of life may also result from actions unrelated to attack or defense, such as when an attacker's third-party service changes or goes down. To limit the chance of false positives, IoCs should be removed from detection at the end of their life, regardless of the reason.

IOC Lifecycle

Figure 2. IOC Lifecycle

What are Examples of Indicators of Compromise?

When a company is a target or victim of a cyberattack, the cybercriminal will leave evidence of their activities in the system and log files. The threat hunting team collects digital forensic evidence from these files and systems in order to evaluate whether or not a security threat or data breach has happened or is in progress.

Identification of IOCs is performed nearly solely by qualified information security specialists. Frequently, these professionals use sophisticated equipment to scan and analyze vast quantities of network data and to identify suspicious activities.

The most successful cybersecurity strategies combine human resources with modern technical solutions, such as AI, ML, and other kinds of intelligent automation, to better identify aberrant behavior and shorten the time required for reaction and remediation.

Enterprise companies should be able to recognize and examine certain typical IoCs. Some symptoms of compromise are summarized below:

  • Anomali on outbound network traffic: Anomalies in the patterns and amounts of network traffic are one of the most prevalent indicators of a security compromise. Although preventing network intrusions is getting more challenging. According to some experts, it may be simpler to monitor outbound traffic for possible indicators of compromise. Unusual outbound network traffic may be observed when an intruder attempts to harvest data from your network or when an infected device sends information to a command-and-control server.

  • Huge spike in database read volume: The majority of businesses save their most sensitive and personal information in the database. Consequently, their databases will always be an attractive target for attackers.

    An increase in database read volume is a strong sign that an intruder is attempting to access your data. When the hacker tries to extract the whole credit card database, a large quantity of reading volume will be generated, which will be far greater than typical for credit card table reads.

  • A series of authentication failures: Automated authentication using phished credentials is used by attackers in account takeovers. A high rate of authentication attempts may suggest that someone has stolen credentials and is searching for a network-accessible account.

  • Multiple requests for the same file at a high frequency: Hackers often make several requests for the files they are attempting to steal from their targets. If the same file is being asked several times, this might suggest that a hacker is trying out a variety of different approaches to obtaining the data in the hopes of finding one that is successful.

  • Unusual geographically-based activity: If, for instance, your whole corporate activity is situated in London, UK, you should be astonished to find a user connecting to your network from another location, particularly one with a poor reputation for international cybercrime.

    Monitoring IP addresses on the network and their origins is a straightforward method for detecting cyber threats before they may do significant harm to your firm.

  • Mismatched Port - Application Traffic: During the execution of an attack, attackers may use cryptic ports to their advantage. Applications send and receive data with a network via the usage of ports. If a port that is not typically utilized is being communicated over, this may suggest that an adversary is trying to get into the network through the program or to interfere with the application itself.

  • Suspicious changes to the Registry or Other System Files: In many cases, malicious software will contain code that will modify your registry or other system files. An indicator of possible IOC behavior is the presence of unusual changes. The creation of a baseline may make it simpler to recognize alterations that have been made by attackers.

  • DNS Request Anomalies: Command-and-control servers, often known as C&C servers, are frequently used by hackers in the process of infecting a network with malware. The command and control server issues orders that may include instructions to steal data, disrupt online services, or infect the system with malware. An indication of compromise (IOC) may be present if there are unusual queries made to the Domain Name System (DNS), in particular those that originate from a specific host.

    Additionally, the geolocation of the queries may assist information technology teams in identifying possible problems, particularly in the event that the DNS request originates from a place in which genuine users are not generally located.

  • Unexplained Activity by Privileged User Accounts: Complex cyberattacks, such as advanced persistent threats, often infect low-privileged user accounts before raising their rights and authorizations or exposing the attack vector to higher-privileged accounts.

    When security personnel see unusual activity emanating from privileged user accounts, this may indicate internal or external attacks on the organization's systems and data.

  • Numerous demands for crucial documents: Without a highly privileged account, an attacker must investigate several resources and identify the appropriate vulnerability to get access to data. When attackers discover indications that an exploit may be effective, they often use a variety of launch methods.

  • Indicators of DDoS attacks: These attacks occur when a hostile actor attempts to disable a service by flooding it with traffic and requests via a botnet, a network of remotely controlled machines.

    DDoS attacks are regularly used as smokescreens to conceal other, more damaging attacks. Slow network performance, inaccessibility of websites, firewall failure, and back-end systems operating at maximum capacity for unclear reasons are indicators of a DDoS attack.

  • Unusual configuration modifications: Changing settings on files, servers, and devices might provide an attacker with a second backdoor into the network. Changes may introduce weaknesses that malware might exploit.

  • HTML Response Sizes: If the average response size in Hypertext Markup Language (HTML) is quite tiny, but you discover a response size that is much bigger than usual, this might be an indication that data has been exfiltrated. As a consequence of the enormous amount of data being communicated to the adversary, the size of the HTML response is increased.

How to Use IOCs Effectively

IoCs provide cyber defenders with several changes as part of a contemporary defense-in-depth approach. IoCs can offer an effective, scalable, and efficient defense mechanism against attack classes from the most recent threats or particular incursion sets that have occurred in the past, regardless of the size of the organization. Here are the principles for using IOCs effectively in your network:

  • IoCs support and enable the current defense-in-depth strategy's numerous levels: IoCs are used by Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) to detect and mitigate network-wide threats. Antivirus (AV) and Endpoint Detection and Response (EDR) systems provide IoCs to all supported client endpoints through catalogs or libraries. Security Incident and Event Management (SIEM) Platforms evaluate IoCs against aggregated logs from network, endpoint, and application sources. Obviously, IoCs do not solve all attack defense problems, but they are a crucial component of any organization's layered defense. Some forms of IoC may be implemented across all of these controllers, while others may be limited to specific levels. Moreover, IoCs pertinent to a particular kill chain may only represent activities undertaken during a certain phase, necessitating the addition of additional IoCs or methods to provide full coverage of the kill chain as part of an incursion set.

    Open source malware, for instance, may be deployed by several actors, each using their own TTPs and infrastructure. Nevertheless, if the actors utilize the same executable, the hash stays the same, and this IoC may be used in endpoint protection to prevent execution independent of the actor, infrastructure, or other TTPs. If this defense fails in a specific scenario, such as if an actor recompiles the executable binary to produce a unique hash, other defenses can prevent them from advancing further in their attack, such as by blocking known malicious domain name look-ups and preventing the malware from communicating with its C2 infrastructure.

    Alternately, another malicious actor may alter their tools and infrastructure often throughout campaigns, but their access routes may stay constant and well-known. In this instance, this access TTP may be identified and preemptively fought against, even if the future action is unknown. For instance, if their access vector frequently exploits a software vulnerability, regular and enterprise-wide patching may prevent the attack. In the event that these preventative measures fail, additional indicators of compromise identified over numerous campaigns may be able to thwart the attack at subsequent stages of the kill chain.

  • IoCs may be used even with little resources: IoCs are affordable, scalable, and simple to implement, which makes their usage especially advantageous for smaller organizations, particularly when they are exposed to substantial danger. Without access to a well-resourced, mature defensive team and the threat intelligence partnerships required to conduct resource-intensive investigations, small organizations may implement IoCs to provide a basic level of protection against known threats. One explanation for this is that IoCs do not need as much training as subjective controls, such as those based on human interpretation of reported machine learning events. In this approach, a significant element of the attractiveness of IoCs is that they may provide protection to organizations across a range of resource capacity, complexity, and maturity.

  • IoCs have a multiplier impact on offensive and defensive efforts: Individual IoCs may offer effective, scalable protection for large populations of defenders. Within a single organization, blocking a single IoC may protect thousands of users, and this blocking can be conducted across various security controls by monitoring several forms of network, endpoint, and application activities. While identifying a single IoC might be laborious, if disseminated through well-established channels, a single IoC can protect thousands of organizations and, by extension, all of their users.

    Multiple organizations might profit not just from directly receiving shared IoCs, but also from the IoCs' application in the services they use. Individual organizations may monitor, detect, and deploy IoCs quickly and efficiently in the event of an ongoing phishing attack. However, if they are disseminated rapidly through a mechanism such as a protective DNS filtering service, they may be much more successful; an email campaign may be neutralized before certain organizations' subscribers open the link or before some malicious payloads can reach out for instructions. Without further effort, third parties may be safeguarded using these methods.

  • IoCs can be simply shared: IoCs can be easily shared for two main reasons: firstly, they are textual and therefore frequently exchanged in emails, blog posts, and technical reports; and secondly, standards such as OpenIOC, MISP Core, and STIX provide well-defined formats for sharing large collections or regular sets of IoCs along with all the associated content. IoCs may be shared among systems administrators, from small to huge companies and from vast teams to single people, so that they can all build network security.

  • IoCs may give considerable time savings: Sharing IoCs can save time by preventing duplication of inquiry efforts, but implementing them automatically at scale is also effortless for many businesses. When the automated deployment of IoCs is effective, organizations and users get comprehensive protection with minimum human interaction and low effort, which is a primary objective of attack defense. The capacity to do so at scale and speed is typically essential when reacting to nimble threat actors whose incursion sets may vary frequently, as do the relevant IoCs. In contrast, safeguarding a large enterprise network without the automated deployment of IoCs might require manually updating each endpoint or network device to the same security state regularly and reliably. This necessitates expert analysts and engineers due to the intricacy of the ensuing tasks, which include discovering assets and devices, polling for logs and system information, and manually examining patch levels. When deploying IoCs on a large scale, it is still necessary to expend effort to eliminate false positives, but the cost and effort involved can be significantly less than the work involved in manually updating all endpoint and network devices, especially on legacy systems that may be particularly difficult or impossible to update.

  • IoCs enable the recognition of past attacks: A network defender may employ freshly obtained indicators of compromise (IoCs) in combination with historical data, such as DNS query logs or email attachment hashes, to seek indications of a previous intrusion. This method not only helps to establish a clear picture of prior intrusions but also enables the retroactive mitigation of any previous intrusion's impacts.

  • IoCs may be related to certain dangers: Deployment of many current security mechanisms, such as firewall filtering or EDR, entails a trade-off between protection breadth and different costs, including the danger of false positives, staff time, and pure cash expenses. Organizations may use threat modeling and information assurance to analyze and prioritize the risk posed by detected threats, as well as to choose how they will mitigate or accept each one. Contextual information that ties IoCs to specific threats or actors and is provided with the IoCs helps organizations target their defenses against particular risks, giving them the technological flexibility and capacity to choose their risk posture and defense techniques. Producing this contextual information prior to publishing IoCs may require considerable analytic work, in addition to the use of specialized tools and training. At its most basic, it may comprise recording sets of IoCs from different occurrences of the same attack campaign, for example, from several unique payloads (and hence separate file hashes) from the same source and connecting to the same C2 server. Clustering comparable TTP combinations seen throughout numerous campaigns over time is a more complex method. This may be used in conjunction with thorough malware reverse engineering and target profiling, overlayed with geopolitical and criminal context, to infer attribution to a single threat actor.

What is the Difference Between Indicators of Compromises (IoCs) and Indicators of Attack (IoAs)?

Indicators of attack are distinct from indicators of compromise because their primary emphasis is on determining the activities that are connected to an attack while it is still occurring. On the other hand, the primary focus of IOCs is to determine what occurred after an attack has already taken place. While IOAs help answer queries such as "What is occurring and why?" Indicators of compromise assist in answering the question, "What occurred?" A proactive method of detection uses both IOAs and IOCs to identify security issues or threats as nearly in real-time as feasible.

The main distinctions between indicators of compromise (IoC) and indicators of attack (IoA) are as follows:

  • IOAs are Discovered Ahead of Potential Data Breaches: The order in which they occurred in the chronology of the cyberattack is the major distinction between the two. IOAs occur prior to a data breach; hence, the security incident might be intercepted and averted if incident responses are triggered in a timely way. This is due to the fact that IOAs occur before a data breach.

  • IOAs are Dynamic, while IOCs are static: The traces left behind by cyberattacks are consistent over time. All of the components of a cyberattack, such as backdoors, connections to command and control servers (C&C), IP addresses, event logs, and hashes, stay the same and offer the critical threat information to assist security teams in defending against future attacks.

    The data provided by the IOA, on the other hand, is dynamic since the movements of cybercriminals are dynamic. A hacker has to go through a number of different stages of an attack and switch between a number of different attack strategies before a data breach may take place.

  • IOA Date is Monitored Continuously and Real-Timely: It is necessary to monitor IOA data in real-time since the data will vary as an attacker moves through the various stages of the cyberattack lifecycle.

    IOA data could indicate how a network was breached, the backdoors that were established, and the privileged credentials that were compromised. This information assists security teams in intercepting a cyberattack as it is developing, which in turn reduces the amount of time an attacker has to dwell within a system.

    The use of IOAs consequently supports a proactive approach to cybersecurity, as opposed to the usage of IOC, which is employed in reactive forensics-driven solutions.

Last updated on by Zenarmor