To confirm cyberattack occurrences and build or enhance cyber-defense strategies, threat intelligence teams use a lot of information, including Indicators of Compromise (IoCs). These IoCs are actually forensic data that are critical in:
The relevance of IoCs cannot be downplayed, but they're not all that’s needed in building an effective cybersecurity strategy. In this article, we’ll explore indicators of compromise, their types, and their relevance to threat intelligence teams.
Let’s begin!
Indicators of compromise are behaviors or data that show that a data breach, intrusion, or cyberattack has occurred. Their presence indicates a vulnerability within a system, network, or domain. The primary purpose of IoCs is to help analyze security events after they occur. Post-event analysis is an important tool during threat hunting.
In their book, Identity Attack Vectors, authors Morey Haber and Darran Rolls describe exactly what IoCs can identify:
Experts say three conditions can define something as an IoC:
IoCs can point you to the tools used in carrying out the attack, the different touch points the attacker or malware passed through, and the result of the intrusion.
Let's look at the three popular IoC types.
Importantly, the challenge of detecting various types of IoCs and the consequences of detecting them differ depending on the adversary. The Pyramid of Pain illustrates the difficulty and impact levels across IoC types. The concept was developed by threat expert David Bianco in 2013. Bianco explains its origins:
"This simple diagram shows the relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them."
Think of the Pyramid of Pain as a framework for "the effective use of Cyber Threat Intelligence in threat detection operations, with a particular emphasis on increasing the adversaries' cost of operations."
IoCs come in several forms. Here are some of the more common IoCs known to the cybersecurity community:
Abnormal outbound network traffic. A high or unusual amount of traffic from your server could be a sign of command and control (C2) communication. This could be traffic from an internally compromised system to an external C2 communication center.
Importantly, this could indicate the presence of malware or data exfiltration — with data loss the major consequence of this IoC.
Large number of unsuccessful login attempts. Unsuccessful user logins are a daily occurrence. In certain instances, however, these failed logins indicate a malicious character using fake credentials to log into a system. The reasons could be to:
Activity from an unexpected location. Be suspicious of network activities from a region your system is not used to. Often, real hacking attempts come from unknown locations or faked/changed IP addresses.
Unexpected software update. An unexpected software update that happens without authorization from system administrators indicates a breach in a system’s security.
An attacker may implant an unusual application that, if not eliminated, will execute malicious code through a software update.
Suspicious registry changes. The Windows registry houses sensitive information like:
Constant registry modification potentially signals an attacker creating a system for executing malicious code.
HTML response sizes. The size of an HTML response is a rough measure of how much information a web server returned during an interaction. A higher-than-usual HTML response size is a red flag, since it could indicate data exfiltration or malicious code hidden within an HTML response.
Increase in database read volume. Frequent access to a database that spikes up its read volume could indicate an unauthorized attempt to access and extract sensitive data — like financial data or customer records — from a database.
Geographical irregularities. Network traffic from IPs belonging to a different country with no business relevance can be a sign of malicious activity. Similarly, a huge amount of outgoing traffic to a country where your organization has no business can indicate exfiltration.
Login attempts from a different location than the legitimate user's location can indicate that someone is trying to access the account. If you see multiple failed login attempts, then it could indicate a brute-force attack.
Unusual DNS requests. DNS requests involving malicious domains can indicate that a system has been infected with malware. High amounts of DNS queries could be a sign of data exfiltration and communication with command and control servers. Attackers can also use DNS tunneling to bypass security measures.
(Related reading: DNS security.)
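Several of the indicators listed above (failed-login bursts, abnormal outbound volume, and suspicious DNS query patterns) are behavioral rather than atomic, so they are found by counting and comparing events rather than by matching a single value. The following Python script is an added example, not code from the original article or from Splunk: it runs three small detectors over constructed sample logs. The log formats, hosts, and thresholds are all invented for the example and would be tuned per environment in practice.

```python
"""Added example: behavioral IoC detectors over constructed sample logs.

Assumptions (not from the article): the 'ts kind k=v ...' log format, the
hosts, and the thresholds below are invented for illustration.
"""
import re
import statistics
from collections import Counter

# --- Constructed sample logs (invented for this example) ---------------------
AUTH_LOG = """\
2024-05-01T10:00:01 auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T10:00:02 auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T10:00:03 auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T10:00:04 auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T10:00:05 auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T10:00:06 auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T10:00:09 auth user=bob src=10.0.0.7 result=FAIL
2024-05-01T10:00:10 auth user=bob src=10.0.0.7 result=OK
"""

FLOW_LOG = """\
2024-05-01T10:05:00 flow src=10.0.0.5 dst=203.0.113.10 bytes_out=1200
2024-05-01T10:05:01 flow src=10.0.0.5 dst=203.0.113.10 bytes_out=850
2024-05-01T10:05:02 flow src=10.0.0.9 dst=198.51.100.20 bytes_out=90000000
2024-05-01T10:05:03 flow src=10.0.0.9 dst=198.51.100.20 bytes_out=75000000
2024-05-01T10:05:04 flow src=10.0.0.11 dst=203.0.113.10 bytes_out=400
"""

DNS_LOG = """\
2024-05-01T10:10:00 dns src=10.0.0.9 qname=www.example.com
2024-05-01T10:10:01 dns src=10.0.0.9 qname=aGVsbG8gd29ybGQ.x.example.net
2024-05-01T10:10:02 dns src=10.0.0.9 qname=dGhpcyBpcyBhIHRlc3Q.x.example.net
2024-05-01T10:10:03 dns src=10.0.0.9 qname=ZGF0YSBleGZpbA.x.example.net
2024-05-01T10:10:04 dns src=10.0.0.5 qname=mail.example.com
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log_text):
    """Turn each 'ts kind k=v k=v' line into a dict (constructed format)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, rest = line.split(" ", 2)
        event = {"ts": ts, "kind": kind}
        event.update(KV.findall(rest))
        events.append(event)
    return events


def failed_login_bursts(log_text, threshold=5):
    """Large number of unsuccessful logins: count FAIL per (user, source)."""
    counts = Counter()
    for ev in parse(log_text):
        if ev["kind"] == "auth" and ev["result"] == "FAIL":
            counts[(ev["user"], ev["src"])] += 1
    return sorted((u, s, n) for (u, s), n in counts.items() if n >= threshold)


def outbound_volume_outliers(log_text, factor=10):
    """Abnormal outbound traffic: hosts sending far more than the median host."""
    totals = Counter()
    for ev in parse(log_text):
        if ev["kind"] == "flow":
            totals[ev["src"]] += int(ev["bytes_out"])
    baseline = statistics.median(totals.values())
    return sorted((src, t) for src, t in totals.items() if t > factor * baseline)


def dns_tunneling_candidates(log_text, min_queries=3, min_label_len=12):
    """Unusual DNS requests: repeated long leftmost labels under one zone."""
    counts = Counter()
    for ev in parse(log_text):
        if ev["kind"] != "dns":
            continue
        labels = ev["qname"].split(".")
        if len(labels) < 3:
            continue
        zone = ".".join(labels[-2:])
        if len(labels[0]) >= min_label_len:
            counts[(ev["src"], zone)] += 1
    return sorted((s, z, n) for (s, z), n in counts.items() if n >= min_queries)


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(AUTH_LOG))
    print("outbound outliers:  ", outbound_volume_outliers(FLOW_LOG))
    print("DNS tunnel candidates:", dns_tunneling_candidates(DNS_LOG))
```

Each detector returns the grouping key and the count that tripped it, which is what an analyst needs to pivot on: the same (user, source) pair, the same source host, or the same zone. The baseline in the outbound detector is the median of all hosts rather than a fixed byte count, so it is less sensitive to one noisy host; in a real deployment the comparison would be against that host's own history.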
In threat intelligence, IoCs are one of the two indicator types that allow security administrators to know if a breach has happened or is occurring. The second indicator type is the Indicator of Attack (IoA).
Imagine a scene where you catch a rat attempting to steal cheese, or you’re drawn to a noise at your door, indicating a burglar is trying to break in. IoAs are digital versions of this behavior that you can use to checkmate a cyberattack while it’s happening or even to capture a hacker on the spot.
Although both indicators are essential, some significant differences can help you identify and classify the two. These differences are:
With our understanding of IoCs in place, let's now look at the major benefits organizations and threat intelligence teams gain when studying IoCs:
IoCs forestall future attacks. Most IoCs have a stable format for security teams to create a database of attacks and integrate the information into tools that automatically identify and eliminate malicious tools from the system in the future. There are several reports and cyber communities which regularly disseminate the IoCs found in their systems, in the interest of helping others defend against similar attacks.
A real-life example is when CISA, America’s cyber defense agency, sent an alert on the FBI’s flash report of IoCs associated with a popular ransomware attack group called RagnarLocker, to warn organizations of the group’s intended attack on cyberspace.
IoCs help build effective incident response plans. Familiarity with the mode of entry of cyberattacks and their impact can help you formulate an effective incident response plan. Your analysts won’t be left in the dark — they’ll work with tangible information they can use to anticipate or even counter cyberattacks.
IoCs support threat hunting. Since IoCs fall under threat intelligence in cybersecurity, they're a great starting point for a security audit or threat hunt — providing tangible evidence of what’s amiss and often leading to detailed information on how an attack was carried out.
IoCs enhance the overall safety of the cyberspace. Organizations sometimes make public their knowledge of past and existing IoCs. This information helps more organizations improve their cybersecurity.
Also, IoC alerts sometimes come with detailed recommendations for preventing cyberattacks, and the best incident response strategy for preventing a cyber crisis from escalating and penetrating other networks. For instance, following the cyberattack on the Chile bank regulator, the regulator promptly shared the IoCs that were discovered in its Microsoft Exchange server. The aftermath of this was an updated Microsoft MSERT tool for prompt detection of such IoCs.
Identifying and responding to an IoC involves the following:
Look for artifacts with similar qualities to the ones highlighted in the previous section. If something feels off about the data, pause and investigate. With cyberattacks, the principle of “better safe than sorry” always applies.
Anti-virus and anti-malware tools can help detect and eliminate malicious agents identified as IoCs from your system. However, even with sophisticated tools, keep in mind that zero-day attacks can go undetected by these tools and wreak havoc. (Zero days are new attacks that are unknown to the software, hardware, and security community.) So do not rely exclusively on these tools, or you'll certainly miss important activity.
Know what's happening in the cyber world. Read and follow trends and reports on IoCs from reliable sites with public IoC information sources like:
Also, an in-house database of recognized IoCs can be integrated into your monitoring tools and security information and event management (SIEM) solution.
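Integrating an in-house IoC database into monitoring means normalizing published indicators (which are usually "defanged" with hxxp:// and [.] so they cannot be clicked) and comparing them against telemetry field by field. The following Python script is an added example, not code from the original article or from Splunk: it builds an index from a constructed feed of atomic IoCs (a file hash, an IP, a domain, and a URL), matches it against constructed host and network events, and orders the hits by Bianco's Pyramid of Pain so the indicators that are hardest for an adversary to change are triaged first. The feed values, events, and sample file bytes are all constructed for the example.

```python
"""Added example: matching an in-house atomic IoC feed against telemetry.

Assumptions (not from the article): the feed, the events, the field mapping,
and the sample file bytes are constructed for this example.
"""
import hashlib
from urllib.parse import urlparse

# Constructed sample file; its digest stands in for a published malware hash.
SAMPLE_FILE = b"constructed sample bytes for the example\n"

# Constructed in-house IoC feed: (indicator_type, value as copied from a report).
# Reports defang values (hxxp://, [.]) and mix hash case, so they need normalizing.
IOC_FEED = [
    ("hash", hashlib.sha256(SAMPLE_FILE).hexdigest().upper()),
    ("ip", "198[.]51[.]100[.]20"),
    ("domain", "bad[.]example[.]net"),
    ("url", "hxxp://cdn[.]example[.]org/update.bin"),
]

# Pyramid of Pain levels for the atomic indicator types matched here:
# hashes are trivial for an adversary to change, domains cost more effort.
PAIN_RANK = {"hash": 1, "ip": 2, "domain": 3}

# Which event field carries which indicator type (constructed telemetry schema).
FIELD_MAP = {"dns": ("domain", "qname"), "flow": ("ip", "dst"), "file": ("hash", "sha256")}

# Constructed events as a SIEM might present them after parsing.
EVENTS = [
    {"id": 1, "kind": "dns", "qname": "BAD.example.net"},
    {"id": 2, "kind": "flow", "dst": "198.51.100.20"},
    {"id": 3, "kind": "file", "path": "C:\\Temp\\update.bin",
     "sha256": hashlib.sha256(SAMPLE_FILE).hexdigest()},
    {"id": 4, "kind": "dns", "qname": "www.example.com"},
    {"id": 5, "kind": "dns", "qname": "cdn.example.org"},
]


def refang(value):
    """Undo report defanging and lower-case so values compare cleanly."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def build_index(feed):
    """Normalize the feed into {indicator_type: set(values)}.

    URL indicators contribute their host name as a domain indicator, since
    DNS telemetry only ever sees the host, never the full URL.
    """
    index = {"hash": set(), "ip": set(), "domain": set()}
    for kind, raw in feed:
        value = refang(raw)
        if kind == "url":
            index["domain"].add(urlparse(value).hostname)
        else:
            index[kind].add(value)
    return index


def match_events(events, feed):
    """Return (event id, indicator type, value) for every event that hits the feed."""
    index = build_index(feed)
    hits = []
    for ev in events:
        kind, field = FIELD_MAP[ev["kind"]]
        value = ev[field].lower()
        if value in index[kind]:
            hits.append((ev["id"], kind, value))
    # Highest-pain indicator types first, then by event id, for triage order.
    return sorted(hits, key=lambda h: (-PAIN_RANK[h[1]], h[0]))


if __name__ == "__main__":
    for event_id, kind, value in match_events(EVENTS, IOC_FEED):
        print(f"event {event_id}: {kind} indicator {value}")
```

The ordering step is the part that connects a plain lookup to the Pyramid of Pain: a domain hit tells the analyst more about the adversary's infrastructure than a hash hit does, so it is surfaced first even though all four matches are equally "true".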
Employees can be of great help in identifying IoCs if trained well. Train your teams and employees to recognize and report any unusual or suspicious activity. This includes but is not limited to unexpected emails, unusual login attempts, or strange network or system behavior. Employees should have clear guidelines and should be aware of the process to follow when they identify an IoC and report to the relevant stakeholders.
This simple outline shows how to eliminate a threat that an IoC identifies:
As always, here are best practices for any cybersecurity strategy.
Monitoring and detection: Implement tools like SIEM, XDR, IDS, IPS, and firewalls for continuous monitoring to detect threats early and allow real-time responses by security teams.
Access control: Restrict access to critical systems and sensitive data based on the principle of least privilege. Regularly review and update access controls to minimize insider threats.
Vulnerability management & patch management: Regularly assess systems for vulnerabilities and apply security patches. Automate patch checks and notify stakeholders to prioritize updates.
Backup and recovery: Regularly back up data, encrypt it, and store it in multiple locations. Test recovery procedures to ensure data can be restored in case of a breach.
Incident response plan: Develop and train stakeholders on an incident response plan. Run regular drills, update the plan after incidents, and incorporate lessons learned.
Security awareness: Provide ongoing training to employees to help them identify and report threats, and encourage good cybersecurity practices.
Cyber defense teams have much to gain from knowing how to fish out IoCs and handle the aftermath of attacks. However, they’ll need to do more to survive the intense onslaught of cyber criminals on today’s web.
IoCs don’t provide foolproof guidelines, but they hint at how we can avoid similar attacks in the future. Relying solely on massive reports about IoCs or blindly integrating safeguards into your system can potentially cause more harm than good — whether in the form of false positives, or a false sense of security.
While IoCs are incredibly important, a multi-faceted approach to security is still the best approach. Factoring in cyber intelligence (both IoCs and IoAs) while threat hunting, keeping up with reports in the cybersecurity space, and leveraging AI and machine learning technology are all crucial aspects of forging a safer cyberspace.
See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.