IoCs: Indicators of Compromise Explained

IoCs are forensic data threat intelligence teams use to confirm cyberattack occurrences and build cyber-defense strategies. IoCs are critical in identifying system vulnerabilities, and determining how a cyber-crime was executed.

While the relevance of IoCs cannot be downplayed in the cyber security space, they are not all that’s needed in building an effective cyber-defense strategy.

In this article, we’ll explore indicators of compromise, their types, and their relevance to threat intelligence teams.

Let’s begin!

What are Indicators of Compromise (IoCs)?

Indicators of compromise are behaviors or data which show that a data breach, intrusion, or cyberattack has occurred. Their presence indicates a vulnerability within a system, network, or domain, making their primary purpose post-event analysis — an important tool during threat hunting. 

Furthering this explanation, authors Morey Haber and Darran Rolls outline in their book, Identity Attack Vectors, that an IoC identifies:

• When something is amiss in an environment
• What evidence supports the anomaly
• The root cause of the breach

For something to be considered an IoC, experts have narrowed down the three conditions an indicator must satisfy:

• Observable: it must display signs that a malicious event has transpired.
• Context: an artifact must fit the specific context in which the attack happened. For example, if a phishing campaign occurs, the IoCs should be things like suspicious URLs or suspicious email attachments — both common mediums for executing such attacks.
• Metadata: there must be additional information that helps security teams make sense of the IoC. This can include the indicator source, data, time of occurrence, and related artifacts linked to the attack.

IoCs can point you to the tools used in carrying out the attack, the different touch points the attacker or malware passed through, and the result of the intrusion. 

In threat intelligence, IoCs are one of the two indicators that allow security administrators to know if a breach has happened or is occurring. The second indicator type, the Indicator of Attack (IoA), is just as relevant as an IoC.

Let’s briefly look at what an IoA is. 

What are IoAs?

Indicators of attack are behaviors or patterns used to identify a cyberattack in progress. An IoA identifies the intent and the techniques used in carrying out malicious activity on a system or network. So, the state of the attack is the most significant difference between the two concepts. If the attack is still ongoing at discovery, it’s an IoA. 

Where IoAs reveal a potential attack in progress, IoCs are used for a more thorough post-attack investigation.

Imagine a scene where you catch a rat attempting to steal cheese, or you’re drawn to a noise at your door, indicating a burglar is trying to break in. IoAs are digital versions of this behavior that can be used to checkmate a cyberattack while it’s happening, or even to capture a hacker on the spot.

IoCs Vs. IoAs: how are they different?

Although both indicators are essential, some significant differences can help you identify and classify the two. These differences are:

Time-based indicators

IoAs provide timely information for handling cyberattacks and data breaches. Identifying an IoA often means you can still salvage a  situation before it escalates.

IoCs don’t work this way. They are more like CCTV recordings of a crime after the criminals leave. They hint at what’s responsible for the attack and how it occurred. 

Proactive vs. reactive

IoAs empower you with just enough information to shut down an attack before the situation worsens. This also means there’s less mess to clean up and fewer financial losses in the event of a cyberattack.

On the other hand, the post-event analysis nature of IoCs only allows you to respond to a crime after it has been carried out.

Nature of data

IoAs are not described as forensic information but are instead patterns and techniques that hint at an ongoing event. This means they are unpredictable and can change based on the intent of the malware or the goals of the attacker.

IoCs are usually confirmed data and have a format that can be classified and compared to past information. They are considered static and easier to work with.

Types of IoCs

The three popular IoCs types include:

• Network-based IoCs are detected by analyzing a network’s connectivity or traffic. Across the different components of a network, we can find malicious data attached that constitute IoCs. Network-based IoCs could be malicious domain names or suspicious IP addresses.
• File-based IoCs are attached to files found within a host system. They could be hash files, file names or file paths.
• Behavioral IoCs are found by observing patterns within a system or network that indicate malicious activity. Behaviors like unusually high traffic to a site and repeated failed login attempts could be flagged as an IoC. 

Examples of IoCs

IoCs come in several forms, here are some of the more common IoCs known to the cybersecurity community:

Strange outbound network traffic

A high or unusual amount of traffic from your server could be a sign of command and control (C2).  communication This could be traffic from an internally compromised system to an external C2 communication center. It could also indicate the presence of malware or data exfiltration — the major consequence of this IoC being data loss.

Large number of unsuccessful login attempts: 

Unsuccessful user logins are a regular occurrence for users. But in other instances, it indicates a malicious character is using fake credentials to log into a system. This could be for account takeover (fraudsters adopt this approach on their victims) or to compromise a system in general.

Activity from an unexpected location

Be suspicious of network activities from a region your system is not used to. Sometimes, hackers work from unknown locations or change their IP addresses to get easier access to a system or avoid being caught.

Unexpected software update

An unexpected software update that happens without authorization from system administrators indicates a breach in a system’s security. An attacker may implant an unusual application that, if not eliminated, will execute malicious code through a software update.

Suspicious registry changes

The Windows registry houses sensitive information like configuration settings and options for an operating system and applications. Constant registry modification potentially signals an attacker creating a system for executing malicious code.

HTML response sizes

HTML response sizes are used to weigh information from a web server during online interaction. A higher-than-usual HTML response size is tagged as a red flag since it could indicate data exfiltration or malicious code hidden within an HTML response.

Increase in database read volume 

Frequent access to a database that spikes up its read volume could indicate an unauthorized attempt to access and extract sensitive data like financial data or customer records from a database.   

Importance of IoCs in threat intelligence

Here are some major benefits of studying IoCs that threat intelligence teams experience:

Forestalling future attacks

Most IoCs have a stable format for security teams to create a database of attacks and integrate the information into tools that automatically identify and eliminate malicious tools from the system in the future. There are several reports and cyber communities which regularly disseminate the IoCs found in their systems, in the interest of helping others defend against similar attacks.

A real-life example is when CISA, America’s cyber defense agency, sent an alert on the FBI’s flash report of IoCs associated with a popular ransomware attack group called RagnarLocker, to warn organizations of the group’s intended attack on cyberspace.

Designing an effective incident response plan

Familiarity with the mode of entry of cyberattacks and their impact can help you formulate an effective incident response plan. Your analysts won’t be left in the dark — they’ll work with tangible information they can use to anticipate, or even counter cyberattacks.

Carrying out threat hunting

Since IoCs fall under threat intelligence in cybersecurity, they are a great starting point for a security audit or threat hunt — providing tangible evidence of what’s amiss and often leading to detailed information on how an attack was carried out.

Enhancing the overall safety of the cyberspace

As organizations make knowledge of past and existing IoCs in their database available to the public, this information helps organizations stay safe and improve their cybersecurity. Also, sometimes IoC alerts come with detailed recommendations for preventing cyberattacks, and the best incident response strategy for preventing a cyber crisis from escalating and penetrating other networks. 

For instance, following the cyberattack on the Chile bank regulator, they promptly shared the IoCs that were discovered in their Microsoft Exchange server. The aftermath of this was an updated Microsoft MSERT tool for prompt detection of such IoCs. 

How to identify and handle IoCs

Identifying and responding to an IoC involves the following:

Flagging and investigating artifacts with suspicious qualities

Look for artifacts with similar qualities to the ones highlighted in the previous section. If something feels off about the data, pause and investigate. With cyberattacks, the principle of “better safe than sorry” always applies.

Install tools for automatic checks

Anti-virus and anti-malware tools can help detect and eliminate malicious agents identified as IoCs from your system. However, even with sophisticated tools, keep in mind that zero-day attacks (new attacks that are unknown to the software, hardware, and security community) can go undetected from these tools and wreak havoc. So, these tools should not be relied on exclusively.

Keep up with trends and reports: 

Keep up with trends and reports on IoCs from reliable sites with public IoC information sources like:

• VirusTotal
• Onyphe
• Any.run’s malware trends tracker site
• Malware information sharing platform (MISP)
• AlienVault OTX
• BlackBerry Threat Research & Intelligence Team Public Git

Also, an in-house database of recognized IoCs can be integrated into your monitoring tools and SIEM. 

Cyberdefense goes beyond IoC detection and management.

Cyber defense teams have much to gain from knowing how to fish out IoCs and handle the aftermath of attacks. Though, they’ll need to do more to survive the intense onslaught of cyber criminals on today’s web.

IoCs don’t provide foolproof guidelines, but hints at how we can avoid similar attacks in the future. Relying solely on massive reports about IoCs, or blindly integrating safeguards into your system can potentially cause more harm than good — whether in the form of false-positives, or a false sense of security.

While IoCs are incredibly important, a multi-faceted approach to security is still the best approach. Factoring in aspects of cyber intelligence IoCs and IoAs while threat-hunting, keeping up with reports in the cyber security space, and leveraging AI and Machine learning technology are all crucial aspects of forging a safer cyberspace.