Indicators of Compromise (IoCs) are pieces of data that suggest a breach may have taken place. Which IoCs matter varies with the system and the type of data being examined: what looks like an IoC in one system may be a legitimate transaction in another. Firewalls and anti-malware can be configured to look for some IoCs; network and file logs capture other types.
The DarkReading site lists 15 IoCs. Other sources may give a different list, because IoCs vary with the application and data of the system. Here I list the first 5 IoCs from DarkReading, with a brief note on each.
1. Unusual Outbound Network Traffic: This is usually found in the network traffic log. It may be a clue that data is being stolen.
2. Anomalies in Privileged User Account Activity: Someone is attempting to gain more access (a higher level of privilege) than they actually need.
3. Geographical Irregularities: Activity from a geographic location that is not typical may hint that an attack is originating from that location.
4. Other Log-In Red Flags: For example, there are certain devices I never use to log into my work-related accounts. If a log records that my account was accessed from a type of device I do not use, that suggests someone else was attempting to access my account.
5. Swells in Database Read Volume: System administrators keep baselines of what typical activity on a system looks like. An unexplained spike in reads of database tables suggests that someone is attempting to access the data.
It should be noted that IoCs are evidence, not the whole story. Further analysis is necessary to determine if an attack is occurring or has occurred.
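As an added example (not code from the original post or from DarkReading), the following Python script applies three of the checks above to constructed sample data: it learns each account's usual countries and device types from its first few logins and flags later logins that fall outside that baseline (IoCs 3 and 4), and it compares a day's database read count against the baseline mean plus k standard deviations (IoC 5). The log format, account names, counts and the k=3 threshold are all assumptions made for the example.

```python
import statistics
from collections import defaultdict
# Constructed login log (timestamp account country device-type); the format is invented here.
LOGIN_LOG = """\
2024-03-01T08:02:11 alice US laptop
2024-03-01T09:15:40 alice US laptop
2024-03-02T08:10:05 alice US phone
2024-03-03T08:05:30 alice US laptop
2024-03-04T03:44:12 alice RU tablet
2024-03-01T10:00:00 bob DE laptop
2024-03-04T10:05:00 bob DE laptop
"""
# Constructed daily row-read counts for one sensitive table, then today's count.
DB_READ_BASELINE = [1200, 1350, 1100, 1275, 1300, 1250, 1400]
DB_READ_TODAY = 9800

def parse_logins(text):
    """Turn 'timestamp account country device' lines into dicts."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [dict(zip(("ts", "account", "country", "device"), r)) for r in rows]

def login_red_flags(events, learn=3):
    """Learn each account's usual countries and device types from its first `learn`
    logins, then flag later logins outside that baseline (IoCs 3 and 4)."""
    seen = defaultdict(lambda: {"n": 0, "countries": set(), "devices": set()})
    flags = []
    for e in sorted(events, key=lambda e: e["ts"]):
        s, reasons = seen[e["account"]], []
        if s["n"] >= learn:
            if e["country"] not in s["countries"]:
                reasons.append("new country " + e["country"])
            if e["device"] not in s["devices"]:
                reasons.append("new device type " + e["device"])
        if reasons:
            flags.append((e["ts"], e["account"], reasons))
        else:  # only unflagged logins extend the baseline, so a flagged device never becomes "normal"
            s["countries"].add(e["country"])
            s["devices"].add(e["device"])
        s["n"] += 1
    return flags

def read_volume_spike(baseline, observed, k=3.0):
    """Flag a read count more than k standard deviations above the baseline mean (IoC 5)."""
    threshold = statistics.mean(baseline) + k * statistics.stdev(baseline)
    return observed > threshold, round(threshold, 1)

if __name__ == "__main__":
    for ts, account, reasons in login_red_flags(parse_logins(LOGIN_LOG)):
        print(ts, account, ", ".join(reasons))
    print("DB read spike:", read_volume_spike(DB_READ_BASELINE, DB_READ_TODAY))
```

Each flag is a lead for an analyst to follow up, not a verdict; the baseline window and k should be tuned to the system's real activity.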
For more information, go to: https://www.techtarget.com/searchsecurity/definition/Indicators-of-Compromise-IOC