Indicators of Compromise (IoCs)
In the current threat environment, rapid communication of threat information is the key to quickly detecting, responding to and containing targeted attacks. Hunting for Indicators of Compromise (IoCs) is an effective way to combat advanced attackers. IoCs are forensic artifacts of an intrusion that can be identified on a host or network.
IoCs tie to observables, and observables tie to measurable events or stateful properties, which can represent anything from the creation of a registry key on a host (a measurable event) to the presence of a mutex (a stateful property). For example, after using the APT Detection Framework to optimize and check for any gaps, an organization should continuously monitor for and detect things like:
- Unusual outbound network traffic
- Geographical or cross-country activity with unusual log-ins or access patterns
- People trying to cover their tracks or obscure their presence on your systems
- Signs of ARP cache poisoning, ARP spoofing and other man-in-the-middle attacks
- Suspicious changes in listening ports, system services and drivers, startup tasks and scheduled tasks
- Anomalies in privileged user account activity or permission changes
- Changes in local firewall configurations and local user accounts
- Changes in DNS servers or IP routing
- Symptoms or presence of rootkits
- and so on…
All of these items can provide early indications of bad actors and help you identify and contain security incidents before they result in loss. Though not present in every incident response scenario, IoCs are present more often than not, provided the security analyst has the cycles and opportunity to learn where and how to identify them. The ability of a security analyst, incident responder or threat researcher to collect, record and notate IoCs in detail is a critical success factor.
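As an added example (not part of the original article), the script below turns a few of the categories listed above into concrete checks: stateful properties (listening ports, services, scheduled tasks, local users, DNS servers) are diffed against a known-good baseline, and measurable events are scanned for cross-country log-ins and track-covering actions. All snapshot and event data is constructed sample input.

```python
# Added example (not from the article): baseline-diff and event checks for a few
# IoC categories above. All snapshots and events below are constructed samples.

# Stateful properties: a known-good baseline and a later capture of the same host.
BASELINE = {
    "listening_ports": {22, 443},
    "services": {"sshd", "cron"},
    "scheduled_tasks": {"logrotate"},
    "local_users": {"root", "svc_backup"},
    "dns_servers": {"10.0.0.53"},
}
CURRENT = {
    "listening_ports": {22, 443, 4444},
    "services": {"sshd", "cron", "updsvc"},
    "scheduled_tasks": {"logrotate", "sysupd"},
    "local_users": {"root", "svc_backup", "support"},
    "dns_servers": {"203.0.113.7"},
}
# Measurable events: an audit stream with Unix timestamps (constructed).
EVENTS = [
    {"ts": 1000, "user": "alice", "action": "login", "country": "US"},
    {"ts": 1600, "user": "alice", "action": "login", "country": "BR"},
    {"ts": 1700, "user": "support", "action": "clear_log", "country": "BR"},
]
TRACK_COVERING_ACTIONS = {"clear_log", "delete_history", "disable_audit"}

def diff_state(baseline, current):
    """Stateful-property IoCs: values added to or removed from the baseline."""
    findings = []
    for prop in sorted(set(baseline) | set(current)):
        before, after = baseline.get(prop, set()), current.get(prop, set())
        findings += [(prop, "added", v) for v in sorted(after - before)]
        findings += [(prop, "removed", v) for v in sorted(before - after)]
    return findings

def impossible_travel(events, window_s=3600):
    """Event IoC: one account logs in from two countries inside the window."""
    last, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "login":
            continue
        prev = last.get(ev["user"])
        if prev and prev["country"] != ev["country"] and ev["ts"] - prev["ts"] <= window_s:
            hits.append((ev["user"], prev["country"], ev["country"]))
        last[ev["user"]] = ev
    return hits

def track_covering(events):
    """Event IoC: actions that hide presence on the host, such as clearing logs."""
    return [(ev["user"], ev["action"]) for ev in events if ev["action"] in TRACK_COVERING_ACTIONS]
```

Each finding is a tuple naming the property or account involved, so the output can be recorded directly as an IoC entry for the incident.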