Indicators of Compromise (IoCs)


An indicator of compromise (IoC) is a residual sign that an asset or network has been attacked or is currently under attack.

  • used to identify, investigate, and mitigate threats
  • is evidence of a TTP
  • e.g., targets and vectors of attacks are documented and published
    • MITRE ATT&CK database is one
  • IoC can be definite and objectively identifiable
    • but often is only described via the correlation of many data points
      • so can be slow to diagnose
  • AI can be used to automate this correlation and analysis
  • needs to be validated
  • IoCs are provided to organizations through intelligence reports and electronic data feeds
    • used to update security tools
      • Web Application Firewalls (WAF)
      • EDRs
      • Web proxies
      • IDS
      • SIEM

Info

Strictly speaking, an IoC is evidence of an attack that was successful.

The term indicator of attack (IoA) is sometimes also used for evidence of an intrusion attempt in progress.

Examples of Common IoCs

  • connections to a C&C network
  • disabled system recovery/backup features
  • script remnants to execute ransomware
  • files made inaccessible through encryption
  • blackmail demand notices
  • logins occurring from unexpected geographic locations
  • suspicious privileged user account behavior
    • a user account with elevated access to a system, i.e., one granted permissions that other user accounts do not have
  • Atypical or unusual inbound and/or outbound network traffic
  • Any account activity representing access or actions which should not be possible using the identified account
  • A high volume of invalid password entries
  • Unexpected increases in traffic volumes, especially database or DNS traffic
  • High volumes of requests to access a single file
  • Suspicious changes to the Windows registry or any unusual change to system files
  • Atypical requests to DNS or strange domain name resolution requests
  • Any unauthorized changes to system settings and/or mobile device profiles
  • Large quantities of compressed files stored in unexpected locations
  • Traffic originating from countries where the organization does not operate or have any business dealings
  • Any strange or unknown applications running on a system
  • Any unknown or suspicious scheduled tasks
  • Strange or unknown processes running on a system
  • Strange or unknown services installed on a system
  • Alerts from IDS/IPS, firewalls, endpoint protection, or any other security tools
  • Any unexpected instances of encrypted files
  • Any activity on a system that indicates remote access/control that is not expected
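Two of the behavioural indicators listed above (a high volume of invalid password entries and logins from unexpected geographic locations) can be checked directly against authentication logs. The following is an added example, not part of the original notes: it runs those checks over a constructed SSH-style auth log. The log format, the failure threshold, the list of expected countries and the IP-to-country table are all assumptions for the demo; a real deployment would read SIEM events and query a GeoIP database.

```python
"""Behavioural IoC checks over constructed authentication log lines.

Added example, not from the original notes. Log format, threshold,
expected countries and the IP-to-country table are assumptions.
"""
import re
from collections import Counter

# Constructed sample events (RFC 5737 documentation addresses). Not real data.
SAMPLE_AUTH_LOG = """\
2024-03-01T08:00:01 sshd: Failed password for alice from 203.0.113.7 port 51000
2024-03-01T08:00:02 sshd: Failed password for alice from 203.0.113.7 port 51001
2024-03-01T08:00:03 sshd: Failed password for bob from 203.0.113.7 port 51002
2024-03-01T08:00:04 sshd: Failed password for root from 203.0.113.7 port 51003
2024-03-01T08:00:05 sshd: Failed password for admin from 203.0.113.7 port 51004
2024-03-01T08:00:06 sshd: Failed password for alice from 203.0.113.7 port 51005
2024-03-01T08:01:10 sshd: Accepted password for alice from 203.0.113.7 port 51006
2024-03-01T08:05:00 sshd: Accepted publickey for carol from 198.51.100.20 port 40000
2024-03-01T08:06:00 sshd: Failed password for dave from 192.0.2.9 port 30000
2024-03-01T08:07:00 sshd: Accepted password for dave from 192.0.2.9 port 30001
"""

# Constructed stand-in for a GeoIP lookup; "XX" marks a location the
# organisation has no presence in.
IP_COUNTRY = {
    "203.0.113.7": "XX",
    "198.51.100.20": "US",
    "192.0.2.9": "DE",
}
EXPECTED_COUNTRIES = {"US", "DE"}  # assumption: where the organisation operates
FAILED_THRESHOLD = 5               # assumption: failures per source = "high volume"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) \w+ for (?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse_auth_log(text):
    """Parse each line into a dict of fields; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_behavioural_iocs(events):
    """Return (indicator, detail) tuples for the checks implemented here."""
    findings = []

    # IoC: high volume of invalid password entries from one source.
    failures = Counter(e["ip"] for e in events if e["outcome"] == "Failed")
    for ip, count in failures.items():
        if count >= FAILED_THRESHOLD:
            findings.append(("high_volume_invalid_passwords",
                             f"{ip} had {count} failures"))

    # IoC: successful login from a location the organisation does not operate in.
    for e in events:
        if e["outcome"] != "Accepted":
            continue
        country = IP_COUNTRY.get(e["ip"], "unknown")
        if country not in EXPECTED_COUNTRIES:
            findings.append(("login_from_unexpected_location",
                             f"{e['user']} from {e['ip']} ({country})"))

    # Correlation of the two data points above: a success from a source that
    # was just guessing passwords is a much stronger indicator than either alone.
    for ip, count in failures.items():
        if count >= FAILED_THRESHOLD and any(
            e["ip"] == ip and e["outcome"] == "Accepted" for e in events
        ):
            findings.append(("success_after_brute_force",
                             f"{ip} authenticated after {count} failures"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_behavioural_iocs(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"{kind}: {detail}")
```

The third check illustrates the point made earlier in the notes that an IoC is often only visible through the correlation of several data points: neither six failures nor one login from an odd location is conclusive on its own, but the combination is.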

Role of Digital Forensics

  • IoCs can be identified by digital forensics
    • analyze digital artifacts left on a compromised system or network
      • artifacts include log files, memory dumps, network traffic, and file system information
  • once an IoC is identified, it is used to generate threat intelligence data to detect and prevent future attacks
    • can be added to an IDS or SIEM
  • digital forensics can reveal specific details or misconfigurations that led to a breach
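The notes describe two ends of the same loop: IoCs arrive via intelligence feeds and are loaded into tools such as an IDS or SIEM, and IoCs recovered by forensics are fed back as threat intelligence for the same tools. The following is an added example, not part of the original notes, of the matching step in that loop: a small constructed IoC feed is validated (expired and low-confidence entries dropped, as the "needs to be validated" bullet requires) and then matched against constructed proxy log lines. The feed record layout, the log format and the confidence threshold are assumptions; real feeds arrive as STIX/TAXII, CSV or vendor JSON and would be normalised to something like this first.

```python
"""Validate an IoC feed and match it against constructed proxy log lines.

Added example, not from the original notes. Feed layout, log format and
the confidence threshold are assumptions made for the demo.
"""
import re
from datetime import date

# Constructed IoC feed using reserved example domains and documentation
# address ranges; these are not real threat intelligence.
IOC_FEED = [
    {"type": "domain", "value": "c2.example.net", "source": "vendor-report-A",
     "confidence": 90, "valid_until": "2024-12-31"},
    {"type": "ipv4", "value": "203.0.113.50", "source": "isac-feed",
     "confidence": 70, "valid_until": "2024-12-31"},
    {"type": "ipv4", "value": "198.51.100.99", "source": "old-report",
     "confidence": 60, "valid_until": "2023-01-01"},   # expired: must not alert
    {"type": "domain", "value": "cdn.example.com", "source": "noisy-feed",
     "confidence": 20, "valid_until": "2024-12-31"},   # below threshold
]

# Constructed proxy log: timestamp, client, destination host, destination IP.
SAMPLE_PROXY_LOG = """\
2024-03-01T09:00:00 10.0.0.5 updates.example.org 192.0.2.10
2024-03-01T09:00:05 10.0.0.8 c2.example.net 203.0.113.50
2024-03-01T09:00:09 10.0.0.9 cdn.example.com 192.0.2.11
2024-03-01T09:00:12 10.0.0.5 files.example.org 198.51.100.99
"""

MIN_CONFIDENCE = 50   # assumption: entries below this are not loaded into detection
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<dst_ip>\S+)$")


def load_indicators(feed, today_iso):
    """Validate the feed before use and index it for O(1) lookups.

    Drops indicators past their validity date (the infrastructure may have
    been reassigned to a legitimate owner) and those below the confidence
    threshold (too noisy to act on automatically). Returns a dict keyed by
    (type, value).
    """
    today = date.fromisoformat(today_iso)
    indicators = {}
    for ioc in feed:
        if date.fromisoformat(ioc["valid_until"]) < today:
            continue
        if ioc["confidence"] < MIN_CONFIDENCE:
            continue
        indicators[(ioc["type"], ioc["value"].lower())] = ioc
    return indicators


def match_log(text, indicators):
    """Return one alert per log line that hits an indicator, naming the IoC source."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        hits = []
        # Each log field is looked up against the indicator type it can match.
        for key in (("domain", e["host"].lower()), ("ipv4", e["dst_ip"])):
            ioc = indicators.get(key)
            if ioc:
                hits.append(ioc)
        if hits:
            alerts.append({
                "ts": e["ts"],
                "client": e["client"],
                "matched": [h["value"] for h in hits],
                "sources": sorted({h["source"] for h in hits}),
            })
    return alerts


if __name__ == "__main__":
    indicators = load_indicators(IOC_FEED, "2024-03-01")
    for alert in match_log(SAMPLE_PROXY_LOG, indicators):
        print(alert)
```

Carrying the feed source through to the alert matters in practice: the analyst triaging it needs to know which report or feed the indicator came from in order to judge how much weight to give it, and the same field is what lets a forensics team's own findings be attributed when they are added back to the feed.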