Indicators of Compromise: What They Are and How to Identify Them

Intrusion Team
Oct 13, 2021

Cybersecurity is an essential part of every business today, but managing it has never been straightforward. The more information technology you add, the more security concerns you introduce. Organizations manage threats by controlling the processes of identifying, responding to, and recovering from security events. Various teams under the cybersecurity domain attempt to collaborate effectively to maintain security and prevent cyberattacks.

The defensive team’s responsibility is to look for any abnormality in the applications, servers, or network. Whenever a threat actor attacks a target, they often leave behind footprints and traces of their activity. The best attackers will even try to hide, delete or remove these traces before they leave your network for the last time. When a cybersecurity incident occurs, or better yet, before a security event occurs, security teams are usually looking for Indicators of Compromise (IoC).

What are Indicators of Compromise (IOC)?

An indicator of compromise acts like forensic evidence that helps determine, at an early stage, whether a potential intrusion or data breach is occurring or has occurred in an organization. There are far too many to discuss in one blog post: IOCs can include physical indicators, behavioral indicators, digital indicators, and even IT performance indicators. In today’s cybersecurity landscape, when people mention IOCs they are usually referring to suspicious IP addresses, domains and/or URLs, and MD5 or SHA256 hashes. Why just these select few? The answer is simple: they are easy to find.

Modern security software can quite often detect these IOCs. These indicators are not only capable of revealing the occurrence of an attack but can also tell you about the attacker and the tools used. For example, if your security system logs show numerous outbound connections to an IP address that open-source intelligence (OSINT) says is most likely suspicious, odds are you have a malicious file somewhere in your network beaconing out to a malicious command & control (C2) server. Through OSINT research you might find the MD5 hashes of such files and then scan your network for files matching those hashes. IOCs provide relevant information for measuring the extent of an attack, and organizations can also use them to prevent potential threats.

Security software often flags abnormal activity as an IOC, indicating that a potential threat might be active. Sadly, it is not always easy to detect these red flags, as these IOCs can be as meager as metadata details (tiny bits of data about other data). The challenge here is configuring security software with what you consider abnormal network and system behavior. The bottom line is that every application or operating system has a log file that registers events within the system. And usually, only the craftiest attackers know how, and take the time, to alter these logs to disguise or hide their activity. But even changing logs leaves a trace.

These forensic artifacts are discovered in system-generated event logs or time-stamped records. They might include changes to files in the system directory, changes to any applications and the system registry, changes to user or admin accounts, odd connections to unusual domains, network logs showing large volumes of traffic moving outbound during non-business hours, etc. Now, imagine combing through the logs of thousands of IT devices on your network to find the bad apple in the orchard.

How to Identify Indicators of Compromise

Organizations should be vigilant and gather timely threat intelligence to strengthen their capability to identify prevailing and unique IOCs that could highlight a breach. It can take some resources to maintain situational awareness of multiple OSINT feeds to learn about new and emerging IOCs before hunting for them on your network. As we have shown, multiple things can be considered an IOC, but we have listed the typical warning signs that enterprises should look for. We have highlighted three well-defined categories:

1. Network-based Indicators of Compromise:

  • Domain Name and Communication Protocol: Organizations should monitor for suspicious connections between IT devices on their network and known malicious domains. They should block them quickly, as threat actors can use them as Command-and-Control (C2) servers to deliver malware. Some security products attempt to automate this, but it is not easy, as domains change quite often, as do the IP addresses that host them.
  • Bad IP Address (IPv4 and IPv6): Security teams should investigate odd connections to unfamiliar IP addresses. IP spoofing is no secret, and IPs could originate from servers compromised by threat actors or belonging to botnets responsible for distributed denial of service (DDoS) attacks.
  • Uniform Resource Locators (URLs): URLs are how we tell the internet where we are trying to go and what we are trying to find. They can be a powerful IoC to identify unique paths created by attackers, and they can be disguised as easily as changing one letter or character from the real or original URL.
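
A sketch of how the network indicators above, together with the off-hours outbound volume sign mentioned earlier, can be checked against connection logs. This is an added example, not code from the original article; the log layout, host names, thresholds and all indicator values are constructed for illustration (documentation IP ranges and reserved example domains).

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed indicators: documentation address ranges and reserved example domains.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "2001:db8:bad::/48")]
IOC_DOMAINS = {"c2.example.net"}

# Constructed log: timestamp, source host, destination IP, destination domain, bytes sent.
SAMPLE_LOG = """\
2021-10-12T09:14:02 ws-017 198.51.100.20 intranet.example.com 5120
2021-10-12T02:00:05 ws-044 203.0.113.7 cdn.c2.example.net 880
2021-10-12T02:10:05 ws-044 203.0.113.7 cdn.c2.example.net 912
2021-10-12T14:30:00 ws-044 198.51.100.77 c2.example.net 640
2021-10-12T10:05:40 ws-090 198.51.100.31 notc2.example.net 410
2021-10-12T03:41:55 srv-db1 198.51.100.99 backup.example.org 734003200
2021-10-12T11:02:31 ws-101 2001:db8:bad::15 - 300
"""

def domain_matches(domain, ioc_domains):
    """True if domain equals an indicator or is a subdomain of one (no substring matching)."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in ioc_domains for i in range(len(labels)))

def scan(log_text, business_hours=(7, 19), volume_threshold=100 * 1024 * 1024):
    """Return (indicator hits per source host, hosts with large off-hours outbound volume)."""
    hits, offhours = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of guessing at fields
        ts, src, dst_ip, dst_domain, sent = parts
        addr = ipaddress.ip_address(dst_ip)
        net = next((n for n in IOC_NETWORKS if n.version == addr.version and addr in n), None)
        if net is not None:
            hits[src].append((ts, str(net)))
        elif domain_matches(dst_domain, IOC_DOMAINS):
            # The hosting IP changed, but the domain indicator still matches.
            hits[src].append((ts, dst_domain))
        if not business_hours[0] <= datetime.fromisoformat(ts).hour < business_hours[1]:
            offhours[src] += int(sent)
    bulk = {host: sent for host, sent in offhours.items() if sent >= volume_threshold}
    return dict(hits), bulk
```

Repeated hits from one host at regular intervals (ws-044 here) are the beaconing pattern described earlier, while notc2.example.net is deliberately not matched, since it only shares a substring with the indicator.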

2. E-mail-based Indicators of Compromise

  • There are several IOCs to watch for when concerned about the email attack vector. Emails coming from unknown sources (including sender, domain, and email address) can be tricky, as they can look quite authentic to the unwary recipient. But once known, mail servers can be scanned for all instances of the suspicious email traffic and cleaned of it, hopefully before any employees download it to their local system.
  • Usually, a key element of an attack is the email’s content. Emails can carry malicious attachments or contain code embedded in hyperlinked URLs, which makes them an important IOC. These attachments often have an MD5 IOC that has been reported in OSINT channels.
  • Source and Destination IP address: Email headers contain the IP address of the origin and destination of the email. Generally, attackers use a proxy while sending phishing emails connected to a compromised server. Recent reporting has even identified a phishing-email-as-a-service campaign organized and run by a hacker group. They go so far as to advertise their service on the dark web, and clients can pick and choose multiple styles of emails to be sent to victims.
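
The email indicators listed above (sender domain, relay IP addresses in the headers, embedded URLs, attachment MD5) can be pulled from a message with Python's standard email package. This is an added example, not code from the original article; the message, addresses and attachment content are constructed.

```python
import hashlib
import re
from email import message_from_string, policy

# Constructed message; addresses use documentation ranges and reserved example domains.
RAW_EMAIL = """\
Received: from mail.example.org (mail.example.org [198.51.100.25])
\tby mx.corp.example with ESMTP; Tue, 12 Oct 2021 08:01:10 +0000
Received: from unknown (HELO relay) ([203.0.113.9])
\tby mail.example.org with SMTP; Tue, 12 Oct 2021 08:01:02 +0000
From: "Accounts" <billing@invoices.example.net>
To: user@corp.example
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review: http://invoices.example.net/pay?id=7
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.doc"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgYXR0YWNobWVudA==
--b1--
"""

def extract_indicators(raw):
    """Pull relay IPs, sender domain, body URLs and attachment MD5s from one message."""
    msg = message_from_string(raw, policy=policy.default)
    relay_ips = []
    # Received headers are newest-first; hops below your own servers can be forged.
    for hop in msg.get_all("Received", []):
        relay_ips += re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hop))
    urls, attachment_md5 = [], {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachment_md5[part.get_filename()] = hashlib.md5(data).hexdigest()
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls += re.findall(r"https?://[^\s\"'<>]+", part.get_content())
    return {"sender_domain": msg["From"].addresses[0].domain, "relay_ips": relay_ips,
            "urls": urls, "attachment_md5": attachment_md5}
```

The extracted values can then be compared with OSINT-reported indicators and used to search the mail server for other copies of the same message.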

3. Host-based Indicators of Compromise

  • Registry Key Changes: Malware residing in systems can modify or introduce malicious registry keys to maintain persistence. It is therefore essential to watch for unusual dates, times, purposes, and types of changes in registries, as they can be a possible IoC.
  • File Name and File Hash: These are often listed in OSINT reporting and comprise malicious executable files and their associated hashes (MD5, SHA1, SHA256). Once known, networks should be scanned for the presence of these files as they may go undetected by anti-virus and anti-malware products until a signature is written for the file. Any detection of these files and hashes should be investigated immediately.
  • Process Name and ID: Often, unknown processes, processes with odd names, or instances of the same process running multiple times simultaneously might be seen running on systems. Or you might discover an unfamiliar application that was never present in the system before or was just recently installed. This could be an indicator of compromise in that system, especially if your organization has strict rules for who can install new applications and/or how those applications are authorized on the network.
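
A sketch of the file name and file hash sweep described in this list: every file is hashed once with MD5, SHA1 and SHA256 and compared with reported indicators, so a renamed copy is still found by content. This is an added example, not code from the original article; the function names and all sample files and indicators are constructed.

```python
import hashlib
import os
import tempfile

def file_digests(path, chunk_size=1 << 20):
    """Return (md5, sha1, sha256) hex digests, reading the file once in chunks."""
    hashers = [hashlib.md5(), hashlib.sha1(), hashlib.sha256()]
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers:
                h.update(chunk)
    return tuple(h.hexdigest() for h in hashers)

def sweep(root, ioc_hashes, ioc_names=()):
    """Walk root and report files whose hash or name matches an indicator."""
    wanted = {h.strip().lower() for h in ioc_hashes}
    names = {n.lower() for n in ioc_names}
    findings, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digests = file_digests(path)
            except OSError:
                unreadable.append(path)  # locked or permission-denied: review separately
                continue
            matched = [d for d in digests if d in wanted]
            if matched:
                findings.append((path, "hash", matched[0]))
            elif name.lower() in names:
                # Name matches but content does not: weaker signal, still worth a look.
                findings.append((path, "name-only", name))
    return findings, unreadable

def demo():
    """Build a constructed directory tree and sweep it (sample data, not real indicators)."""
    payload = b"constructed sample standing in for a reported file"
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("renamed.tmp", payload), ("updater.exe", b"benign"), ("notes.txt", b"hi")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        findings, _ = sweep(root, [hashlib.sha256(payload).hexdigest().upper()], ["Updater.exe"])
        return sorted((os.path.basename(p), kind) for p, kind, _ in findings)
```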

Other Signs of Compromise to Look Out For

  • Suspicious activities from unrelated geographic regions: Many organizations can identify routine, normal traffic from known sources. State-sponsored attacks may typically originate from unknown areas, or worse, from areas that look legitimate but are not, such as using common cloud services as launch points.
  • Multiple requests or attempts to access critical files: When attackers do not have access to accounts with higher privileges, they try various methods to exploit and find the correct vulnerability to gain access. Constant unsuccessful attempts to log on, access a shared folder or directory, or open an application may be early signs that someone has gained unauthorized user-level access.
  • Anomalous outbound traffic: Usually, attackers use various malware to steal data and send it to their Command-and-control server in off-hours. From this, researchers could obtain suspicious IP addresses, which could be a threat to the organization.
  • Chances of DDoS Attacks: Attackers may even try to shut down systems or services by flooding them with endless requests from a botnet-controlled network. Poor network or system performance (especially DNS servers) could be a sign of compromise or attack.

The battle against cyberattacks seems never-ending in today’s world as malicious actors discover numerous approaches to compromise an organization. By monitoring the indicators of compromise, your organization can at least have a head start to manage the loss caused by a threat actor. Early detection of an attack can help prevent compromises and save your organization millions of dollars.

Timely collection of IOCs in organizations can expedite identifying security incidents that go undetected by many security products. Sometimes when security teams recognize a recurring pattern of IOCs, they can easily update their security product to defend themselves against future attacks. Reliance on efficient cybersecurity strategies, techniques, and procedures with an exceptional AI-based advanced Intrusion Detection/Prevention Solution that helps establish a Zero Trust environment can significantly boost detection, response, and recovery times.
