What exactly is an Indicator of Compromise, and what does it mean for your organization? An Indicator of Compromise (IoC) is a sign that an attack has already taken place: evidence that a breach has occurred. IoCs take many forms, and knowing what to look for helps limit the fallout of an attack.
Unlike other kinds of theft, a successful cyber attack can be hard to detect. Companies may not realize that a data breach has occurred until long after the event, which compounds the consequences of the hack and leaves them open to further exploitation.
If you are not aware that an attacker has compromised your server or database, the damage cannot be contained. You must be able to notify users if their information is stolen, but you cannot do that if you are not certain a breach has even taken place. You also need to recognize IoCs in order to put preventative measures in place: if you have evidence of the attack, you can look for the weak points that facilitated it and adopt new security controls to maintain better protection in the future.
Indicators of Compromise versus Indicators of Attack
IoCs are sometimes confused with indicators of attack (IoAs), but the two terms have distinct meanings. The attack occurs before the compromise. Noticing an IoA flags an attack while it is taking place, helping responders combat it in real time. Finding an IoC helps you understand what has already happened.
IoAs may overlap with IoCs, of course. Noticing a surge of suspicious database requests as they arrive is an IoA; a log of that surge reviewed after the fact is an IoC.
Examples of Indicators of Compromise
An IoC can take various forms, and some are more convincing than others. They can be subtle, so ideally you will be able to corroborate one IoC with others before drawing conclusions. Here are five of the clearest IoC examples you are likely to come across after a breach.
· Suspicious Database Queries
Company databases are a favorite target for cybercriminals because they hold valuable information: customer records, internal company data, and credentials. Databases are accessed through queries, so an unusual spike in logged queries can be an IoC. A high volume of requests in a short space of time, all from the same source, is a clear red flag.
If the IoC suggests that a database was breached, you must audit the data it contains:
i. Does the database house user data or customer information?
ii. Could the hacker have accessed credit card details or passwords?
The sooner you confirm the breach, the sooner you can notify affected users and prevent further damage.
· Distraction Tactics
Sometimes it is clear that an attack took place, but the motivation behind it is not immediately evident.
i. Did a seemingly pointless DDoS operation crash a particular feature on a site and cause minor disruptions?
ii. Could a more serious attack have taken place elsewhere on the server?
The attack you noticed could have been a diversion. A noisy application-layer (Layer 7) DDoS is a classic example: while the team is busy restoring the affected feature, the real intrusion happens elsewhere. If you notice one, look for IoCs in the parts of the server or database that make more tempting targets.
· Geographical Anomalies
Attackers often mask their real locations by routing traffic through proxies, VPN exit nodes, or compromised third-party hosts. This makes it harder for authorities to track them, but the unexpected source location can also act as a useful red flag.
If your core user base is in the US, a sudden influx of traffic and requests from Dubai could indicate that an attack took place. It is worth keeping track of where the majority of legitimate server traffic comes from, so that you notice anomalies. Treat geography as corroborating evidence rather than proof on its own: legitimate users travel and use VPNs, and an attacker can just as easily route through an IP address in your home country.
· Failed Login Attempts
Breaking into a network or server often involves trial and error. An attacker may attempt many logins or requests before reaching their target, often with brute-forcing software that generates and submits candidate passwords until one matches. A surge in failed login attempts shows that someone tried to force their way into a company account; on its own, however, it does not confirm whether they succeeded. A burst of failures followed by a single successful login from the same source is the pattern that suggests they did.
· Suspicious Admin Activity
If an attacker is launching an operation against a server or website, their first port of call will often be the administrative accounts. A malicious actor can commandeer these accounts using a variety of techniques, from pretexting to SQL injection, and then use them to launch further intrusions.
You must monitor admin accounts and check regularly for unusual activity: logins at odd hours or from unfamiliar locations, new accounts or privilege grants, and changes to logging or security settings. The sooner you detect irregular behavior on an account, the sooner you can revoke its administrative access.
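Three of the indicators above (a query spike from one source, traffic from outside your normal geography, and a burst of failed logins that ends in a success) are all things you can pull out of logs you already keep. The following is an added example, not code from the original article: it runs simple detection logic over a constructed sample log. The log format (timestamp, source IP, country code, event type, account), the thresholds, and the sample data are all assumptions chosen for illustration.

```python
"""Added example: flag three IoCs from a constructed log.

Assumed log format (one event per line, space separated):
    <ISO timestamp> <source_ip> <country> <event> <account>
Event types used here: query, login_failed, login_ok.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample data for the example (not real traffic)."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    # Baseline: 10 queries spread over 10 minutes from a US host.
    for i in range(10):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 198.51.100.4 US query alice")
    # Suspicious database queries: 30 queries in 30 seconds from one host.
    for i in range(30):
        lines.append(f"{(base + timedelta(minutes=2, seconds=i)).isoformat()} 203.0.113.7 US query svc_report")
    # Geographic anomaly: a host outside the US baseline starts querying ...
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=5, seconds=10 * i)).isoformat()} 192.0.2.9 AE query bob")
    # ... then brute-forces the admin account: 8 failures followed by a success.
    for i in range(8):
        lines.append(f"{(base + timedelta(minutes=7, seconds=5 * i)).isoformat()} 192.0.2.9 AE login_failed admin")
    lines.append(f"{(base + timedelta(minutes=7, seconds=45)).isoformat()} 192.0.2.9 AE login_ok admin")
    return "\n".join(lines)


def parse(log_text):
    """Parse log lines into dicts; malformed or blank lines are skipped."""
    events = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, ip, country, event, account = fields
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "country": country, "event": event, "account": account})
    return events


def request_spikes(events, event_type="query", window=timedelta(seconds=60), threshold=20):
    """Return {source_ip: peak_count} for sources that issued at least
    `threshold` events of `event_type` inside any sliding `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == event_type:
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        recent = deque()
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:   # drop events that fell out of the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def geo_anomalies(events, baseline_countries):
    """Return {country: event_count} for traffic from outside the baseline."""
    return dict(Counter(e["country"] for e in events if e["country"] not in baseline_countries))


def failed_login_bursts(events, threshold=5):
    """Per (source_ip, account): count failed logins and record whether a
    success followed at least `threshold` failures from the same source.
    Only pairs that reached the threshold are returned."""
    state = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] not in ("login_failed", "login_ok"):
            continue
        s = state.setdefault((e["ip"], e["account"]), {"failures": 0, "succeeded": False})
        if e["event"] == "login_failed":
            s["failures"] += 1
        elif s["failures"] >= threshold:   # a success after a burst of failures
            s["succeeded"] = True
    return {k: v for k, v in state.items() if v["failures"] >= threshold}


if __name__ == "__main__":
    events = parse(build_sample_log())
    print("Request spikes:", request_spikes(events))
    print("Traffic outside baseline:", geo_anomalies(events, {"US"}))
    print("Failed-login bursts:", failed_login_bursts(events))
```

On the sample data the spike detector flags only 203.0.113.7 (30 queries in one minute, while the baseline host never exceeds two), the geography check reports 12 events from AE, and the login check reports eight failures against admin from 192.0.2.9 followed by a success. The last result is the one that turns a weak indicator (failed logins) into a strong one, and it is the same source as the geographic anomaly, which is exactly the kind of corroboration the text recommends.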
Preventing a Breach
Finding an IoC is very useful, but it is only half of the solution. You should also be working to counter attacks before they occur. Here are three actionable steps to reduce the risk of compromise:
· Ensure that employees use a VPN on untrusted networks. This encrypts their traffic in transit and lowers the risk of it being intercepted or tampered with.
· Use centrally managed application controls (allowlisting) to block high-risk activity on company hardware, reducing the threat of a malware infection.
· Regularly raise employee awareness of best practices and update security policies. This encourages individuals to stay alert for pretexting scams and other forms of social engineering.