17 Common Indicators of Compromise

On a sunny summer vacation day, your childhood self is running around a playground looking everywhere for a small piece of paper as part of a treasure hunt. Each clue you find leads to another, then another, until you finally locate the hidden treasure. Investigating a security incident is similar to this process, but instead of clues written on paper, your clues are digital artifacts that attackers left in your systems.

These digital artifacts are called indicators of compromise (IoCs). As every good mystery novel reminds you, every criminal makes a mistake and leaves behind a clue. IoCs can be anything from an unusual login to an unauthorized file change: the tiny changes to your complex systems that attackers hope will go unnoticed.

For security teams, knowing the most common indicators of compromise can improve key threat detection, investigation, and response (TDIR) metrics, like mean time to investigate (MTTI) and mean time to contain (MTTC).

What are indicators of compromise (IoCs)?

Indicators of compromise (IoCs) are the clues that threat actors leave behind after gaining unauthorized access to systems, networks, and devices. Security teams can search their environments for these clues to confirm a security incident or data breach. By monitoring IoCs in real time, security teams proactively mitigate risk.

IoCs fall into the following categories:

  • Network-based: unusual traffic patterns that indicate potential phishing, malware, unauthorized access, or other sophisticated attacks, with symptoms like suspicious IP addresses or malicious domain names
  • Host-based: activities on individual systems or endpoints, like unexpected changes in system settings, processes, or permissions
  • Email-based: signs of phishing or malware in suspicious emails, including malicious attachments, strange email addresses, spoofed sender information, spikes in spam, odd messages from known contacts, or unusual email patterns
  • Behavioral: suspicious user behavior that can indicate an account takeover, like odd login actions or unusual network traffic
  • Third-party: threat intelligence that provides insight into new and evolving threats, often through an application programming interface (API) so security teams can incorporate the data into their security information and event management (SIEM) solution

17 Common Indicators of Compromise

By detecting unusual system behavior as quickly as possible, you can reduce an incident’s severity and potential impact. By looking for these common IoCs, you can take a more proactive approach to security.

1. Network traffic anomalies

Network traffic anomalies can indicate potential data theft or connection to a threat actor’s command and control (C2) infrastructure. For example, a sudden spike in data transfers can indicate attackers exfiltrating sensitive information.

2. Unusual sign-in attempts

As part of monitoring user access, you should look for unusual sign-in attempts that can indicate an account takeover attack or credential stuffing attack. Some examples of this behavior include login attempts from unexpected geographic locations or multiple failed logins in a short timeframe.

3. Geographical anomalies

Most organizations know where their employees work or know their travel patterns. Any geographical anomaly in user access or server communications can indicate a potential incident. Additionally, some geographic regions are known to be havens for cybercriminals, so you may want to focus monitoring on those areas.
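As an added example (not code from the original post or from Graylog), the following Python script applies the checks from items 2 and 3 to a few constructed authentication log lines: a burst of failed logins for one account inside a short window, a successful login from a country outside the account's baseline, and two successful logins from different countries closer together in time than a person could travel. The log format, the per-account country baseline in KNOWN_COUNTRIES, and the thresholds are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format), one event per line, in time order:
# "<ISO-8601 timestamp> <account> <OK|FAIL> <ISO country code>"
SAMPLE_AUTH_LOG = """\
2024-03-01T08:00:01 alice FAIL US
2024-03-01T08:00:05 alice FAIL US
2024-03-01T08:00:09 alice FAIL US
2024-03-01T08:00:12 alice FAIL US
2024-03-01T08:00:15 alice FAIL US
2024-03-01T08:00:20 alice OK US
2024-03-01T09:15:00 bob OK DE
2024-03-01T09:16:30 bob OK BR
2024-03-01T10:00:00 carol OK US
"""

# Assumed baseline: the countries each account normally signs in from.
# In a real deployment this would be learned from past logins or HR data.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"DE"}, "carol": {"US", "CA"}}


def parse_auth_log(text):
    """Parse the constructed format into (timestamp, account, result, country)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, result, country = line.split()
        events.append((datetime.fromisoformat(ts), account, result, country))
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Return (account, timestamp) whenever an account reaches `threshold`
    failed logins inside a sliding `window`; fires once per burst."""
    recent = defaultdict(deque)
    alerts = []
    for ts, account, result, _ in events:
        if result != "FAIL":
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) == threshold:        # == so the burst alerts once, not on every extra failure
            alerts.append((account, ts))
    return alerts


def geo_anomalies(events, known=KNOWN_COUNTRIES):
    """Successful logins from a country not in the account's baseline."""
    return [(account, country, ts) for ts, account, result, country in events
            if result == "OK" and country not in known.get(account, set())]


def impossible_travel(events, max_gap=timedelta(hours=1)):
    """Two successful logins by one account from different countries
    closer together than `max_gap`: faster than the person could have moved."""
    last = {}
    alerts = []
    for ts, account, result, country in events:
        if result != "OK":
            continue
        if account in last:
            prev_ts, prev_country = last[account]
            if prev_country != country and ts - prev_ts <= max_gap:
                alerts.append((account, prev_country, country, ts))
        last[account] = (ts, country)
    return alerts


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    for a in failed_login_bursts(evts):
        print("failed-login burst:", a)
    for a in geo_anomalies(evts):
        print("login from new country:", a)
    for a in impossible_travel(evts):
        print("impossible travel:", a)
```

On the sample, alice trips the failed-login burst at her fifth failure, and bob's logins from DE and BR ninety seconds apart trip both the new-country check and the impossible-travel check. Each of the three checks is independent, so they can be tuned (or disabled for service accounts that legitimately roam) separately.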

4. Privileged account irregularities

Privileged accounts, both human and machine, have more access to sensitive data, resources, and assets than standard accounts. Attackers target these accounts so they can gain unauthorized access to sensitive information or move laterally across networks.

5. Changes to system configurations

To weaken defenses or evade detection, attackers often make unapproved changes to system configurations. For example, these new changes may indicate that malware introduced a backdoor so attackers can maintain their presence in systems and achieve objectives.

6. Unexpected software installations or updates

Typically, IT departments define the approved software that users can install. When people install unauthorized software, they may be adding malicious applications to devices. When users are unaware of unauthorized downloads, it might be a malware infection that attackers can use to gain unauthorized access or to deploy additional malware, like ransomware.

7. Numerous requests for the same file

As organizations moved to the cloud, they implemented access controls around resource and file access. Multiple requests for access to the same file can indicate that attackers are attempting to gain initial access or are using unauthorized access to explore networks and systems.

8. Unusual Domain Name System (DNS) requests

Unusual and high volumes of DNS queries can indicate a malware infection and attackers trying to download data, especially when the requests come from unexpected geographic locations. These indicators are most common when attackers install malware on a server and create a connection to their C2 infrastructure.
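The two DNS signals above, query volume and unusual query names, can be checked with a few lines of Python. The script below is an added example, not code from the original post or from Graylog. It runs over a constructed query log (source IP and queried name per line; all addresses and domain names are made up, and badexample.test uses the reserved .test TLD) and flags sources that issue many queries, query names whose longest label is long and high-entropy (a common heuristic for encoded data in DNS names), and the number of queries per registered domain per source. The thresholds are assumptions to be tuned against your own traffic.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (assumed format), one query per line:
# "<source IP> <queried name>". The long random-looking labels under
# badexample.test stand in for data encoded into subdomain labels.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 cdn.example.com
10.0.0.9 a9f3k2x7q1m4z8p0w5r6t3y2.badexample.test
10.0.0.9 b7c1d4e9f2g6h3j8k5l0m2n4.badexample.test
10.0.0.9 c2x8v4b6n1m3a5s7d9f0g2h4.badexample.test
10.0.0.9 d4r6t8y0u2i4o6p8a1s3d5f7.badexample.test
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking strings score high,
    ordinary hostnames like 'www' or 'mail' score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Split the constructed format into (source, qname) pairs."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def noisy_sources(text, threshold=4):
    """Sources that issued at least `threshold` queries in the sample."""
    counts = Counter(src for src, _ in parse_dns_log(text))
    return sorted(src for src, n in counts.items() if n >= threshold)


def suspicious_queries(text, min_label_len=20, min_entropy=3.0):
    """Queries whose longest label is both long and high-entropy."""
    hits = []
    for src, qname in parse_dns_log(text):
        label = max(qname.split("."), key=len)
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits.append((src, qname))
    return hits


def queries_per_domain(text):
    """Queries per registered domain per source. Many distinct subdomains of
    one domain from one host stand out here. The last two labels are used as
    the 'domain', which is a simplification (it mishandles names like co.uk)."""
    counts = defaultdict(Counter)
    for src, qname in parse_dns_log(text):
        domain = ".".join(qname.split(".")[-2:])
        counts[src][domain] += 1
    return counts


if __name__ == "__main__":
    print("noisy sources:", noisy_sources(SAMPLE_DNS_LOG))
    for src, qname in suspicious_queries(SAMPLE_DNS_LOG):
        print("high-entropy label:", src, qname)
    for src, per_domain in queries_per_domain(SAMPLE_DNS_LOG).items():
        print(src, dict(per_domain))
```

In the sample, 10.0.0.9 is the only source that is both noisy and querying long random labels under a single domain, which is the combination worth escalating; a source that is merely noisy (a busy mail server, a monitoring host) is a much weaker signal on its own. Content-delivery and cloud hostnames can also contain long, hash-like labels, so in practice the entropy check needs an allow list of known domains.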

9. Swells in database read volume

Increased database read volume can indicate that attackers are exploring your systems to find sensitive data. Before attackers steal sensitive information, they have to explore databases to find it. When attackers attempt to steal this information, their activities will generate a higher read volume than normal.
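Items 1 and 9 describe the same detection problem: a volume (bytes leaving a host, rows read from a database) that suddenly exceeds its own recent baseline. The Python below is an added example, not code from the original post or from Graylog, and the two series it runs on are constructed. It shows a rolling mean-plus-standard-deviation detector and a median/MAD variant, and the constructed egress series is built so that a second, smaller spike follows the first: the mean/stdev baseline is contaminated by the first spike and misses the second, while the median-based baseline catches both. Window sizes and thresholds are assumptions.

```python
import statistics

# Constructed series. Egress: daily outbound megabytes for one host, with a
# large spike on day 9 and a smaller one on day 11. DB reads: hourly row
# reads for one database, with a single spike in hour 8.
DAILY_EGRESS_MB = [120, 130, 125, 118, 135, 128, 122, 126, 131, 2400, 124, 900]
HOURLY_DB_READS = [5000, 5200, 4800, 5100, 4900, 5300, 5000, 5050, 21000, 5100]


def volume_anomalies(series, window=7, threshold=3.0, min_std=1.0):
    """Indexes whose value exceeds mean + threshold * stdev of the preceding
    `window` samples. `min_std` keeps a perfectly flat baseline from
    flagging any tiny change."""
    flagged = []
    for i in range(window, len(series)):
        baseline = series[i - window:i]
        mean = statistics.fmean(baseline)
        std = max(statistics.pstdev(baseline), min_std)
        if series[i] > mean + threshold * std:
            flagged.append(i)
    return flagged


def robust_anomalies(series, window=7, threshold=3.0, min_mad=1.0):
    """Same idea with median and median absolute deviation (MAD) as the
    baseline. 1.4826 scales MAD to a stdev-equivalent for normal data, so the
    same `threshold` is comparable. A single earlier spike barely moves the
    median, so it does not hide later spikes the way it inflates the mean."""
    flagged = []
    for i in range(window, len(series)):
        baseline = series[i - window:i]
        med = statistics.median(baseline)
        mad = statistics.median([abs(x - med) for x in baseline])
        scale = max(1.4826 * mad, min_mad)
        if (series[i] - med) / scale > threshold:
            flagged.append(i)
    return flagged


def report(name, series):
    """Lines describing each flagged point under both detectors."""
    lines = []
    for label, fn in (("mean/stdev", volume_anomalies), ("median/MAD", robust_anomalies)):
        for i in fn(series):
            lines.append(f"{name}: sample {i} = {series[i]} flagged by {label}")
    return lines


if __name__ == "__main__":
    for line in report("egress", DAILY_EGRESS_MB) + report("db-reads", HOURLY_DB_READS):
        print(line)
```

On the egress series the mean/stdev detector flags only day 9: once 2400 MB enters the seven-day baseline, the standard deviation balloons and the 900 MB day slips under the threshold. The median/MAD detector flags both days 9 and 11. Both agree on the single database-read spike. In a SIEM this per-entity baseline would be computed for every host or database rather than one series at a time.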

10. HTML response sizes

Web applications often have larger HTML response sizes when attackers are trying to deploy an attack against them. For example, in a SQL injection attack, the database connected to the application will try to send more data than usual, increasing the HTML response size.

11. Mismatched port-application traffic

Applications typically define the accepted ports for transmitting data. For example, ports 0 through 1023 are often used by common, well-known services, like system processes, operating system components, and default applications. If an application is using an unusual port, an attacker may be trying to evade detection.
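The port-versus-application check only works when a protocol-aware sensor (Zeek, for example) records which application protocol it actually observed on a connection, not just the port number. The Python below is an added example, not code from the original post or from Graylog. It runs over constructed flow records and flags two cases: a well-known port carrying a different service than expected (ssh on 443, http on 53), and a known service on a port it is not normally seen on. The port tables are assumptions that a real deployment would replace with its own inventory; flows whose service the sensor could not identify are skipped because they need a different check.

```python
from collections import Counter

# Assumed tables: the service expected on each well-known port, and the ports
# each service is normally seen on. Derive these from your own inventory.
EXPECTED_SERVICE = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "tls"}
STANDARD_PORTS = {"ssh": {22}, "smtp": {25, 587}, "dns": {53},
                  "http": {80, 8080}, "tls": {443, 8443}}

# Constructed flow records in the shape a protocol-aware sensor would emit:
# destination port plus the application protocol actually observed.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "service": "tls"},
    {"src": "10.0.0.5", "dst": "203.0.113.11", "dport": 443, "service": "ssh"},
    {"src": "10.0.0.8", "dst": "203.0.113.12", "dport": 53, "service": "http"},
    {"src": "10.0.0.9", "dst": "203.0.113.13", "dport": 8022, "service": "ssh"},
    {"src": "10.0.0.9", "dst": "203.0.113.14", "dport": 8080, "service": "http"},
    {"src": "10.0.0.9", "dst": "203.0.113.15", "dport": 9999, "service": "unknown"},
]


def port_service_mismatches(flows, expected=EXPECTED_SERVICE, standard=STANDARD_PORTS):
    """Return (flow, reason) for flows whose observed protocol does not fit
    the destination port. Flows with an unidentified service are skipped."""
    findings = []
    for f in flows:
        port, svc = f["dport"], f["service"]
        if svc not in standard:
            continue
        if port in expected and expected[port] != svc:
            findings.append((f, f"port {port} expected {expected[port]}, saw {svc}"))
        elif port not in standard[svc]:
            findings.append((f, f"{svc} on non-standard port {port}"))
    return findings


def mismatch_summary(flows):
    """Number of findings per source host, for triage ordering."""
    return Counter(f["src"] for f, _ in port_service_mismatches(flows))


if __name__ == "__main__":
    for flow, reason in port_service_mismatches(SAMPLE_FLOWS):
        print(f"{flow['src']} -> {flow['dst']}:{flow['dport']}  {reason}")
    print(dict(mismatch_summary(SAMPLE_FLOWS)))
```

Three of the six sample flows are flagged; http on 8080 is not, because that port is in the service's allowed set. Expect the non-standard-port branch to be the noisier of the two (administrators do run ssh on alternate ports), so it is the one to back with an allow list, while a well-known port carrying the wrong protocol outright is the stronger signal.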

12. Suspicious registry or system file changes

After gaining an initial foothold, attackers often make changes to registries and system files to establish and maintain persistence. For example, attackers often install additional malware and tools once they have unauthorized system access.

13. Influx of spam emails

A sudden increase in spam emails can be related to an attack in two different ways. Attackers may compromise an email account and use it to send emails to other employees. Additionally, spam emails are often part of phishing attacks, so a sudden influx of these messages may indicate that attackers are targeting the organization.

14. Moved or aggregated data

When attackers are preparing to exfiltrate data, they often try to create a collection point to evade detection. With data transferring quickly from one or two locations, security teams may not detect the issues until the attackers complete the process. For example, attackers may try to move files to a recycle bin’s root folders where no one would think to look.

15. Non-human website traffic

Threat actors often use bots to deploy attacks, like brute force or Distributed Denial of Service (DDoS) attacks. Some indicators of non-human website traffic include:

  • Abnormally high pageviews and bounce rates
  • Anomalous session durations
  • Traffic spikes from unexpected locations
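The three indicators in the list above can be computed straight from a web access log. The Python below is an added example, not code from the original post or from Graylog. It groups constructed access-log lines by client address, derives pageviews, session duration and seconds per page for each client, flags clients that view many pages faster than a person could read them, and computes the bounce rate (single-pageview sessions) across all clients. Treating one client address as one session is a simplification, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed access log (assumed format), one request per line:
# "<client IP> <ISO-8601 timestamp> <path>". The first client walks eight
# pages in two seconds; the second browses at a human pace; the third views
# one page and leaves.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 2024-03-01T12:00:00 /
198.51.100.7 2024-03-01T12:00:00 /products
198.51.100.7 2024-03-01T12:00:01 /about
198.51.100.7 2024-03-01T12:00:01 /contact
198.51.100.7 2024-03-01T12:00:01 /blog
198.51.100.7 2024-03-01T12:00:02 /careers
198.51.100.7 2024-03-01T12:00:02 /pricing
198.51.100.7 2024-03-01T12:00:02 /login
192.0.2.20 2024-03-01T12:00:00 /
192.0.2.20 2024-03-01T12:01:30 /products
192.0.2.20 2024-03-01T12:04:10 /pricing
192.0.2.33 2024-03-01T12:05:00 /
"""


def session_stats(text):
    """Per client: pageviews, session duration in seconds, seconds per page.
    One client address is treated as one session (a simplification)."""
    first, last, views = {}, {}, defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, ts, _path = line.split()
        t = datetime.fromisoformat(ts)
        first[ip] = min(first.get(ip, t), t)
        last[ip] = max(last.get(ip, t), t)
        views[ip] += 1
    stats = {}
    for ip in views:
        duration = (last[ip] - first[ip]).total_seconds()
        stats[ip] = {"pageviews": views[ip], "duration_s": duration,
                     "seconds_per_page": duration / views[ip]}
    return stats


def likely_bots(text, min_pageviews=5, max_seconds_per_page=1.0):
    """Clients with many pageviews at a rate no reader could sustain."""
    return sorted(ip for ip, s in session_stats(text).items()
                  if s["pageviews"] >= min_pageviews
                  and s["seconds_per_page"] <= max_seconds_per_page)


def bounce_rate(text):
    """Fraction of sessions that consist of exactly one pageview."""
    stats = session_stats(text)
    if not stats:
        return 0.0
    return sum(1 for s in stats.values() if s["pageviews"] == 1) / len(stats)


if __name__ == "__main__":
    for ip, s in session_stats(SAMPLE_ACCESS_LOG).items():
        print(ip, s)
    print("likely bots:", likely_bots(SAMPLE_ACCESS_LOG))
    print(f"bounce rate: {bounce_rate(SAMPLE_ACCESS_LOG):.2f}")
```

Only 198.51.100.7 is flagged. A single bounce does not mean much; the useful signal is a bounce rate or pageview rate that departs from the site's own baseline, which is what the volume detector shown under item 9 is for once these per-session numbers are aggregated per hour. Search-engine crawlers will trip the pageview-rate check too, so a known-crawler allow list belongs in front of it.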

16. Changes to mobile devices

Attackers increasingly target mobile devices because employees often use them for work. For example, a smartphone that starts running slowly might have mobile malware on it. If your organization provides and manages mobile devices, looking for configuration changes and new profiles can help identify a potential attack.

17. System outages or reduced performance

When attackers deploy a DDoS attack, they send high volumes of requests to servers. Clogged with so many requests, the servers are unable to respond, disrupting services. In some cases, threat actors use a DDoS attack to distract security teams so they won’t detect a different attack, like a ransomware deployment.

Graylog Security: Cut Through the Noise with Contextual Risk Scoring

While IoCs provide valuable insight into activities happening across your environment, they often lack context, which can lead to false positives. For example, an offline network device could be causing network latency or a system outage, not a DDoS attack. Without context, security teams find themselves investigating alerts that may be unrelated to a security incident or data breach.

Graylog Security’s contextual risk scoring, powered by Detection Chains, amplifies real threats and suppresses the rest. By leveraging threat intelligence and our risk scoring, you can prioritize response based on asset criticality and connect the dots between alerts to reduce alert fatigue.

To see how Graylog Security gives you the SIEM that never asks you to compromise, contact us today.
