Indicators of compromise (IOCs): What are they and how do they work?

Successful cyberattacks can be hard to detect, essentially giving criminals an all-access pass to your network and leaving you open to further exploitation. In other words, if you’re unaware that a hacker has compromised your server or database, you can’t limit the damage. You must be able to notify users if their information is stolen, but you can’t do that if you’re not certain a breach has even taken place.

You also need to be able to recognize the IOCs to allow for the implementation of preventative measures. If you have evidence of the attack, you can look for any weak points that might have facilitated it. You can even enact new security protocols to maintain better protection in the future.

Indicators of compromise are a key part of cyber threat monitoring, helping companies stay safe. To find the IOC, you’ll need an all-round cybersecurity system starting with regular system checks and real-time monitoring. To know exactly what you should be looking for, you can use threat intelligence feeds — they’ll provide up-to-date IOCs.

When you find a piece of evidence, it’s important to analyze it. Your cybersecurity team has to determine whether it’s not a false positive and, if it’s not, assess how severe the situation is. Lastly, you need to set up an appropriate incident response plan. For example, automatic alerts should be enabled to notify the team of a possible security incident, while a containment plan should define how to efficiently isolate the affected system.

IOCs can be categorized in several ways. If you take the nature of the IOCs, you’ll find four main types:

• Behavioral. Behavioral IOCs, such as unusual account activity or spikes in networks, suggest that the system has been compromised.
• File based. They are related to specific files that can be identified through hash values or names that have been involved in malicious attacks previously.
• Network. Network-based IOCs can be seen within network traffic, such as IP addresses, domain names, and URLs associated with malicious sites.
• Host-based. Registry key changes, new user accounts, or disabled security features all constitute host-based IOCs, found on hosts such as individual computers.

Here are several indicators of compromise examples:

• Suspicious database queries. For example, a high number of user queries occurring in a short space of time, especially if sourced from the same device, is a clear red flag.
• Geographical anomalies. If your core user base is in the US, a sudden influx of traffic and requests from users in Dubai could be a strong indicator that an attack took place.
• Failed login attempts. To break into a network, an attacker may attempt multiple logins or requests before they access their target. The surge in failed login attempts can prove that someone tried to force their way into a company account.
• Suspicious admin activity. A malicious actor will likely start an attack by targeting administrative accounts using techniques such as pretexting attacks and SQL injections. It’s important to monitor admin accounts and carry out regular checks for unusual activity.
• Abnormal outbound traffic. While we’ve talked a bit about suspicious traffic coming in, a spike in data being transferred out of the network can also be indicative of data exfiltration.
• Unusual DNS requests. Multiple failed domain name server (DNS) lookups or a large number of queries to domains that are not associated with business operations is likely an attempt by malware to locate its command and control (C2) servers.
• Increased requests for the same files. A spike in read-and-write requests for the same sensitive files could indicate that an attacker is trying to exfiltrate data, so monitoring patterns of file access is an important part of finding IOCs.
• Unauthorized software. If there are signs that software was installed or updated without permission, especially applications used by software administrators, it’s likely a sign of a malicious attack.

An IOC can take many forms, some more convincing than others. They can be subtle, so ideally, you’ll be able to corroborate one IOC with others. Various tools, such as intrusion detection systems (IDS), machine learning, and AI, can help detect them efficiently. For example, not only endpoint detection and response tools can monitor endpoint and network events but they can also record the information in a central database that can later be analyzed further.

IOCs are sometimes confused with indicators of attack (IOA), but these terms have two distinct meanings. An IOC is like a footprint in a crime scene. It can help you understand what has already happened. But an IOA can identify and even prevent a cyberattack in real time. In other words, indicators of attack are like hearing someone break a window and calling the police. IOAs may overlap with IOCs, of course. Noticing a surge in suspicious database requests as they come in would be an IOA, while a log of the surge after the fact is an IOC.

Static or dynamic?

IOC is the evidence attackers leave behind. Like detectives have strict procedures for analyzing a crime scene, studying IOCs also has set patterns. While the IOCs themselves are primarily static, the tools for analyzing them evolve all the time. But IOAs are dynamic because how you protect your network depends on your company, processes, and the ever-changing cybersecurity landscape.

Proactive or reactive?

Indicators of attack are proactive and focus on noticing the behavior patterns of an attacker — you’re taking steps to ensure your system stays secure in the future. On the other hand, indicators of compromise are reactive because you have to take these pieces of evidence that indicate an attack took place and glue them into a cohesive story.

Different types of cyberattacks can leave various IOCs but discovering them should start with confirming that the evidence of the attack is real. If it is real, you will need to act quickly, so it’s better to have a plan prepared ahead of time. IOCs indicate that there was an attack, but it doesn’t mean that it’s over. Cybercriminals may still have access to your network, so detecting and containing the malware should be your first priority.

We’ve already talked about the importance of evaluating the severity of the breach, but learning from the incident is no less important. Setting up training to help employees recognize threats and even using honeypots to catch the attackers are just a few ways you can respond to an IOC.