Hackers often leave a subtle trail of evidence that can tell cybersecurity experts if an attack has occurred. If you know what you’re looking for, you can find these indicators of compromise (IoCs) in admin activity, DNS requests, and IP data. So what are they, and how can you spot an IoC?
May 06, 2020 · 4 min read
An IoC is a sign that an attack has already taken place; it’s the evidence of a breach having occurred. IoCs take many different forms, and knowing what to look for can help to limit the fallout of an attack.
Unlike other kinds of theft, a successful cyber attack can be hard to detect. Companies may not realize a data breach has occurred until long after the event. This could compound the consequences of a successful hack and leave you open to further exploitation.
If you're not aware that a hacker has compromised your server or database, you can’t limit the damage. You must be able to notify users if their information is stolen, but you can’t do that if you’re not certain a breach has even taken place.
You also need to be able to recognize the IoCs to allow for the implementation of preventative measures. If you have evidence of the attack, you can look for any weak points that might have facilitated it. You can even enact new security protocols to maintain better protection in the future.
IoCs are sometimes confused with indicators of attack (IoA), but these terms have two distinct meanings. The attack occurs before the compromise. Noticing an IoA will flag up an attack as it takes place, helping technicians to combat the assault in real-time. Finding an IoC can help you understand what has already happened.
IoAs may overlap with IoCs, of course. Noticing a surge in suspicious database requests as they come in would be an IoA, while a log of the surge after the fact is an IoC.
An IoC can take many forms, some more convincing than others. They can be subtle, so ideally, you’ll be able to corroborate one IoC with others. Here are five of the clearest IoC examples you’re likely to come across after a breach.
Suspicious database queries
Company databases are a favorite target for cybercriminals. They contain valuable information on customers, internal company records, and passwords. To access such databases, users send queries, so if you’ve logged an unusual spike in these communications, that could be an IoC. A high volume of requests occurring in a short space of time, sourced from the same device, is a clear red flag.
If the IoC suggests that a database was breached, it’s important that you carry out an audit of the data it contains. Does the database house user data or customer information? Could the hacker have accessed credit card details or passwords? The sooner you confirm the breach, the sooner you can contact users and prevent further damage.
Sometimes it’s clear that an attack took place, but the motivation is not immediately evident. Did a seemingly pointless DDoS operation crash a particular feature on a site and cause minor disruptions? Or could a much more serious attack have taken place elsewhere on the server? The attack you noticed could have been a diversion tactic.
An application layer attack is a classic example of this method. If you notice one, look elsewhere for IoCs in areas of the server or database that are likely to be more tempting targets.
Attackers will often mask their real locations by routing their traffic through proxy servers or other intermediary IP addresses. This makes it harder for authorities to track them, but an unexpected traffic origin can also act as a useful red flag.
If your core user base is in the US, a sudden influx of traffic and requests from users in Dubai could be a strong indicator that an attack took place. It’s worth keeping track of where the majority of legitimate server traffic comes from, so you can notice any anomalies.
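The two checks described above, a per-source request burst and a shift in where traffic comes from, as an added example in Python (not code from the original article or from NordVPN). The access records and the country baseline are constructed for the example, the country column stands in for a GeoIP lookup, the IP addresses are RFC 5737 documentation ranges, and the thresholds are assumed tuning values.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed baseline: share of legitimate traffic per country (an assumption;
# in practice this is learned from weeks of normal logs).
BASELINE_COUNTRIES = {"US": 0.95, "CA": 0.05}


def build_sample():
    """Constructed access records (timestamp, source IP, country). The country
    column stands in for a GeoIP lookup; addresses are RFC 5737 documentation ranges."""
    base = datetime(2020, 5, 6, 10, 0, 0)
    events = []
    # 40 legitimate requests spread over 40 minutes from a handful of North American sources
    for i in range(40):
        country = "CA" if i % 20 == 0 else "US"
        events.append((base + timedelta(minutes=i), f"198.51.100.{i % 5 + 1}", country))
    # 30 requests from a single source in Dubai inside 30 seconds: the burst the text describes
    for i in range(30):
        events.append((base + timedelta(minutes=15, seconds=i), "203.0.113.77", "AE"))
    return events


def burst_sources(events, threshold=20):
    """Sources that issued more than `threshold` requests within one clock minute.
    Fixed one-minute buckets keep this simple; `threshold` is an assumed tuning value."""
    per_minute = Counter((ip, ts.replace(second=0, microsecond=0)) for ts, ip, _ in events)
    flagged = {}
    for (ip, _), n in per_minute.items():
        if n > threshold:
            flagged[ip] = max(n, flagged.get(ip, 0))
    return flagged


def geo_anomalies(events, baseline, min_excess=0.10):
    """Countries whose share of requests exceeds their baseline share by more than
    `min_excess` (10 percentage points by default, an assumed tuning value)."""
    counts = Counter(country for _, _, country in events)
    total = sum(counts.values())
    return {
        country: n / total
        for country, n in counts.items()
        if n / total - baseline.get(country, 0.0) > min_excess
    }


if __name__ == "__main__":
    sample = build_sample()
    print("high-rate sources:", burst_sources(sample))
    print("geographic anomalies:", geo_anomalies(sample, BASELINE_COUNTRIES))
```

On the constructed sample, the Dubai source is the only one flagged on rate, and "AE" is the only country whose share of traffic sits well above its baseline; the legitimate US and Canadian sources never exceed one request per minute. Either finding alone is weak, which is why the article suggests corroborating one IoC with another before calling it a breach.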
Failed login attempts
Breaking into a network or server often involves a process of trial and error. An attacker may attempt multiple logins or requests before they access their target. To achieve this, they may use brute-forcing or credential-stuffing tools that try large numbers of password guesses until one works. A surge in failed login attempts indicates that someone tried to force their way into a company account. However, it won't confirm whether or not they were successful.
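A failed-login burst detector over sshd-style auth log lines, as an added example (not the article's own code). Because, as the text notes, a surge of failures alone does not show whether the attacker got in, the example also reports any accepted login from a flagged source shortly after its last failure. The log lines are constructed for the example in the common sshd message format, the addresses are RFC 5737 documentation ranges, the log year is assumed (syslog lines carry none), and the window and threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the standard sshd "Failed password ..." / "Accepted publickey ..." messages.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_line(line, year=2020):
    """Parse one auth log line; returns None for lines that are not sshd login results."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def build_sample_log():
    """Constructed auth log: a 12-attempt password-guessing burst followed by a success,
    plus one legitimate typo-and-retry from another host and an unrelated cron line."""
    users = ["admin", "root", "test", "oracle"]
    lines = []
    for i in range(12):
        u = users[i % 4]
        prefix = "" if u == "root" else "invalid user "
        lines.append(f"May  6 10:01:{i + 1:02d} web01 sshd[{1200 + i}]: Failed password for "
                     f"{prefix}{u} from 203.0.113.5 port {51100 + i} ssh2")
    lines.append("May  6 10:01:40 web01 sshd[1299]: Accepted password for deploy from 203.0.113.5 port 51190 ssh2")
    lines.append("May  6 10:02:00 web01 sshd[1300]: Failed password for alice from 198.51.100.9 port 40001 ssh2")
    lines.append("May  6 10:02:05 web01 sshd[1301]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2")
    lines.append("May  6 10:03:00 web01 CRON[1400]: pam_unix(cron:session): session opened for user root")
    return lines


def failed_login_bursts(events, window=timedelta(minutes=5), threshold=10):
    """Sources with more than `threshold` failures inside any sliding `window`.
    Returns {ip: (peak failures in a window, distinct usernames tried)}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = (peak, len({e["user"] for e in fails}))
    return flagged


def successes_after_burst(events, bursts, window=timedelta(minutes=5)):
    """Accepted logins from a flagged source within `window` after its last failure:
    the follow-up check that turns 'someone tried' into 'someone may have succeeded'."""
    hits = []
    for ip in bursts:
        last_fail = max(e["ts"] for e in events if e["ip"] == ip and e["result"] == "Failed")
        for e in events:
            if e["ip"] == ip and e["result"] == "Accepted" and timedelta(0) <= e["ts"] - last_fail <= window:
                hits.append((ip, e["user"], e["ts"]))
    return hits


if __name__ == "__main__":
    parsed = [e for e in map(parse_line, build_sample_log()) if e]
    bursts = failed_login_bursts(parsed)
    print("failed-login bursts:", bursts)
    print("accepted logins after a burst:", successes_after_burst(parsed, bursts))
```

The sliding window, rather than fixed buckets, matters here because a burst that straddles a minute boundary would otherwise be split and slip under the threshold. The distinct-username count is a useful second signal: many different names from one source looks like guessing, while many failures against one name looks like a forgotten password or a broken script.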
Suspicious admin activity
If an attacker is launching an operation against a server or website, their first port of call will often be the administrative accounts. A malicious actor can commandeer these profiles using a variety of techniques: from pretexting attacks to SQL injections. Then they can exploit these accounts to launch further intrusions.
It’s important that you monitor admin accounts and carry out regular checks for unusual activity. The sooner you detect irregular behavior on a profile, the sooner you can revoke the account's administrative access.
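One way to turn "regular checks for unusual activity" on admin accounts into code, as an added example (not the article's own): learn a per-account baseline of source addresses and active hours from past audit events, then flag later privileged actions that come from a never-seen source, fall outside the account's usual hours, or are inherently sensitive. The JSON-lines audit format, the account and action names, and the sensitive-action list are all assumptions constructed for the example; the addresses are RFC 5737 documentation ranges.

```python
import json
from datetime import datetime

# Constructed admin audit events (JSON lines). The schema is an assumption for this
# example, not any product's real audit format.
AUDIT_LOG = """\
{"ts": "2020-05-04T09:12:00", "user": "admin_jane", "ip": "198.51.100.20", "action": "login"}
{"ts": "2020-05-04T09:30:00", "user": "admin_jane", "ip": "198.51.100.20", "action": "update_user"}
{"ts": "2020-05-05T10:05:00", "user": "admin_jane", "ip": "198.51.100.21", "action": "login"}
{"ts": "2020-05-06T03:14:00", "user": "admin_jane", "ip": "203.0.113.88", "action": "login"}
{"ts": "2020-05-06T03:15:00", "user": "admin_jane", "ip": "203.0.113.88", "action": "create_user"}
{"ts": "2020-05-06T03:16:00", "user": "admin_jane", "ip": "203.0.113.88", "action": "grant_admin"}
"""

# Actions that deserve a look regardless of where they came from (assumed list).
SENSITIVE_ACTIONS = {"create_user", "grant_admin", "reset_password"}


def load_events(text):
    """Parse JSON-lines audit events, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def build_profile(events, learn_until):
    """Per-account baseline from events before `learn_until`: source IPs seen and hours active."""
    profile = {}
    for e in events:
        if e["ts"] >= learn_until:
            continue
        p = profile.setdefault(e["user"], {"ips": set(), "hours": set()})
        p["ips"].add(e["ip"])
        p["hours"].add(e["ts"].hour)
    return profile


def review_admin_activity(events, profile, review_from):
    """Return (user, action, ip, reasons) for each event at or after `review_from`
    that deviates from the account's baseline or performs a sensitive action."""
    findings = []
    for e in events:
        if e["ts"] < review_from:
            continue
        p = profile.get(e["user"], {"ips": set(), "hours": set()})
        reasons = []
        if e["ip"] not in p["ips"]:
            reasons.append("new source IP")
        if e["ts"].hour not in p["hours"]:
            reasons.append("outside usual hours")
        if e["action"] in SENSITIVE_ACTIONS:
            reasons.append("sensitive action")
        if reasons:
            findings.append((e["user"], e["action"], e["ip"], reasons))
    return findings


if __name__ == "__main__":
    evs = load_events(AUDIT_LOG)
    cutoff = datetime(2020, 5, 6)
    prof = build_profile(evs, cutoff)
    for finding in review_admin_activity(evs, prof, cutoff):
        print(finding)
```

In the constructed log, the account's two days of normal daytime use come from two internal addresses; the three events at 3 a.m. from an unfamiliar address, ending in a new user being granted admin rights, are exactly the pattern the text describes and would justify pulling the account's privileges while the activity is investigated. A real deployment would learn the baseline over a longer period and treat the first week of a new account specially, since it has no history yet.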
Finding an IoC is useful, but it’s only half of the solution. You should be working to counter attacks before they occur. Here are three actionable steps to reduce the risk of compromise: