Indicators of Compromise
Rajeev Kumar
Director | Cyber Security Trainer | SME | Security Architect | Public Speaker | NGO | Founder
Indicators of compromise (IOCs) are forensic artifacts that point to a potential intrusion or to unusual activity on a host or network.
• These artifacts enable information security (InfoSec) professionals to detect intrusion attempts and other malicious activity. Security researchers also use IOCs to analyze a particular malware family's techniques and behaviour.
• Typical IOCs include anomalous user behaviour, unwarranted file activity, unusual network traffic, and more.
• IOCs also provide actionable threat intelligence that can be shared and matched against other environments.
• InfoSec professionals and IT/system administrators employ tools that monitor for IOCs to help detect, mitigate and prevent breaches or attacks.
Many of these artifacts are found in event logs and timestamped entries on the system, as well as in its applications and services. Common categories are listed below.
DNS
• DNS request anomalies (unusual query volume, many distinct or random-looking subdomains, queries to newly seen domains)
• Tampered file, Domain Name System (DNS) and registry configurations, as well as changes to system settings, including those on mobile devices
Data | Database
• A rise in database read volume beyond the normal baseline
• Large amounts of compressed files or data bundles in incorrect or unexplained locations (often staging for exfiltration)
Network
• Unusual traffic going into or out of the network
• Network traffic on ports that are rarely used
• Connections to or from known-malicious IP addresses
• Mismatched port-application traffic (e.g. a protocol other than the expected one on a well-known port)
• Web traffic with non-human behaviour (automated request timing, no referrer or cookies, identical request patterns)
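Two of the network-side indicators above (DNS request anomalies and mismatched port-application traffic) are easy to check over logs. The script below is an added example, not code from the original article: it runs over constructed DNS and flow log lines, flags a client that queries many distinct high-entropy subdomains under one parent domain (a common DNS-tunnelling or DGA signal), and flags flows whose inspected application protocol does not match what the organisation expects on that port. The log formats, thresholds and the expected port-to-protocol map are assumptions for the example.

```python
"""Added example: two network-side IOC checks over constructed log lines.

1. DNS request anomalies: one client issuing many distinct, random-looking
   subdomains under a single parent domain.
2. Mismatched port-application traffic: a protocol seen on a port where
   something else is expected (e.g. SSH on 443, TLS on 53).

Log formats, thresholds and EXPECTED_APP are assumptions for this example.
"""
import math
from collections import defaultdict

# Constructed DNS query log: "<time> <client_ip> <queried_name>" (assumed format).
DNS_LOG = """\
10:00:01 10.0.0.5 www.example.com
10:00:02 10.0.0.5 mail.example.com
10:00:03 10.0.0.9 a3f9c2e1b7d4.tunnel.example-cdn.net
10:00:03 10.0.0.9 9e8d7c6b5a4f.tunnel.example-cdn.net
10:00:04 10.0.0.9 1f2e3d4c5b6a.tunnel.example-cdn.net
10:00:04 10.0.0.9 7a6b5c4d3e2f.tunnel.example-cdn.net
10:00:05 10.0.0.5 www.example.com
"""

# Constructed flow log with the protocol identified by inspection:
# "<time> <src_ip> <dst_ip>:<dst_port> <app_protocol>" (assumed format).
FLOW_LOG = """\
10:00:10 10.0.0.5 203.0.113.8:443 tls
10:00:11 10.0.0.9 203.0.113.7:443 ssh
10:00:12 10.0.0.9 203.0.113.7:53 tls
10:00:13 10.0.0.5 203.0.113.9:80 http
"""

# What the organisation expects on each port (assumption for the example).
EXPECTED_APP = {443: {"tls"}, 80: {"http"}, 53: {"dns"}, 22: {"ssh"}}


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))


def parent_domain(qname):
    """Crude parent: the last two labels (does not handle suffixes like co.uk)."""
    return ".".join(qname.split(".")[-2:])


def dns_anomalies(log, min_distinct=4, min_entropy=3.0):
    """Return [(client, parent, distinct_names, mean_entropy), ...] for clients
    that queried at least min_distinct distinct names under one parent domain
    whose leftmost labels average at least min_entropy bits per character."""
    seen = defaultdict(set)  # (client, parent) -> set of queried names
    for line in log.splitlines():
        _, client, qname = line.split()
        seen[(client, parent_domain(qname))].add(qname)
    hits = []
    for (client, parent), names in seen.items():
        if len(names) < min_distinct:
            continue
        mean_ent = sum(shannon_entropy(n.split(".")[0]) for n in names) / len(names)
        if mean_ent >= min_entropy:
            hits.append((client, parent, len(names), round(mean_ent, 2)))
    return hits


def port_app_mismatches(log, expected=EXPECTED_APP):
    """Return [(src, dst, port, app), ...] where the observed application
    protocol is not what that destination port is expected to carry."""
    hits = []
    for line in log.splitlines():
        _, src, dst_port, app = line.split()
        dst, port = dst_port.rsplit(":", 1)
        port = int(port)
        if port in expected and app not in expected[port]:
            hits.append((src, dst, port, app))
    return hits


if __name__ == "__main__":
    for hit in dns_anomalies(DNS_LOG):
        print("DNS anomaly:", hit)
    for hit in port_app_mismatches(FLOW_LOG):
        print("Port/application mismatch:", hit)
```

On the constructed input, client 10.0.0.9 is flagged for four distinct twelve-character hex labels under example-cdn.net, and the same host is flagged twice for SSH on 443 and TLS on 53. In production the entropy threshold needs tuning against legitimate CDN and cloud hostnames, which are also random-looking.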
User Accounts
• Anomalies in administrator or privileged user accounts, including requests for additional permissions
• Login red flags: an uptick in failed logins or access requests, which may indicate a brute-force attack
• Dubious logins, access and other network activity that indicate probing or brute-force attempts, such as a successful login immediately after a burst of failures
Geographical irregularities
• Traffic to or from countries in which the organization does not do business
• Traffic congestion at a specific site or location
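The account and geographic indicators above can be checked together from authentication events. The script below is an added example, not code from the original article: over constructed login records it counts failed logins per source in a sliding window to flag brute forcing, reports a successful login from a source that was just flagged, and reports successful logins from countries outside an allow-list. The log format, thresholds, window, allow-list and the IP-to-country table are assumptions; a real deployment would use a GeoIP database and the SIEM's own event schema.

```python
"""Added example: account-level and geographic IOC checks over constructed
authentication events. Format, thresholds, GEO and ALLOWED_COUNTRIES are
assumptions for this example, not anything from the original article."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth log: "<ISO time> <FAIL|OK> user=<name> src=<ip>" (assumed format).
AUTH_LOG = """\
2024-05-01T09:00:00 FAIL user=admin src=198.51.100.23
2024-05-01T09:00:02 FAIL user=admin src=198.51.100.23
2024-05-01T09:00:04 FAIL user=root src=198.51.100.23
2024-05-01T09:00:05 FAIL user=admin src=198.51.100.23
2024-05-01T09:00:07 FAIL user=admin src=198.51.100.23
2024-05-01T09:00:09 OK user=admin src=198.51.100.23
2024-05-01T09:05:00 OK user=alice src=10.0.0.7
2024-05-01T09:06:00 FAIL user=bob src=10.0.0.8
2024-05-01T09:07:00 OK user=bob src=203.0.113.50
"""

# Constructed IP -> country table standing in for a GeoIP database.
GEO = {"198.51.100.23": "XA", "10.0.0.7": "US", "10.0.0.8": "US", "203.0.113.50": "XB"}
ALLOWED_COUNTRIES = {"US", "DE"}  # assumed: where the organisation operates


def parse(log):
    """Return [(timestamp, result, user, src_ip), ...] in log order."""
    events = []
    for line in log.splitlines():
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result,
                       user.split("=", 1)[1], src.split("=", 1)[1]))
    return events


def brute_force(events, threshold=5, window_s=60):
    """Sliding window of failures per source. Returns {src: time the threshold
    was first reached}; a source is reported once."""
    recent = defaultdict(deque)
    hits = {}
    for ts, result, _, src in events:
        if result != "FAIL":
            continue
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and src not in hits:
            hits[src] = ts
    return hits


def success_after_burst(events, bursts, grace_s=300):
    """Successful logins from a flagged source within grace_s of its flag:
    the classic sign that a brute-force attempt actually worked."""
    return [(ts, user, src) for ts, result, user, src in events
            if result == "OK" and src in bursts
            and 0 <= (ts - bursts[src]).total_seconds() <= grace_s]


def geo_irregular(events, geo=GEO, allowed=ALLOWED_COUNTRIES):
    """Successful logins whose source country is outside the allow-list
    (unknown addresses are reported as '??' rather than silently trusted)."""
    return [(ts, user, src, geo.get(src, "??")) for ts, result, user, src in events
            if result == "OK" and geo.get(src) not in allowed]


def analyse(log=AUTH_LOG):
    events = parse(log)
    bursts = brute_force(events)
    return {
        "brute_force": bursts,
        "success_after_burst": success_after_burst(events, bursts),
        "geo_irregular": geo_irregular(events),
    }


if __name__ == "__main__":
    for name, hits in analyse().items():
        print(name, hits)
```

On the constructed input, 198.51.100.23 reaches five failures inside a minute and then logs in as admin two seconds later, which is the combination worth paging on; the later login by bob from an unexpected country is reported by the geographic check even though it was preceded by only one failure.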
Files | Applications
• Unknown files, applications and processes on the system
• Anomalous spikes in requests for, and read volume of, company files
• Suspicious registry or system file changes
• An increased number of requests for the same file
Others
• Vulnerability exploitation
• Malware exploitation
• Known cyber threat signatures
• Unusual HTML response sizes (a page returning far more data than it normally does)
• Unauthorized settings changes, including mobile device profiles
• Unexpected patching of systems (intruders sometimes patch the flaw they exploited to keep other attackers out)
• Signs of DDoS activity
• Atomic indicators: domains, URLs, file hashes, e-mail addresses or file names
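The last item, atomic indicators such as domains, URLs, hashes, e-mail addresses and file names, is what most IOC feeds actually distribute, and the main practical problem is normalising them before matching. The script below is an added example, not code from the original article: it loads a constructed indicator feed, normalises each type (lower-cased domains with trailing dots removed, URLs compared on scheme, host and path only, lower-cased hashes, addresses and base file names), and matches constructed DNS, proxy, file and mail events against it, including subdomain matches for domain indicators. The feed format, event schema and sample data are assumptions; the SHA-256 in the feed is the hash of the constructed sample bytes b"abc".

```python
"""Added example: matching atomic IOCs (domains, URLs, SHA-256 hashes,
e-mail addresses, file names) against constructed events. The feed layout,
event schema and all sample values are assumptions for this example."""
import hashlib
import posixpath
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed indicator feed as (type, value) pairs, deliberately unnormalised.
IOC_FEED = [
    ("domain", "Update-Check.Example.NET."),
    ("url", "http://203.0.113.77/stage2/payload.bin"),
    # SHA-256 of the constructed sample content b"abc" used in EVENTS below.
    ("sha256", "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"),
    ("email", "Invoice@Mailer.Example.ORG"),
    ("filename", "C:\\Windows\\Temp\\svch0st.exe"),
]

# Constructed events of four kinds; the last one is clean.
EVENTS = [
    {"type": "dns", "qname": "cdn.update-check.example.net"},
    {"type": "proxy", "url": "HTTP://203.0.113.77/stage2/payload.bin?id=7"},
    {"type": "file", "name": "report.pdf", "content": b"abc"},
    {"type": "file", "name": "SVCH0ST.EXE", "content": b"benign"},
    {"type": "mail", "from": "invoice@mailer.example.org"},
    {"type": "dns", "qname": "www.example.com"},
]


def norm_domain(d):
    return d.strip().lower().rstrip(".")


def norm_url(u):
    """Compare scheme://host/path only; query strings vary per victim."""
    p = urlsplit(u.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"


NORMALIZERS = {
    "domain": norm_domain,
    "url": norm_url,
    "sha256": lambda h: h.strip().lower(),
    "email": lambda e: e.strip().lower(),
    "filename": lambda f: posixpath.basename(f.strip().replace("\\", "/")).lower(),
}


def load_feed(feed):
    """Group normalised indicators by type for O(1) exact matching."""
    by_type = defaultdict(set)
    for typ, value in feed:
        by_type[typ].add(NORMALIZERS[typ](value))
    return by_type


def domain_hit(name, domains):
    """Exact match or subdomain of a listed domain (the '.' prefix stops
    'notevil.example.net' matching 'evil.example.net')."""
    name = norm_domain(name)
    return next((d for d in domains if name == d or name.endswith("." + d)), None)


def match_event(ev, ioc):
    hits = []
    if ev["type"] == "dns":
        d = domain_hit(ev["qname"], ioc["domain"])
        if d:
            hits.append(("domain", d))
    elif ev["type"] == "proxy":
        u = norm_url(ev["url"])
        if u in ioc["url"]:
            hits.append(("url", u))
        d = domain_hit(urlsplit(u).hostname or "", ioc["domain"])
        if d:
            hits.append(("domain", d))
    elif ev["type"] == "file":
        digest = hashlib.sha256(ev["content"]).hexdigest()
        if digest in ioc["sha256"]:
            hits.append(("sha256", digest))
        name = NORMALIZERS["filename"](ev["name"])
        if name in ioc["filename"]:
            hits.append(("filename", name))
    elif ev["type"] == "mail":
        sender = ev["from"].strip().lower()
        if sender in ioc["email"]:
            hits.append(("email", sender))
    return hits


def scan(events, feed):
    """Return [(event_index, indicator_type, normalised_value), ...]."""
    ioc = load_feed(feed)
    return [(i, typ, val) for i, ev in enumerate(events) for typ, val in match_event(ev, ioc)]


if __name__ == "__main__":
    for hit in scan(EVENTS, IOC_FEED):
        print(hit)
```

Each of the first five constructed events matches exactly one indicator despite the differences in case, trailing dot, query string and path, and the clean query does not match. Note that a file name match is a weak indicator on its own (the content here is benign), whereas a hash match identifies the exact known-bad content.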
Indicators of Attack (IOA)
Where an IOC is an artifact left behind, an IOA describes attacker behaviour as it happens:
• Credential theft
• Credential exploitation
• Lateral movement
• Data exfiltration
• Command-and-control (C&C) communication