The key indicators of compromise that organizations should monitor are listed below:
- Unusual Outbound Network Traffic
- HTML Response Sizes
- Geographical Irregularities
- Increases in Database Read Volume
- Log-In Red Flags
- Unexpected Patching of Systems
- Large Numbers of Requests for the Same File
- Web Traffic with Unhuman Behavior
- Suspicious Registry or System File Changes
- Unusual DNS Requests
- Mobile Device Profile Changes
- Bundles of Data in the Wrong Place
- Mismatched Port-Application Traffic
- Signs of DDoS Activity
- Anomalies in Privileged User Account Activity
Indicators of compromise (IOCs) are “pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.” Indicators of compromise aid information security and IT professionals in detecting data breaches, malware infections, or other threat activity. By monitoring for indicators of compromise, organizations can detect attacks and act quickly to prevent breaches from occurring or limit damages by stopping attacks in earlier stages.
Indicators of compromise act as breadcrumbs that lead infosec and IT pros to detect malicious activity early in the attack sequence. These unusual activities are the red flags that indicate a potential or in-progress attack that could lead to a data breach or systems compromise. But, IOCs are not always easy to detect; they can be as simple as metadata elements or incredibly complex malicious code and content samples. Analysts often identify various IOCs to look for correlation and piece them together to analyze a potential threat or incident.
Indicators of attack are similar to IOCs, but rather than focusing on forensic analysis of a compromise that has already taken place, indicators of attack focus on identifying attacker activity while an attack is in process. Indicators of compromise help answer the question “What happened?” while indicators of attack can help answer questions like “What is happening and why?” A proactive approach to detection uses both IOAs and IOCs to discover security incidents or threats in as close to real time as possible.