Understanding Indicators of Compromise (IOC)

May 26, 2025

Indicators of Compromise (IOC)

Definition

  • Indicator of Compromise (IOC): Evidence that a system has been breached or accessed by unauthorized individuals.
  • Observations that give high confidence that a system has been compromised.

Examples of IOCs

  • Unusual Traffic:
    • Large amounts of data transfer over a network.
    • Traffic from unexpected international locations.
    • Modified DNS information.
  • Authentication Patterns:
    • Unusual login patterns or account lockouts.
    • Accounts locked due to excessive login attempts.
    • Account disabled without administrative action.
  • Multiple Logins from Different Locations:
    • Simultaneous logins from geographically distant locations.
    • "Impossible travel" logins (the distance between the two locations could not be covered in the time between the logins), indicating potential misuse.
  • Resource Consumption:
    • Spikes in network traffic due to unauthorized file transfers.
    • Firewall logs showing unexpected data transfer.
  • Resource Inaccessibility:
    • Servers or network resources becoming unavailable due to attacks.
    • Files unexpectedly encrypted, indicating a ransomware infection.
  • Unscheduled Logging:
    • Logs showing unplanned installation of patches or applications.
    • Out-of-cycle logging indicating unusual activities.
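
As an added example (not part of the original notes), the authentication-pattern indicators above, a burst of failed logins that would trip a lockout and impossible travel between successive logins, written as detection logic run over constructed sample log lines; the log format, the speed and failure thresholds, and the coordinates are assumptions made for the demo.

```python
import math
from collections import defaultdict
from datetime import datetime
# Constructed sample auth log lines (not from any real system): ts user result lat lon
SAMPLE_LOGS = """\
2025-05-26T08:00:00Z alice SUCCESS 40.71 -74.01
2025-05-26T08:30:00Z alice SUCCESS 51.51 -0.13
2025-05-26T09:00:10Z bob FAIL 48.86 2.35
2025-05-26T09:00:20Z bob FAIL 48.86 2.35
2025-05-26T09:00:30Z bob FAIL 48.86 2.35
2025-05-26T12:00:00Z carol SUCCESS 40.71 -74.01
2025-05-26T18:00:00Z carol SUCCESS 34.05 -118.24
"""
MAX_SPEED_KMH = 900.0  # faster than an airliner: no legitimate user moves this fast
FAIL_THRESHOLD = 3     # failures inside FAIL_WINDOW_S that would trip a lockout policy (demo value)
FAIL_WINDOW_S = 300

def parse(lines):
    """Parse 'ts user result lat lon' lines into time-sorted tuples."""
    return sorted((datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"), u, r, float(la), float(lo))
                  for t, u, r, la, lo in map(str.split, lines.splitlines()))

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events):
    """Users whose consecutive successful logins imply travel faster than MAX_SPEED_KMH."""
    last, flagged = {}, set()
    for ts, user, _, lat, lon in (e for e in events if e[2] == "SUCCESS"):
        if user in last:
            pts, plat, plon = last[user]
            # distance > speed * time; written without division so simultaneous logins are caught
            if haversine_km(plat, plon, lat, lon) > MAX_SPEED_KMH * (ts - pts).total_seconds() / 3600:
                flagged.add(user)
        last[user] = (ts, lat, lon)
    return flagged

def failed_login_bursts(events):
    """Users with FAIL_THRESHOLD or more failures inside any FAIL_WINDOW_S window."""
    fails, flagged = defaultdict(list), set()
    for ts, user, result, _, _ in events:
        if result == "FAIL":
            fails[user] = [t for t in fails[user] if (ts - t).total_seconds() <= FAIL_WINDOW_S] + [ts]
            if len(fails[user]) >= FAIL_THRESHOLD:
                flagged.add(user)
    return flagged
```

On the sample data alice is flagged for impossible travel (New York to London in 30 minutes) while carol's six-hour New York to Los Angeles gap is accepted, and bob is flagged for the failed-login burst.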

Implications and Responses

  • Compromised Accounts:
    • Account reset procedures should be robust so that an attacker cannot impersonate the legitimate owner to take over the account.
  • Log Analysis:
    • Monitor for missing log data, as attackers may delete logs to hide their activities.
    • Use logs to detect file transfers or unauthorized accesses.
  • Data Breaches:
    • Private data appearing on the internet is a clear sign of compromise.
    • Often linked with ransomware attacks where data is exfiltrated before encryption.

Best Practices

  • Implement strong password reset processes.
  • Regularly review authentication logs for anomalies.
  • Set up alerts for unusual network activity or file transfers.
  • Ensure comprehensive logging and monitor for deleted or missing logs.
  • Prepare for potential data breaches by safeguarding sensitive information.