Overview
This lecture covers the concept of Indicators of Compromise (IoCs) in IT security, detailing various signs and examples that may point to system breaches or unauthorized access.
Indicators of Compromise: Definition and Examples
- Indicators of Compromise (IoCs) are signs that suggest a system has likely been breached.
- Examples include unusual network traffic volume, modified file hash values, and unexpected international network connections.
- DNS changes or unusual file access patterns may indicate manipulation or unauthorized activity.
Account and Authentication Anomalies
- Account lockouts after failed login attempts can signal brute force attacks or impersonation attempts.
- Administrative disabling of accounts without proper authorization is a strong IoC.
- Attackers may intentionally lock accounts to trick help desks into resetting passwords.
- Simultaneous logins from distant locations are often impossible and indicate credential compromise.
- Reviewing authentication logs reveals unexpected or impossible login behaviors.
Malware and Update Interference
- Malware may block antivirus updates or security patches to maintain access.
- Inability to connect to security websites or download patches is a potential IoC.
Resource Consumption and Network Traffic
- Unexpected spikes in network traffic or data transfers at odd hours could indicate data exfiltration.
- Firewall logs can reveal unusual data transfers or connections.
Resource Unavailability and Service Failures
- Sudden inaccessibility of servers or resources may result from attacker activity or exploitation attempts.
- Data encryption or account lockouts can make resources unavailable, often linked to ransomware or brute force attacks.
Log File Anomalies and Deletion
- Out-of-cycle log entries, such as unscheduled software installations, are suspicious.
- Firewalls and systems may show odd traffic or unauthorized application changes in logs.
- Missing log data can suggest attackers have deleted evidence of their activities.
Data Exposure and Exfiltration
- Public appearance of private organizational data clearly indicates a data breach.
- Attackers may combine ransomware with data theft, threatening to release sensitive data if no payment is received.
- Stolen data may be discovered on public servers, alerting organizations of a breach.
Key Terms & Definitions
- Indicator of Compromise (IoC) — Evidence suggesting a system has been breached or is under attack.
- Hash Value — A unique string produced by a cryptographic algorithm used to verify file integrity.
- Brute Force Attack — Attempting many passwords or credentials to gain unauthorized access.
- Exfiltration — Unauthorized transfer of data out of the network.
Action Items / Next Steps
- Review and strengthen password reset and authentication procedures.
- Regularly monitor logs for anomalies and missing records.
- Investigate any unusual resource usage, account lockouts, or inaccessible resources.
- Schedule a review of network traffic patterns and firewall logs for abnormal activity.