Indicators of Compromise (IOCs): How They Work, How to Identify Them, and Why They Aren't Enough
Indicators of Compromise (IOCs) are forensic clues and evidence of a potential breach within an organization's network or system. IOCs give security teams essential context for discovering and remediating a cyberattack.
Attackers can spend months within a compromised network without detection, so it’s crucial to monitor for any signs of compromise. Learn how IOCs work, common types and examples of IOCs, why they aren’t enough, and how to integrate them into a response plan.
How Do Indicators of Compromise Work?
An indicator of compromise is a broad term for any detected signal of a potential cyberattack. These are red flags of cyberattacks like malware or data breaches within a network or system.
IOCs are the cyber-equivalent of evidence left at a crime scene: digital versions of tire tracks, fingerprints, and broken windows.
Potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more.
When an IOC is detected, security teams evaluate the possible threat and validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.
What Is the Difference Between Indicators of Attack and Indicators of Compromise?
The main difference between indicators of attack (IOAs) and IOCs is timing. IOAs surface in real time, while IOCs tell an organization what has already happened. Think of an IOA as an attack in progress that security teams use to determine what is happening and why. An IOC, by contrast, is used to determine the extent of a breach after it has been contained.
What Are the Most Common Types of IOCs?
Depending on the size of your organization, it could have thousands of potential IOCs. Security teams should closely monitor and evaluate these common types of IOCs:
Unusual inbound and outbound traffic: An unusual level of traffic may indicate malware, DDoS attacks, network hijacking, VPN issues, and more.
Unknown locations: Receiving traffic from IP addresses outside of known geographic locations can signal a compromise.
Multiple login and authentication attempts: Brute force attacks create many failed login attempts.
Increased database activity: An increase in database read volume could be a sign of an attacker infiltrating and stealing data.
Unauthorized settings and system file changes: Attackers change settings to hide their presence and conduct their cyberattack.
Vendor security score change: Monitoring your third-party vendors for security changes is an important aspect of preventing supply chain compromise.
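The list above describes what to look for but not how a detection would actually be expressed. The following is an added example, not code from the article or from Abnormal Security, that runs two of those IOC checks (repeated failed logins from one source, and successful logins from outside the organization's expected countries) over a handful of constructed authentication log lines. The log format, the CIDR-to-country table, the set of "known" countries and the failure threshold are all assumptions made for the example; a real deployment would read a SIEM export and a GeoIP database instead.

```python
"""Added example (not from the article): two detections over constructed
authentication log lines, covering the 'multiple login attempts' and
'unknown locations' IOC types. Log format, IP ranges, geo table and
threshold are constructed assumptions, not values from any real advisory."""
import ipaddress
from collections import Counter

# Constructed CIDR -> country table; a real deployment would use a GeoIP database.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "ZZ",  # placeholder for an unexpected country
}
KNOWN_COUNTRIES = {"US", "DE"}   # where the organization expects logins from
FAILED_LOGIN_THRESHOLD = 5       # failures per (user, source) before flagging

# Constructed sample log: "<timestamp> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-01-10T08:00:01Z FAIL user=alice src=192.0.2.10
2024-01-10T08:00:02Z FAIL user=alice src=192.0.2.10
2024-01-10T08:00:03Z FAIL user=alice src=192.0.2.10
2024-01-10T08:00:04Z FAIL user=alice src=192.0.2.10
2024-01-10T08:00:05Z FAIL user=alice src=192.0.2.10
2024-01-10T08:00:06Z OK   user=alice src=192.0.2.10
2024-01-10T08:05:00Z OK   user=bob   src=203.0.113.7
2024-01-10T08:06:00Z FAIL user=carol src=198.51.100.4
2024-01-10T08:07:00Z OK   user=admin src=192.0.2.55
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a parsed source address."""
    ts, result, user_field, src_field = line.split()
    return {"ts": ts, "result": result,
            "user": user_field.split("=", 1)[1],
            "src": ipaddress.ip_address(src_field.split("=", 1)[1])}


def country_for(ip):
    """Look the address up in the constructed geo table."""
    for net, country in GEO_TABLE.items():
        if ip in net:
            return country
    return "UNKNOWN"


def detect(log_text):
    """Return findings for brute-force attempts and logins from unknown locations.

    A successful login that follows a run of failures from the same source is
    recorded on the brute_force finding, since that is the case worth escalating.
    """
    findings = []
    failures = Counter()
    success_after_failures = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        key = (ev["user"], str(ev["src"]))
        if ev["result"] == "FAIL":
            failures[key] += 1
        elif ev["result"] == "OK":
            if failures[key]:
                success_after_failures.add(key)
            country = country_for(ev["src"])
            if country not in KNOWN_COUNTRIES:
                findings.append({"type": "unknown_location", "user": ev["user"],
                                 "src": str(ev["src"]), "country": country})
    for (user, src), n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append({"type": "brute_force", "user": user, "src": src,
                             "failures": n,
                             "succeeded_after": (user, src) in success_after_failures})
    # Deterministic order so the output is easy to diff between runs.
    return sorted(findings, key=lambda f: (f["type"], f["user"]))


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the sample log this yields one brute_force finding for alice (five failures followed by a success, the combination that most deserves a ticket) and two unknown_location findings (alice and admin, both from the placeholder "ZZ" range); carol's single failure and bob's US login stay below the bar. The threshold and country list are where most of the tuning happens in practice.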
Real World Examples of Indicators of Compromise
The FBI released a flash report in early 2022 highlighting common IOCs associated with the infamous LockBit 2.0 ransomware attacks:
Language checks: According to the FBI, “LockBit 2.0 determines system and user language settings and only targets those not matching a set list of languages that are Eastern European.” It checks for 13 Eastern European languages, and if detected, the program exits without infecting the target system or computer.
Command line activity: LockBit 2.0 uses several commands to delete shadow copies, disable recovery, ignore boot failures, clear the system and application logs, and more.
Registry keys: LockBit 2.0 has a collection of registry keys to change a computer’s desktop wallpaper, encrypt data, and bypass user account control.
The report on LockBit 2.0 IOCs also includes created files, group policy updates, anti-recovery commands, IP addresses, network indicators, a ransomware note, and more.
Abnormal Security’s threat intel team identifies and researches email attacks to protect customers. Part of this process is publishing attack stories that include IOCs. In one recent example, we published an attack story on a tax prep scam using the Sorillus RAT. IOCs for the Sorillus RAT include specific file names, C2 IP addresses, email addresses, and domains.
We also covered a BazarLoader attack through a website contact form. IOCs include IP addresses and .log, .iso, and .lnk files.
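The LockBit, Sorillus and BazarLoader write-ups above all publish atomic indicators (IP addresses, domains, file names, hashes, registry keys, suspicious attachment types), and the practical question is how to sweep your own telemetry for them. The following added example, which is not code from the article, from Abnormal Security, or from the FBI report, matches a small indicator set against constructed proxy, email-gateway and registry events. Every indicator value in it is a placeholder made up for the example (reserved test ranges and `.invalid` domains), not any real advisory's IOCs; the event schema is likewise assumed.

```python
"""Added example (not from the article): sweeping constructed telemetry for
atomic IOCs of the kinds the advisories above publish. All indicator values
are placeholders, not real IOCs from any report."""
import os

# Constructed indicator set: reserved example ranges and .invalid names only.
IOCS = {
    "ipv4": {"192.0.2.44", "198.51.100.200"},
    "domain": {"c2-example.invalid", "update-check.invalid"},  # also matches subdomains
    "file_name": {"tax_return_2023.exe"},
    "sha256": {"aa" * 32},
    "registry_key": {r"HKCU\Software\ConstructedExampleKey"},   # also matches subkeys
}
# The article notes .iso and .lnk files as delivery artefacts; flag them on inbound mail.
SUSPICIOUS_ATTACHMENT_EXT = {".iso", ".lnk"}

# Constructed events; "kind" selects the check applied to each one.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "proxy", "host": "beacon.c2-example.invalid", "dst_ip": "192.0.2.44"},
    {"id": 2, "kind": "proxy", "host": "www.example.com", "dst_ip": "203.0.113.9"},
    {"id": 3, "kind": "email", "attachment": "invoice.iso", "sha256": "bb" * 32},
    {"id": 4, "kind": "email", "attachment": "Tax_Return_2023.exe", "sha256": "AA" * 32},
    {"id": 5, "kind": "registry", "key": r"HKCU\Software\ConstructedExampleKey\Wallpaper"},
]


def domain_matches(host, indicator):
    """True if host equals the indicator domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def check_proxy(ev):
    hits = []
    if ev["dst_ip"] in IOCS["ipv4"]:
        hits.append(("ipv4", ev["dst_ip"]))
    for d in sorted(IOCS["domain"]):
        if domain_matches(ev["host"], d):
            hits.append(("domain", d))
    return hits


def check_email(ev):
    hits = []
    name = ev["attachment"].lower()
    if name in IOCS["file_name"]:
        hits.append(("file_name", name))
    digest = ev["sha256"].lower()
    if digest in IOCS["sha256"]:
        hits.append(("sha256", digest))
    ext = os.path.splitext(name)[1]
    if ext in SUSPICIOUS_ATTACHMENT_EXT:
        hits.append(("attachment_ext", ext))
    return hits


def check_registry(ev):
    """Registry keys are compared case-insensitively, including subkeys."""
    key = ev["key"].lower()
    return [("registry_key", k) for k in sorted(IOCS["registry_key"])
            if key == k.lower() or key.startswith(k.lower() + "\\")]


CHECKS = {"proxy": check_proxy, "email": check_email, "registry": check_registry}


def scan(events):
    """Return one finding per (event, indicator) match."""
    findings = []
    for ev in events:
        for ioc_type, value in CHECKS[ev["kind"]](ev):
            findings.append({"event_id": ev["id"], "ioc_type": ioc_type, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

Two details matter more than they look. Domain indicators are matched as suffixes so that a beaconing subdomain still hits, and hashes, file names and registry keys are normalized to lower case before comparison, since a feed and your telemetry rarely agree on case. The sample yields six findings: the first proxy event hits on both IP and domain, the `.iso` attachment hits on extension alone, the renamed tax-return attachment hits on both file name and hash, and the wallpaper subkey hits on the registry indicator.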
How to Identify and Respond to IOCs
Identifying IOCs quickly is an essential part of a multi-layered cybersecurity strategy. Close monitoring of your network is a necessary step to prevent cyberattacks from fully infiltrating your system. Organizations need a network monitoring tool that logs and reports external and lateral traffic.
By monitoring IOCs, an organization is better able to detect problems quickly and accurately. It also enables speedy incident response to remediate the issue and aids the computer forensics process. Unfortunately, identifying IOCs usually means a compromise has already occurred. But these preventative measures can help mitigate damage:
Segment networks: If a network is infiltrated, segmentation ensures malware can’t spread laterally.
Disable command line scripts: Malware often spreads across a network from command line tools.
Restrict account privileges: Accounts with unusual activities and requests are a common IOC. Time-based access and permission restrictions help seal
Why IOCs Aren’t Enough
Monitoring networks for IOCs that indicate cyberattacks isn't enough to protect an organization from threats. When cybersecurity technology identifies and blocks threats, attackers evolve their strategies to evade it. Relying on IOCs alone for detection, security, and prevention isn’t effective.
IOCs are useful for detecting an attack that has already happened. They are a reaction to a compromise rather than a prevention of a threat.
Enterprises should certainly be familiar with IOCs for common cyberattacks. But cybercriminals and ransomware actors are sophisticated. Their attack strategies and payload deliveries evolve rapidly. Focusing on IOCs of a previous attack doesn’t prepare an organization for a future attack.
This is especially true in email security. Legacy security solutions focus on known indicators of compromise like suspicious URLs and malicious attachments. But modern email attacks like BEC rely on impersonation and social engineering methods. These tactics don’t have obvious red flags, so security approaches that rely on IOCs will struggle to detect them.
Ready to enhance your email security? Contact us today to try a demo and see how Abnormal Security can protect your organization.