Examples of Indicators of Compromise (IOCs)

Indicators of Compromise (IOCs) are pieces of forensic information used in cyber security to identify patterns, or to identify common links across disparate patterns, in order to establish whether a security breach has occurred. Some examples of IOCs are given below:

  • Unusual Outbound Network Traffic
  • Check your network logs for outbound connections from internal source addresses to unknown destination addresses which should not be taking place, e.g. a UK-only business whose application server connects to destination addresses outside the UK.

  • Anomalies in Privileged User Account Activity
  • Privileged user accounts should be tightly controlled, monitored and audited. Typically these accounts are used for special purposes, e.g. root access to a system to check log files. In this example, if the same privileged account were exporting the customer PCI data logs used by the system, this could be an indication of compromise.

  • Geographical Irregularities
  • See example for Unusual Outbound Network Traffic above.

  • Log-In Red Flags
  • Are there failed login events involving non-existent user accounts across consecutive login attempts?
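The check described above, as an added example that is not part of the original article: a sliding-window count of failed logins against non-existent accounts per source address, run over constructed sshd-style auth log lines (the hostnames, addresses and usernames are invented). A single wrong password for a real account is ignored; several failures for accounts that do not exist, close together, from one source, raise an alert.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd-style auth log lines for this example; not taken
# from any real system. Failed attempts for users that do not exist on the host
# are logged as "Failed password for invalid user ...".
SAMPLE_AUTH_LOG = """\
Mar 10 09:12:01 web01 sshd[2211]: Invalid user admin from 198.51.100.7 port 51022
Mar 10 09:12:03 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 10 09:12:05 web01 sshd[2214]: Invalid user oracle from 198.51.100.7 port 51030
Mar 10 09:12:06 web01 sshd[2214]: Failed password for invalid user oracle from 198.51.100.7 port 51030 ssh2
Mar 10 09:12:08 web01 sshd[2217]: Invalid user test from 198.51.100.7 port 51041
Mar 10 09:12:09 web01 sshd[2217]: Failed password for invalid user test from 198.51.100.7 port 51041 ssh2
Mar 10 09:15:44 web01 sshd[2301]: Failed password for alice from 10.0.0.5 port 40210 ssh2
Mar 10 09:15:50 web01 sshd[2301]: Accepted password for alice from 10.0.0.5 port 40210 ssh2
Mar 10 09:40:12 web01 sshd[2410]: Failed password for invalid user backup from 203.0.113.9 port 33001 ssh2
"""

INVALID_USER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for invalid user (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_invalid_user_failures(log_text):
    """Group (timestamp, username) of failed logins for non-existent users by source IP."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = INVALID_USER_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; deltas within one file are still correct.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events[m.group("ip")].append((ts, m.group("user")))
    return events


def find_invalid_user_bursts(log_text, threshold=3, window_seconds=60):
    """Return {source_ip: [usernames]} for sources that produced at least
    `threshold` failed logins against non-existent accounts inside any window
    of `window_seconds`. The failure for alice is never counted: her account
    exists, and one mistyped password is ordinary user behaviour."""
    alerts = {}
    for ip, evts in parse_invalid_user_failures(log_text).items():
        evts.sort()
        for i in range(len(evts) - threshold + 1):
            span = (evts[i + threshold - 1][0] - evts[i][0]).total_seconds()
            if span <= window_seconds:
                alerts[ip] = sorted({user for _, user in evts})
                break
    return alerts


if __name__ == "__main__":
    for ip, users in find_invalid_user_bursts(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: failed logins for non-existent users {users}")
```

The threshold and window are tuning knobs: a lone "invalid user" failure (the 203.0.113.9 line) is common background noise on any internet-facing host and only becomes interesting once the same source cycles through several non-existent names in quick succession.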

  • Increases in Database Read Volume
  • Is there a surge in database read volume compared with the normal or typical level of database reads? A significant increase in the number of database reads could indicate that database information is being accessed or modified by a threat actor.

  • HTML Response Sizes
  • Normal HTTP response sizes are relatively small, depending on the use case. However, if a response size is significantly larger than usual, this could be the result of a SQL injection attack, e.g. probing for blind SQL injection vulnerabilities.

  • Large Numbers of Requests for the Same File
  • Particular files, such as log files, can legitimately be accessed frequently over a finite period of time. However, a sensitive backup or log file containing securely stored customer data receiving a significant number of access requests could be an indicator.

  • Mismatched Port-Application Traffic
  • DNS traffic is typically transmitted over port 53 (TCP/UDP). If there is activity showing DNS traffic through other commonly open ports such as TCP port 80, this is usually an anomaly (unless the network has been deliberately configured this way, an approach which is not recommended).
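An added example, not from the original article, of how a sensor can decide that a payload on TCP port 80 is a DNS message rather than HTTP: it parses the RFC 1035 header and question section strictly (QR=0, opcode 0, exactly one IN-class question, no compression pointers) and compares the result with the protocol expected on the port. The port-to-protocol table and the sample packets are constructed for the example; `build_dns_query` exists only to produce sample traffic.

```python
import struct

# Constructed policy table for this example: which protocol a port should carry.
EXPECTED_PROTOCOL = {53: "dns", 80: "http"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def build_dns_query(name, qtype=1, txid=0x1234):
    """Build a minimal standard DNS query (RFC 1035 wire format) for `name`.
    Used only to construct sample traffic for the example."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_dns_query(payload):
    """Return (qname, qtype) if `payload` is a well-formed standard DNS query, else None.
    The strict header checks stop HTTP and other text protocols from being
    misread as DNS: the bytes "T " of "GET / HTTP/1" land in the flags field
    with a non-zero opcode, so the function rejects them immediately."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF:      # QR must be 0, opcode must be 0
        return None
    if qdcount != 1 or ancount != 0 or nscount != 0:
        return None
    labels, pos = [], 12
    while True:                                     # walk the QNAME labels
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(payload):   # no pointers in a query name
            return None
        try:
            labels.append(payload[pos:pos + length].decode("ascii"))
        except UnicodeDecodeError:
            return None
        pos += length
    if not labels or pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if qclass != 1:                                 # IN class only
        return None
    return ".".join(labels), qtype


def classify_payload(dst_port, payload):
    """Compare what the payload looks like with what the port should carry.
    Returns (verdict, detail) with verdict "ok", "mismatch" or "unknown"."""
    expected = EXPECTED_PROTOCOL.get(dst_port)
    dns = parse_dns_query(payload)
    if dns is not None:
        qname, qtype = dns
        detail = f"DNS query for {qname} (qtype {qtype}) on port {dst_port}"
        return ("ok" if expected == "dns" else "mismatch", detail)
    if payload.startswith(HTTP_METHODS):
        return ("ok" if expected == "http" else "mismatch", f"HTTP request on port {dst_port}")
    return ("unknown", f"unrecognised payload on port {dst_port}")


if __name__ == "__main__":
    # Constructed sample packets: a normal web request, a normal lookup, and a
    # DNS query sent to TCP/80 instead of 53.
    samples = [
        (80, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
        (53, build_dns_query("intranet.example")),
        (80, build_dns_query("intranet.example")),
    ]
    for port, data in samples:
        print(port, *classify_payload(port, data))
```

Two caveats for real captures: DNS over TCP prefixes each message with a two-byte length, which the caller should strip before handing the message to `parse_dns_query`, and an "unknown" verdict on a port that should carry HTTP is itself worth logging, since encrypted or obfuscated traffic on a cleartext port is the same class of mismatch.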

  • Suspicious Registry or System File Changes
  • The registry is used by the system to store registry keys (settings for system files, applications, etc.) and typically only changes when system changes such as software installs call for it. However, malware is known to change the registry, adding keys in order to maintain a persistent configuration across system reboots.

  • Unusual DNS Requests
  • See Mismatched Port-Application Traffic above.

  • Unexpected Patching of Systems
  • Patching systems is, and should be, an encouraged activity to secure software, applications and systems against vulnerabilities. Patching typically takes place within a change management process; however, are there cases in which a system is undergoing excessive patching activity, such as being reconfigured to be more restricted and hardened by a hacker with privileged user account access?

  • Mobile Device Profile Changes
  • Enterprises commonly allow BYOD and manage it accordingly with policies and management platforms that install mobile profiles to control mobile activity. However, is there any indication that profiles with relaxed settings are being installed on mobile devices?

  • Bundles of Data in the Wrong Place
  • Data at rest and data in transit should be controlled and monitored appropriately. Data should be used for its intended purpose and not in unexpected ways, e.g. is sensitive customer data being copied to non-approved cloud storage environments or removable drives?

  • Web Traffic with Unhuman Behavior
  • Typical user behaviour is to access one or more web pages over time; sometimes a user requests a large number of pages. However, is there activity showing excessive or continuous access requests to web resources across short periods of time, e.g. a company intranet portal receiving a significant number of GET requests over a couple of minutes?
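The three web-log indicators above (response sizes, repeated requests for one file, and non-human request rates) all come out of the same access log, so here is one added example, not from the original article, that parses Common Log Format lines and applies all three checks. The log lines, paths, addresses and thresholds are constructed for the example; a real deployment would tune the factors against its own baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_access_log(text):
    """Parse Common Log Format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
        records.append(rec)
    return records


def oversized_responses(records, factor=10, min_samples=3):
    """Flag responses more than `factor` times the median size seen for the
    same path and status. The median is used as the baseline because, unlike
    the mean, one huge outlier barely moves it."""
    sizes = defaultdict(list)
    for r in records:
        sizes[(r["path"], r["status"])].append(r["size"])
    flagged = []
    for r in records:
        sample = sizes[(r["path"], r["status"])]
        if len(sample) >= min_samples and r["size"] > factor * median(sample):
            flagged.append((r["ip"], r["path"], r["size"]))
    return flagged


def hot_files(records, threshold=10):
    """Paths requested at least `threshold` times in the log window."""
    counts = Counter(r["path"] for r in records)
    return {path: n for path, n in counts.items() if n >= threshold}


def burst_clients(records, max_per_minute=10):
    """(client IP, minute) pairs whose request count exceeds a human-plausible rate."""
    per_minute = Counter((r["ip"], r["ts"].strftime("%Y-%m-%d %H:%M")) for r in records)
    return {key: n for key, n in per_minute.items() if n > max_per_minute}


# --- Constructed sample log for the example (not from a real server) ---------
def _line(ip, ts, path, status, size):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size}'


_lines = [_line("10.0.0.5", f"10/Mar/2024:09:{10 + 5 * i}:00 +0000", "/index.html", 200, 5120)
          for i in range(3)]
# four ordinary search responses, then one roughly 80x larger from another client
_lines += [_line("10.0.0.6", f"10/Mar/2024:09:0{i}:15 +0000", "/search", 200, sz)
           for i, sz in enumerate([3010, 2990, 3102, 3044])]
_lines.append(_line("198.51.100.7", "10/Mar/2024:09:05:02 +0000", "/search", 200, 248000))
# twelve fetches of one backup file inside a single minute
_lines += [_line("198.51.100.7", f"10/Mar/2024:09:06:{4 * i:02d} +0000",
                 "/backups/customers.sql.gz", 200, 10485760) for i in range(12)]
SAMPLE_ACCESS_LOG = "\n".join(_lines)

if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    print("oversized responses:", oversized_responses(recs))
    print("hot files:", hot_files(recs))
    print("burst clients:", burst_clients(recs))
```

Each check on its own produces false positives (a large report download, a popular static asset, a crawler); the value is in correlating them, as the constructed sample does when the same external address shows up in all three results.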

  • Signs of DDoS Activity
  • Are network traffic logs showing multiple connections from disparate source IP addresses targeting critical assets over a consecutive and short period of time? In some cases DDoS activity can be sustained for long periods, depending on the attack methodology.
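An added example, not from the original article, covering two of the network-level indicators above with one set of flow records: the "Unusual Outbound Network Traffic" case (a UK-only application server connecting outside the UK) and the DDoS case (many distinct sources hitting one asset in a short window). The flow records, the internal network range and the country table are constructed; the table stands in for a GeoIP database lookup, which is an assumption of the example rather than anything the article specifies.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for a GeoIP lookup. Prefixes are RFC 5737 documentation
# ranges and the country assignments are invented for this example.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "GB",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
}


def country_of(ip):
    """Country code for an address, or "??" when the table does not know it."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


def unexpected_outbound(flows, internal_net, allowed_countries=frozenset({"GB"})):
    """Outbound flows from `internal_net` whose destination resolves to a country
    outside `allowed_countries`. Unresolvable destinations ("??") are flagged
    too: a destination the business cannot place is as much of a question as one
    it can place abroad."""
    internal = ipaddress.ip_network(internal_net)
    hits = []
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in internal and dst not in internal:
            cc = country_of(f["dst"])
            if cc not in allowed_countries:
                hits.append((f["src"], f["dst"], f["dport"], cc))
    return hits


def ddos_candidates(flows, window_seconds=10, min_sources=50):
    """(dst, dport) pairs contacted by at least `min_sources` distinct source
    addresses inside one `window_seconds` bucket; the value is the largest
    distinct-source count seen for that service."""
    sources = defaultdict(set)
    for f in flows:
        bucket = f["ts"] // window_seconds
        sources[(f["dst"], f["dport"], bucket)].add(f["src"])
    result = {}
    for (dst, dport, _bucket), srcs in sources.items():
        if len(srcs) >= min_sources:
            result[(dst, dport)] = max(len(srcs), result.get((dst, dport), 0))
    return result


def _flow(ts, src, dst, dport, nbytes):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "bytes": nbytes}


# Constructed flow records (epoch seconds, documentation addresses, no real traffic).
SAMPLE_FLOWS = [
    _flow(1710061200, "10.0.0.30", "203.0.113.10", 443, 4200),        # app server -> UK partner
    _flow(1710061260, "10.0.0.30", "198.51.100.25", 443, 1900000),    # app server -> US host
    _flow(1710061320, "10.0.0.30", "192.0.2.77", 8443, 350000),       # app server -> DE host
    _flow(1710061380, "198.51.100.8", "10.0.0.30", 443, 900),         # inbound; not outbound
]
# sixty distinct sources contacting one internal service within five seconds
SAMPLE_FLOWS += [_flow(1710064800 + (i % 5), f"198.18.{i // 256}.{i % 256 + 1}", "10.0.0.20", 443, 60)
                 for i in range(60)]

if __name__ == "__main__":
    for hit in unexpected_outbound(SAMPLE_FLOWS, "10.0.0.0/8"):
        print("unexpected outbound:", hit)
    for svc, n in ddos_candidates(SAMPLE_FLOWS).items():
        print("possible DDoS target:", svc, "distinct sources:", n)
```

The bucketed window is deliberately simple; for sustained activity the same function run over successive buckets shows whether the distinct-source count stays high, which is the difference between a burst and a campaign.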