What are Indicators of Compromise?

Bibek Thapa Magar
3 min read · Sep 6, 2022


Indicators of Compromise:

Edmond Locard, a renowned criminologist, formulated the principle that “every contact leaves a track”. This applies to cybercrime as well: adversaries leave traces of their activities. An indicator that gives a clue that a cyberattack has occurred is an “Indicator of Compromise (IoC)”.

“Indicator of compromise in computer forensics is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.”
- Wikipedia

They are “pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.” Generally, the IoCs of a given gang or APT group stay much the same from one operation to the next, so they aid defenders in detecting attacks such as data breaches and malware infections. Stopping an attack in its earlier stages limits the damage. They are not always easy to detect, however.

Adversaries have evolved with time, so IoCs are becoming harder to detect. Common IoCs are: file hashes (MD5, SHA-256, etc.), C2 domains or hard-coded IP addresses, registry keys and filenames. IoCs are not silver bullets; rather, they are the last resort in detection and prevention in the defender’s world. They sit at the bottom of the “pyramid of pain” because they are constantly changing: tweaking even the smallest parameter (changing a single byte of a file, for example, changes its hash) produces a different IoC. Hence they are not very reliable. That said, I am not implying they are useless or should not be used. There is a slim chance that adversaries are lazy and follow the same pattern in their attacks, and in that situation IoCs are the easiest and best way to detect them.

Why are they Important?

They are necessary due to the following factors:

  • They provide valuable information on what has occurred
  • They reveal patterns so that defenders can be prepared for future attacks
  • With such data, defenders can prevent, detect and respond to similar attacks

There are various indicators of compromise, but not all are equally valuable: some only give general information about who the attackers are, while others are valuable because they aid defenders in detection.

Examples of indicators of compromise:

The following may be indicators of compromise:

  • Unusual DNS lookups
  • Geographic irregularities, such as traffic from countries or locations where the organization does not have a presence
  • Suspicious files, applications, and processes
  • IP addresses and domains belonging to botnets or malware C&C servers
  • A significant number of accesses to one file
  • Suspicious activity on administrator or privileged user accounts
  • An unexpected software update
  • Data transfer over rarely used ports
  • An attack signature or a file hash of a known piece of malware
  • Unusual size of HTML responses
  • Unauthorized settings changes, including mobile device profiles
  • Large amounts of compressed files or data bundles in incorrect or unexplained locations
  • Unauthorized modification of configuration files, registry entries, or device settings
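To make the two earlier points concrete (the common IoC types listed above, and the “pyramid of pain” remark that tweaking a single parameter changes the indicator), here is an added example that is not part of the original post. It builds a small, constructed IoC feed (a file hash, a hypothetical C2 domain and a documentation-range IP address), matches it against a few constructed key=value log lines covering unusual DNS lookups, connections to a known-bad address over a rarely used port, and a known file hash, and then shows that flipping one byte of the sample file defeats the hash indicator while the domain indicator still fires. The log format, host names and feed values are all assumptions made for the example.

```python
import hashlib

# Constructed sample "malware" bytes; the hash of this blob is our file-hash IoC.
SAMPLE = b"MZ\x90\x00constructed-sample-payload-for-illustration"


def sha256_hex(data: bytes) -> str:
    """File-hash indicator for a blob's contents (lower-case hex, as feeds list it)."""
    return hashlib.sha256(data).hexdigest()


SAMPLE_HASH = sha256_hex(SAMPLE)

# Constructed IoC feed: example/documentation values only, not real indicators.
IOC_FEED = {
    "sha256": {SAMPLE_HASH},
    "domain": {"update-check.example.net"},  # hypothetical C2 domain
    "ip": {"203.0.113.45"},                  # TEST-NET-3 documentation address
}
# Ports rarely used for legitimate egress in this hypothetical environment.
RARE_EGRESS_PORTS = {4444, 8443}

# Constructed key=value log lines (DNS, connection and file events) for two hosts.
LOG_LINES = [
    "ts=2022-09-06T10:01:02Z type=dns host=ws-17 query=update-check.example.net.",
    "ts=2022-09-06T10:01:03Z type=conn host=ws-17 dst=203.0.113.45 dport=4444 bytes=18231",
    f"ts=2022-09-06T10:01:09Z type=file host=ws-17 path=C:\\Users\\Public\\svc.exe sha256={SAMPLE_HASH}",
    "ts=2022-09-06T10:02:00Z type=dns host=ws-03 query=www.example.org",
    "ts=2022-09-06T10:02:10Z type=conn host=ws-03 dst=198.51.100.7 dport=443 bytes=900",
]


def parse_line(line: str) -> dict[str, str]:
    """Parse a constructed key=value log line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def match_iocs(record: dict[str, str], feed=IOC_FEED) -> list[str]:
    """Return a list of indicator hits for one parsed log record."""
    hits = []
    query = record.get("query")
    if query:
        # Normalise the DNS name: lower-case, strip the trailing root dot.
        name = query.lower().rstrip(".")
        if name in feed["domain"]:
            hits.append(f"domain:{name}")
    dst = record.get("dst")
    if dst and dst in feed["ip"]:
        hits.append(f"ip:{dst}")
    digest = record.get("sha256")
    if digest and digest.lower() in feed["sha256"]:
        hits.append(f"sha256:{digest[:12]}")
    dport = record.get("dport")
    if dport and dport.isdigit() and int(dport) in RARE_EGRESS_PORTS:
        hits.append(f"rare_port:{dport}")
    return hits


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Return {host: [hits...]} for every host with at least one indicator hit."""
    alerts: dict[str, list[str]] = {}
    for line in lines:
        record = parse_line(line)
        hits = match_iocs(record)
        if hits:
            alerts.setdefault(record.get("host", "unknown"), []).extend(hits)
    return alerts


def tweak_evades_hash(original: bytes, tweaked: bytes, feed=IOC_FEED) -> bool:
    """True when the original matches the hash feed but the tweaked copy no longer does.

    This is the pyramid-of-pain point: a hash indicator is defeated by the
    smallest change to the file, so a feed built only on hashes goes stale fast.
    """
    return sha256_hex(original) in feed["sha256"] and sha256_hex(tweaked) not in feed["sha256"]


if __name__ == "__main__":
    for host, hits in scan(LOG_LINES).items():
        print(f"{host}: {', '.join(hits)}")
    print("one-byte tweak evades hash IoC:", tweak_evades_hash(SAMPLE, SAMPLE + b"\x00"))
```

Run as a script, it reports hits only for ws-17 (domain, IP, rare port and hash) and nothing for ws-03, then confirms that appending one byte to the sample defeats the hash indicator. The domain and IP hits survive the tweak, which is why, in the pyramid of pain, those indicators cost the adversary more to change than a hash does.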

Differences Between IoCs and Indicators of Attack (IoA)

The basic difference between them is that IoCs are evidence that an incident has taken place, while IoAs are evidence that an incident is happening or is likely to occur. I will write in more detail on this in my next article.

Thanks.

References:
https://encyclopedia.kaspersky.com/glossary/indicator-of-compromise-ioc
https://www.crowdstrike.com/cybersecurity-101/indicators-of-compromise/
https://academy.picussecurity.com/path-player?courseid=cyber-threat-intelligence&unit=5ff84d9418369c74e6103556Unit
