In this post, we describe indicators of compromise and build an understanding of how they are used. As the name suggests, an indicator of compromise, or IoC, indicates that an attack or some other kind of malicious activity has taken place. An IoC is the technical data used in tactical threat intelligence. It can also serve as forensic evidence of malicious activity, and it is one of the key intelligence inputs for threat intelligence analysis.
Indicators of compromise can come from many sources, and they fall into the two categories of external agencies or internal sources.
External agencies may be commercial or industry sources, or free IoC sources available online such as IOC Bucket and MISP. Examples of commercial or industry‑based IoC sources include your antivirus or antimalware vendors, each of which maintains a large library of IoCs. Some of the key free IoC sources available to us include the Malware Information Sharing Platform (MISP) and AlienVault OTX, which we have already discussed and which is a great resource across many different areas. We also have the dedicated IOC Bucket, which allows you to create your own IoCs and share them with the community. The Blueliv Threat Exchange Network is another good example of a free IoC source.
There are several different ways to collect the logs and events that allow us to analyze and spot IoCs. They may come from commercially available systems, from free-to-use systems, or from internal sources such as system logs and event viewers. Some of the key indicators to look for include unusual outbound network traffic and geographical anomalies; examples are user accounts logging on from foreign locations or conducting some form of risky sign‑in activity. Multiple login failures are another IoC, pointing to a potential attack mounted against one of your user accounts. You can also spot anomalies in traffic, such as an increase in database read volume or HTML response size anomalies, unusual DNS requests, and suspicious file and registry changes.
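As an added example (not from the original post), the following Python script checks a constructed authentication log for two of the IoC patterns named above: a burst of login failures against one account, and a successful sign‑in from a second country too soon after the previous one. The log format, the five‑failures‑in‑five‑minutes and one‑hour thresholds, and the sample IP addresses and countries are all assumptions chosen for the illustration.

```python
# Added example: flagging login-failure bursts and geographic sign-in
# anomalies in authentication logs. Log format and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, result, source IP, country code.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice SUCCESS 203.0.113.5 US
2024-03-01T09:01:10Z bob FAILURE 198.51.100.7 DE
2024-03-01T09:01:12Z bob FAILURE 198.51.100.7 DE
2024-03-01T09:01:15Z bob FAILURE 198.51.100.7 DE
2024-03-01T09:01:18Z bob FAILURE 198.51.100.7 DE
2024-03-01T09:01:21Z bob FAILURE 198.51.100.7 DE
2024-03-01T09:01:30Z bob SUCCESS 198.51.100.7 DE
2024-03-01T09:40:00Z alice SUCCESS 192.0.2.44 BR
2024-03-01T10:15:00Z carol SUCCESS 203.0.113.9 US
2024-03-01T10:20:00Z carol FAILURE 203.0.113.9 US
"""

FAIL_THRESHOLD = 5                    # failures needed to raise a finding
FAIL_WINDOW = timedelta(minutes=5)    # ...within this sliding window
TRAVEL_WINDOW = timedelta(hours=1)    # two countries inside this = anomaly


def parse_log(text):
    """Parse the whitespace-separated sample format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, country = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "result": result, "ip": ip, "country": country,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_login_failure_bursts(events):
    """Users with >= FAIL_THRESHOLD failures inside any FAIL_WINDOW span."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            failures[e["user"]].append(e["ts"])
    findings = []
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits in FAIL_WINDOW.
            while times[end] - times[start] > FAIL_WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                findings.append({"user": user, "indicator": "login_failure_burst",
                                 "count": end - start + 1,
                                 "first": times[start], "last": times[end]})
                break  # one finding per user is enough for triage
    return findings


def find_geo_anomalies(events):
    """Users whose consecutive successful sign-ins come from two countries
    within TRAVEL_WINDOW (a simple 'impossible travel' style check)."""
    last_success = {}
    findings = []
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] \
                and e["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            gap = e["ts"] - prev["ts"]
            findings.append({"user": e["user"], "indicator": "geo_anomaly",
                             "from": prev["country"], "to": e["country"],
                             "minutes_apart": int(gap.total_seconds() // 60)})
        last_success[e["user"]] = e
    return findings


def analyze(text=SAMPLE_LOG):
    """Run both detections and return the combined list of findings."""
    events = parse_log(text)
    return find_login_failure_bursts(events) + find_geo_anomalies(events)


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

Running it reports one failure burst for `bob` and one geographic anomaly for `alice`; `carol` produces nothing because a single failure and a single sign‑in are within the baseline. The thresholds are the part you tune against your own baseline monitoring.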
This list is not exhaustive, which is why it is very important to conduct baseline monitoring so that you get to know your network; once you do, it is far easier to spot unusual traffic or anything else that constitutes an anomaly. You can also build your own custom IoCs. As an analyst, you can base these on the particular patterns you observe on your internal network, and you can express them using the OpenIOC framework, which uses an extensible XML schema for scanning hosts. The great advantage is that once such an IoC is in place it can be shared between organizations, and several online tools will assist you with this, including the IOC Editor, the IOC Bucket once again, and ioc_writer. The indicators of compromise themselves provide vital intelligence that can predict future threats and attacks and, of course, may also be very effective against a live system or network. When it comes to using IoC data effectively, you first need to define the objectives of using IoCs in your defense strategy. You can then identify the relevant and important IoCs from the resources available to you.
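To make the OpenIOC idea concrete, here is an added example (not code from the post or from any OpenIOC tool) that writes a small custom host indicator in the OpenIOC 1.0 XML layout and evaluates it against a list of file records collected from a host. The indicator ids, the MD5 value, the file name `svchost32.exe` and the host records are all constructed placeholders; only the `is` and `contains` conditions are implemented, and the evaluator applies the AND/OR logic per file record so that a name match and a path match must come from the same file.

```python
# Added example: a constructed OpenIOC 1.0-style indicator and a small
# evaluator that applies its AND/OR logic to per-file host records.
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed IoC (ids, hash and names are placeholders, not real indicators).
# Logic: hash matches, OR (file name matches AND path is under AppData\Roaming).
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-4000-8000-000000000001" last-modified="2024-03-01T00:00:00">
  <short_description>Constructed example dropper</short_description>
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-2">
        <IndicatorItem id="item-2" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svchost32.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="item-3" condition="contains">
          <Context document="FileItem" search="FileItem/FilePath" type="mir"/>
          <Content type="string">\\AppData\\Roaming\\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def _item_matches(item, record):
    """Evaluate one IndicatorItem against a single file record."""
    search = item.find("ioc:Context", NS).get("search")
    value = item.find("ioc:Content", NS).text or ""
    observed = record.get(search)
    if observed is None:
        return False
    condition = item.get("condition")
    if condition == "is":
        return observed.lower() == value.lower()
    if condition == "contains":
        return value.lower() in observed.lower()
    raise ValueError(f"unsupported condition: {condition}")


def _indicator_matches(indicator, record):
    """Recursively combine child items with the Indicator's AND/OR operator."""
    results = []
    for child in indicator:
        tag = child.tag.rsplit("}", 1)[-1]      # strip the namespace
        if tag == "IndicatorItem":
            results.append(_item_matches(child, record))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, record))
    op = (indicator.get("operator") or "OR").upper()
    return all(results) if op == "AND" else any(results)


def scan_host(ioc_xml, file_records):
    """Return the file records that satisfy the IoC's top-level indicator."""
    root = ET.fromstring(ioc_xml)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    return [r for r in file_records if _indicator_matches(top, r)]


# Constructed host inventory: one benign file, one name+path hit,
# one name-only near miss, and one hash hit under an innocent name.
SUSPECT_HOST = [
    {"FileItem/FileName": "notepad.exe",
     "FileItem/FilePath": r"C:\Windows\System32\notepad.exe",
     "FileItem/Md5sum": "ffffffffffffffffffffffffffffffff"},
    {"FileItem/FileName": "svchost32.exe",
     "FileItem/FilePath": r"C:\Users\bob\AppData\Roaming\svchost32.exe",
     "FileItem/Md5sum": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"},
    {"FileItem/FileName": "svchost32.exe",
     "FileItem/FilePath": r"C:\Windows\System32\svchost32.exe",
     "FileItem/Md5sum": "dddddddddddddddddddddddddddddddd"},
    {"FileItem/FileName": "report.pdf",
     "FileItem/FilePath": r"C:\Users\bob\Documents\report.pdf",
     "FileItem/Md5sum": "0123456789ABCDEF0123456789ABCDEF"},
]

if __name__ == "__main__":
    for hit in scan_host(SAMPLE_IOC, SUSPECT_HOST):
        print("match:", hit["FileItem/FilePath"])
```

Two records match: the file under `AppData\Roaming` (name AND path) and `report.pdf` (hash only, compared case‑insensitively). The `svchost32.exe` under `System32` does not match, because the AND branch requires both conditions on the same file; evaluating items across different files would produce false positives.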
IoCs are split into two main categories:
Network-based indicators. These cover everything related to network connectivity. The URL of a malicious website is an indicator, and a domain can also be considered an indicator of compromise: one infection scenario is that all requests made for a certain domain are redirected to a malicious website. IP addresses can serve as alternatives to URLs; for example, they can be embedded inside malicious scripts and used to download second-stage malware. Examples:
URL
Website
Domain
IP address
The second important category is host-based indicators: artifacts that can be found on the computer system itself. A simple example is a file name. Think of a computer virus that logs information about the host it infects in a specific file; that file name would be considered an indicator. The file path is also important, since Windows malware uses specific locations in order to be auto-executed even after the computer restarts. A special breed of indicators is file hashes, which uniquely identify files by their contents. Examples:
File Name
Path
File Fingerprint or Hash
File Extension
File Location
Account information can also be considered an indicator. For example, logins from different systems or locations using the same account should raise suspicion. Examples:
Account Name
Login Time
Account Privileges
Account Activity Logs
Account Location
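The network-based and host-based indicators listed above often arrive as a mixed bag of strings from a feed or a report, sometimes "defanged" (`hxxp://`, `[.]`) so they cannot be clicked by accident. The following added example, written for this post rather than taken from it or from any of the tools it names, normalizes such strings and sorts them into the two categories. The classification is heuristic and the extension list is an assumption: a bare `update.js` could be a file name or a host under the `.js` top-level domain, so the code treats known executable extensions as file names and notes that ambiguity in a comment.

```python
# Added example: refang defanged indicators and sort them into the
# network-based and host-based categories. Heuristic, not a full parser.
import ipaddress
import re
from collections import defaultdict

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
# Assumed list of extensions that mark a string as a file name rather than a
# domain. "update.js" is ambiguous (.js is also a TLD); this is a heuristic.
FILE_EXTENSIONS = {"exe", "dll", "sys", "scr", "bat", "cmd", "ps1", "vbs",
                   "js", "jar", "docm", "xlsm", "lnk", "zip"}
DOMAIN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
WIN_PATH_RE = re.compile(r"^[a-z]:\\", re.I)


def refang(value):
    """Undo common defanging so the indicator matches how it appears in logs."""
    return (value.strip()
            .replace("hxxps://", "https://").replace("hxxp://", "http://")
            .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":"))


def classify(indicator):
    """Return (category, kind) for one indicator string."""
    s = refang(indicator)
    if re.fullmatch(r"[0-9a-f]+", s, re.I) and len(s) in HASH_TYPES:
        return ("host", "hash:" + HASH_TYPES[len(s)])
    try:
        ipaddress.ip_address(s)          # accepts IPv4 and IPv6
        return ("network", "ip")
    except ValueError:
        pass
    if "://" in s:
        return ("network", "url")
    if WIN_PATH_RE.match(s) or s.startswith("/"):
        return ("host", "path")
    if "." in s and s.rsplit(".", 1)[1].lower() in FILE_EXTENSIONS:
        return ("host", "filename")      # checked before domains, see note above
    if DOMAIN_RE.match(s):
        return ("network", "domain")
    return ("unknown", "unknown")


def bucket(indicators):
    """Group a list of raw indicator strings by category, refanged."""
    groups = defaultdict(list)
    for raw in indicators:
        category, kind = classify(raw)
        groups[category].append((kind, refang(raw)))
    return dict(groups)


# Constructed sample feed using reserved documentation names and addresses.
SAMPLE_FEED = [
    "hxxp://evil[.]example[.]com/drop.php",
    "c2[.]example[.]net",
    "198.51.100.7",
    "svchost32.exe",
    r"C:\Users\bob\AppData\Roaming\svchost32.exe",
    "0123456789abcdef0123456789abcdef",
    "alice",   # an account name: not classifiable from the string alone
]

if __name__ == "__main__":
    for category, items in bucket(SAMPLE_FEED).items():
        print(category)
        for kind, value in items:
            print(f"  {kind:12} {value}")
```

Account-based indicators such as `alice` land in `unknown`: they only become meaningful together with the login time, privileges and location from the account activity logs, which is why the post lists those fields alongside the account name.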
It is important to identify the relevant and important IoCs from the resources available to you. You can also use IoCs to find pivot points within the IoC data itself, which can then reveal vulnerable areas of your systems and networks. Analytical tools can visualize IoCs, which is a great help for both analysis and reporting. As with all reporting, it is very important to know who your target audience and leadership will be, so that you can set the technical level and the level of dissemination for your particular report. On the reporting side, there are several areas to be concerned with: the quality and curation of your report, to whom it is going, and its velocity and volume, that is, the speed at which you report and how much information you need to include for your target audience.
We hope this post has helped you understand indicators of compromise (IoCs). Thanks for reading.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.