Indicators of Compromise
In any communication infrastructure, one of the main concerns is preventing threats and detecting suspicious activity that could compromise the security of the network and the systems attached to it.
A security incident is defined as an adverse event that compromises or attempts to compromise the confidentiality, integrity, or availability of information.
The key to determining whether abnormal behavior is a (real or suspected) security incident is a preliminary analysis of the system state at a given moment. It involves checking multiple variables, such as increased network traffic, high CPU or RAM consumption, slow process response, execution of unknown binaries, changes in configuration files, etc., which in combination help detect or confirm that something abnormal is happening, so that a response appropriate to the type of event can follow.
Unfortunately, with this type of analysis, time is the greatest enemy: information about the potential incident can come from different sources (manual system checks by the administrator, user notifications, alerts from the various security and monitoring tools installed) and can be received and processed by different actors.
During the window in which this data is being obtained, correlated, and analyzed, the system remains exposed. The incident may grow in impact in the meantime, or it may turn out to be a simple false positive that only added to the workload of the incident response team.
Indicators of Compromise (IoCs) are used to identify a cybersecurity incident, malicious activity, or malicious artifacts using patterns that improve the capacity for action when facing such incidents. These patterns are pieces of evidence that an intrusion leaves behind in networks or on computers (file hashes, file names, registry keys, domain names, IP addresses, process names, and similar observables); they describe what an attack looks like after the fact, not how to carry one out.
Indicators of compromise may include, for example, new files, registry modifications, or applications that were never deliberately installed. By sharing this information, organizations can build a support network for a more effective response to attacks.
In other words, in the computer security context an indicator of compromise can be described as a model used to record, parameterize, compare, categorize, and share available information about the behavior of previously analyzed incidents. It covers the key variables and properties that lead to effective detection and classification, so that only the relevant elements of a suspect system are examined, without wasting time on additional checks that yield no useful result.
Importance
IoCs are important for communication infrastructures and devices because they allow attacks to be recognized early: artifacts observed on previously compromised devices can be searched for on other systems before the attacker has completed their objective. They can also be used retrospectively to identify affected networks or endpoints where an attack was not detected in time.
IoCs make it easier to develop security incident prevention plans and strengthen security systems for technology infrastructures, enhancing the defense provided by such applications as:
- Intrusion detection system (IDS)
- Intrusion prevention system (IPS)
- Firewall
- Antivirus
- SIEM
It is important to emphasize that an IoC definition is a living document (XML in the case of OpenIoC and IODEF, JSON in the case of STIX 2.x) for the exchange of information about cybersecurity incidents. In most cases, it is not definitive, but flexible and easily adaptable as the investigation progresses. Such a document can contain all types of evidence, whether specific to a single system or common to all affected systems.
IoC Implementation Models
Although there is no single universally adopted standard, different IoC implementation models have emerged over time. Listed below are some of the commonly used models, chosen depending on the company's needs:
- OASIS Cyber Threat Intelligence (CTI): This technical committee is supported by some of the leading security product vendors, and its goal is to define and standardize a set of information representations and protocols to address the need to analyze, model, and share cyber threat intelligence. Its best-known outputs are STIX (the representation of threat information, including indicator patterns) and TAXII (the transport protocol for exchanging it).
- IODEF (Incident Object Description Exchange Format) – RFC 5070: This format defines an XML schema for recording the technical variables of known incidents and is used mainly by computer security incident response teams (CSIRTs). It is aimed at automating incident data processing and providing a common format on which interoperable incident management tools can be built. RFC 5070 has since been obsoleted by RFC 7970 (IODEF version 2), which keeps the same goals with an updated schema.
- OpenIoC (Open Indicators of Compromise): This extensible XML schema, published under the Apache 2 license, describes technical characteristics that identify a known threat, an attacker's methodology, or other evidence of compromise, for the rapid detection of security breaches on a system. It emerged from the incident response practice of Mandiant, a company globally known for its analysis of cyber espionage cases. An OpenIoC document nests Indicator nodes combined with AND/OR operators; each leaf IndicatorItem names the artifact to inspect and the value or substring to compare it against.
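The following evaluator illustrates the nested AND/OR logic of an OpenIoC document. It is an added example written for this article, not code from Mandiant or from any OpenIoC tool. The sample document is constructed: it follows the OpenIoC 1.0 layout (ioc, definition, Indicator, IndicatorItem with a Context search path and a Content value), but the id, hash, file name and registry path values are invented, and the host inventories it is matched against are likewise made up. Only the `is` and `contains` conditions are implemented.

```python
"""Evaluate a constructed OpenIoC-style document against observed host artifacts."""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed example document (OpenIoC 1.0 layout; all values invented).
# Logic: (md5 matches) OR (file name contains "svchosts.exe" AND a Run key exists).
SAMPLE_IOC = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-1111-2222-3333-444444444444" last-modified="2024-01-01T00:00:00">
  <short_description>Constructed example: dropper and persistence key</short_description>
  <definition>
    <Indicator operator="OR" id="root">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0f1e2d3c4b5a69788796a5b4c3d2e1f0</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="branch-2">
        <IndicatorItem id="item-2" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svchosts.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="item-3" condition="is">
          <Context document="RegistryItem" search="RegistryItem/KeyPath" type="mir"/>
          <Content type="string">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host inventories: search path -> list of observed values.
COMPROMISED_HOST = {
    "FileItem/Md5sum": ["9e107d9d372bb6826bd81d3542a419d6"],
    "FileItem/FileName": [r"C:\Windows\Temp\svchosts.exe", r"C:\Windows\System32\svchost.exe"],
    "RegistryItem/KeyPath": [r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"],
}
HASH_ONLY_HOST = {
    "FileItem/Md5sum": ["0f1e2d3c4b5a69788796a5b4c3d2e1f0"],
    "FileItem/FileName": [r"C:\Users\Public\update.bin"],
    "RegistryItem/KeyPath": [],
}
CLEAN_HOST = {
    "FileItem/Md5sum": ["9e107d9d372bb6826bd81d3542a419d6"],
    "FileItem/FileName": [r"C:\Windows\System32\svchost.exe"],
    "RegistryItem/KeyPath": [r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"],
}

# Comparison functions for the IndicatorItem "condition" attribute (case-insensitive).
CONDITIONS = {
    "is": lambda observed, expected: observed.lower() == expected.lower(),
    "contains": lambda observed, expected: expected.lower() in observed.lower(),
}


def _local_name(elem):
    """Strip the namespace from an element tag, e.g. '{ns}Indicator' -> 'Indicator'."""
    return elem.tag.rsplit("}", 1)[-1]


def item_matches(item, artifacts):
    """One IndicatorItem matches if any observed value at its search path satisfies the condition."""
    search = item.find("ioc:Context", NS).get("search")
    expected = item.find("ioc:Content", NS).text.strip()
    test = CONDITIONS[item.get("condition")]
    return any(test(value, expected) for value in artifacts.get(search, []))


def indicator_matches(indicator, artifacts):
    """Recursively combine children with the node's AND/OR operator; an empty node never matches."""
    results = []
    for child in indicator:
        name = _local_name(child)
        if name == "IndicatorItem":
            results.append(item_matches(child, artifacts))
        elif name == "Indicator":
            results.append(indicator_matches(child, artifacts))
    combine = all if indicator.get("operator", "OR").upper() == "AND" else any
    return combine(results) if results else False


def evaluate_ioc(xml_text, artifacts):
    """Return (short_description, matched) for one host inventory."""
    root = ET.fromstring(xml_text)
    description = root.findtext("ioc:short_description", default="", namespaces=NS)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    return description, indicator_matches(top, artifacts)


if __name__ == "__main__":
    for label, host in [("compromised", COMPROMISED_HOST), ("hash-only", HASH_ONLY_HOST), ("clean", CLEAN_HOST)]:
        description, hit = evaluate_ioc(SAMPLE_IOC, host)
        print(f"{label:>11}: {'MATCH' if hit else 'no match'} ({description})")
```

The point of the tree walk is that a single matching artifact is rarely enough: the `branch-2` node only fires when the suspicious file name and the persistence key are both present, which is what keeps a legitimate `svchost.exe` from triggering the indicator on the clean host.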
Most Common Indicators of Compromise
In the quest to detect data breaches faster, indicators of compromise can serve as important alerts to identify the progress of an attack and attempt to mitigate it in its early stages. The most common IoCs include:
- Unusual Network Traffic: It is considered one of the most telltale signs that something is wrong. Any abnormal movement detected in the traffic should be a red flag for administrators. Even though it may not be an attack, it must be verified that there are no vulnerabilities that could become an access point for one.
- User Account Anomalies: Changes in user behavior may indicate that the account in question is being used by someone else. Watching out for changes in activity time, systems accessed, type or amount of information processed can help detect a breach early.
- Geographic Irregularities: Logins from locations not associated with the organization, or the same user logging in from different IP addresses within a short period, may indicate a problem. Often this means that an attacker is using a set of compromised credentials to log into sensitive systems, though VPNs and mobile users also produce such patterns, so the indicator needs context before it is acted on.
- Authentication Red Flags: Failed login attempts against accounts that do not exist often indicate that someone is trying to guess credentials to access the system. Likewise, a successful login following numerous failed attempts is a clue that it may not be the account owner who is accessing the data.
- Spikes in Database Read Volume: As an attacker tries to retrieve valuable information from a database, they typically cause a surge in read volume far above what ordinary operations produce, indicating that data is being extracted.
- Mismatched Port-Application Traffic: Attackers often use unusual ports to blend in or to evade port-based filtering, for example an application speaking HTTP on a non-standard port, or a protocol other than TLS on port 443. If an application is using a port it does not normally use, it should be treated as a red flag.
- Suspicious System File Changes: To survive a reboot, an attacker usually has to change something on the compromised host: system files, startup entries, scheduled tasks, or (on Windows) registry keys such as the Run keys. Capturing the tooling itself (a sniffer, a dropper) is often unlikely, but the changes made to establish persistence are observable. Defining what the normal file system and registry are supposed to contain and monitoring deviations from that baseline can significantly improve the security team's response time.
- DNS Anomalies: A large increase in DNS requests from a specific host to external servers, especially for many distinct subdomains of the same domain, can be a good indicator of suspicious activity such as command-and-control beaconing or DNS tunneling. The distinctive patterns in this traffic can be recognized and serve as common IoCs.
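Several of the indicators above can be turned directly into detection logic. The following detectors are an added example written for this article, not code from any product; they run over constructed auth and DNS log lines in a simple whitespace-separated format chosen for illustration (real syslog, Windows event or resolver logs would need their own parsing). The thresholds, the list of known users, and the use of a change of source IP as a stand-in for a geographic change are all assumptions made for the example.

```python
"""Detectors for four of the IoCs described above, run over constructed log lines."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed auth log. Fields: timestamp user source_ip result
AUTH_LOG = """\
2024-03-01T09:00:01 alice 10.0.0.5 success
2024-03-01T09:05:12 alice 10.0.0.5 success
2024-03-01T02:13:01 bob 198.51.100.7 failure
2024-03-01T02:13:02 bob 198.51.100.7 failure
2024-03-01T02:13:03 bob 198.51.100.7 failure
2024-03-01T02:13:04 bob 198.51.100.7 failure
2024-03-01T02:13:05 bob 198.51.100.7 failure
2024-03-01T02:13:09 bob 198.51.100.7 success
2024-03-01T02:13:11 nonexistent_admin 198.51.100.7 failure
2024-03-01T10:00:00 carol 10.0.0.9 success
2024-03-01T10:04:00 carol 203.0.113.44 success
"""
KNOWN_USERS = {"alice", "bob", "carol"}  # assumed directory contents

# Constructed DNS log. Fields: timestamp host queried_name
# ws-01 is a quiet baseline; ws-17 issues 60 queries for unique subdomains in one minute.
DNS_LOG = [
    "2024-03-01T10:00:05 ws-01 example.com",
    "2024-03-01T10:00:40 ws-01 mail.example.com",
    "2024-03-01T10:01:15 ws-01 example.net",
] + [f"2024-03-01T10:00:{i:02d} ws-17 {i:04x}.exfil-example.net" for i in range(60)]


def parse_auth(text):
    """Parse the constructed auth format into (timestamp, user, ip, result), sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Success preceded by >= threshold failures for the same user inside the window."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failures
    for ts, user, ip, result in events:
        if result == "failure":
            failures[user].append(ts)
        elif result == "success":
            recent = [t for t in failures[user] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append((user, ip, len(recent)))
            failures[user].clear()
    return alerts


def detect_unknown_accounts(events, known_users):
    """Failed logins against accounts that do not exist point to credential guessing."""
    return sorted({(user, ip) for _, user, ip, result in events
                   if result == "failure" and user not in known_users})


def detect_multiple_sources(events, window=timedelta(minutes=10)):
    """Same user succeeding from two different source IPs within the window."""
    alerts = set()
    seen = defaultdict(list)  # user -> [(timestamp, ip)] of successes
    for ts, user, ip, result in events:
        if result != "success":
            continue
        for prev_ts, prev_ip in seen[user]:
            if prev_ip != ip and ts - prev_ts <= window:
                alerts.add((user, prev_ip, ip))
        seen[user].append((ts, ip))
    return sorted(alerts)


def detect_dns_spikes(dns_lines, threshold=30):
    """Count queries per host in one-minute buckets; flag any bucket above the threshold."""
    buckets = Counter()
    for line in dns_lines:
        ts, host, _qname = line.split()
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        buckets[(host, minute)] += 1
    return sorted((host, minute.isoformat(), n)
                  for (host, minute), n in buckets.items() if n > threshold)


if __name__ == "__main__":
    events = parse_auth(AUTH_LOG)
    print("password guessing:", detect_password_guessing(events))
    print("unknown accounts:", detect_unknown_accounts(events, KNOWN_USERS))
    print("multiple sources:", detect_multiple_sources(events))
    print("dns spikes:", detect_dns_spikes(DNS_LOG))
```

Each detector deliberately keeps state per user or per host rather than looking at single lines, because the indicators in the list above are all about a change relative to what is normal for that principal. In production the thresholds would come from a measured baseline, and an alert from any one detector is a trigger for verification, not proof of compromise.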
Generally speaking, by learning to manage IoCs, you can understand how to protect the information carried by a communication infrastructure. These indicators can be used to create and improve a set of tools that are key to identifying and preventing cybersecurity incidents.
The power of IoCs lies in the sharing of incident-related information, allowing the security teams in charge to apply it to their own systems. Less time spent repeating work that has already been done, tested, and shared through a trusted IoC feed means more time spent reducing incident risk.
IoCs offer a baseline for identifying the different variables associated with security incidents or attacks, so that a potentially affected device can be compared against these parameters and a quick, effective response can follow.