If you’ve been in a security field that involves incident response/threat hunting, you’ve probably heard of the term “indicator of compromise” (IOC). In computer forensics, an IOC is an artifact that can be observed on a network or a host that indicates, with a relatively high level of confidence, a computer intrusion.
Not all artifacts from a cyber event will be considered an IOC. Artifacts that are left during an attempted, but perhaps not successful, intrusion are known as precursors. While an IOC can help to identify an intrusion that may have already occurred, a precursor can help to identify when an intrusion may be in the process of occurring.
What Do We Consider An Indicator of Compromise?
Indicators of compromise can range from a simple string to a series of actions performed in a certain order. Here is a list of examples of the different types of IOCs you may encounter.
- IP Address
- Domain Name
- Website Name
- File Hash
- User/Account Name
- Service and Process Names
- Registry Key, Path, and Value
- Directory Path
- Virus Signature
- “Strings” within a file
- DNS txt record abnormalities
- Files referencing /etc
- System API Call
While those pieces of data can be easily found using a variety of security tools, there are also a number of behaviours that may indicate an intrusion.
- Unusual/Unaccounted for outbound traffic
- Unusual/Unaccounted for traffic between client networks (subnets)
- Privileged account anomalous usage
- User account active from anomalous IPs
- Excessive failed logins
- Activity from unexpected geographic regions
- Increased traffic to specific resource
- Baseline changes in RDBMS activity
- Change in web browsing requests / request habits
- Well known port vs. application usage
- Unencrypted traffic on ports that normally carry encrypted traffic
- Unexplainable Registry and File system changes
- Malformed, overly short, and anomalous DNS requests
- Patching that didn’t follow the official Change Management schedule
- Changes to mobile platforms
- Unexplained file creation
- Web Browsing spikes and anomalous traffic patterns during irregular times
- Service changes
- Anomalous account management activity
- Anomalous file transfers
- Changes to file permissions
- Changes outside of normal maintenance hours
- Access to URLs outside of the Alexa Top 1 Million
- High CPU usage
There are a number of other behaviours that I’m sure you can think of that may also be an indicator of compromise. One of the best sources for techniques that can be used to build a larger list of behaviours is the MITRE ATT&CK Enterprise Techniques matrix.
How Is This Information Valuable to a Security Professional?
Security monitoring is not a perfect science and relies on security professionals to create, tune, and update the various security tools that are used to detect information security threats, including a tool known as the Security Information and Event Management (SIEM) system. A SIEM is a key tool for Security Operations teams that ingests, manipulates, and displays logs from various services and provides security professionals a perfect tool for investigating security incidents.
Security professionals in the monitoring and detection role can use an indicator of compromise to build alerts and detection content based on real-world events and detections. This is an essential part of any SOC program, and is a proactive approach to cyber defense. Using IOCs in your environment is also a reactive approach to cyber defense, but it can help to identify threats in your environment that may have been missed initially. For example:
A security professional takes a list of IOCs related to a recent data breach carried out by Darkside and investigated by FireEye. FireEye, like many security companies, publishes intelligence data for use by others. The security professional not only adds those IOCs to existing detection content, but also reviews historical logs for them, which gives the security team a limited degree of confidence that the environment was not previously impacted by a threat that has only now become detectable.
IOCs are a type of open source intelligence (OSINT) and are available from many sources in many formats. You may get something as simple as a list of IP addresses; however, there has been some work over the years to create a standard way of creating, storing, and sharing indicators of compromise, the best known of these standards being STIX and TAXII.
Essentially, both STIX and TAXII offer the same results; they just do it in different ways. STIX uses relationships between objects to build intelligence, while TAXII utilizes collections within a more standard client-server distribution model. Many SIEM tools can ingest both STIX and TAXII feeds for automated intelligence gathering and for updating IOC block lists.
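As an added example (not code from the original post or from any vendor), the following Python script ties the two ideas above together: it pulls atomic IOCs out of a STIX 2.1 indicator bundle and then sweeps historical key=value log lines for them, the retrospective review described in the FireEye/Darkside example. The bundle, the hash and the log lines are constructed for illustration; the parser only handles the single-comparison STIX patterns that most published feeds emit.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for a vendor feed (not real intelligence).
FAKE_HASH = "a1b2c3d4" * 8  # constructed 64-hex-character placeholder, not a real file hash
INDICATORS = [  # (name, STIX pattern) pairs in the single-comparison form most feeds publish
    ("C2 address", "[ipv4-addr:value = '203.0.113.7']"),
    ("Staging domain", "[domain-name:value = 'files.example.test']"),
    ("Dropper hash", "[file:hashes.'SHA-256' = '%s']" % FAKE_HASH),
]
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--constructed", "objects": [
    {"type": "indicator", "id": "indicator--%d" % i, "name": n, "pattern_type": "stix", "pattern": p}
    for i, (n, p) in enumerate(INDICATORS, 1)]})

# Constructed proxy/firewall log lines in key=value form (mixed case on purpose).
SAMPLE_LOGS = [
    "2021-05-10T08:01:22Z proxy user=alice dst=FILES.example.test url=/a.exe sha256=" + FAKE_HASH.upper(),
    "2021-05-10T08:03:05Z fw action=allow src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2021-05-10T08:04:11Z fw action=allow src=10.0.0.5 dst=198.51.100.20 dport=443",
]

PATTERN_RE = re.compile(
    r"\[(ipv4-addr:value|domain-name:value|file:hashes\.'SHA-256') = '([^']+)'\]")
KV_RE = re.compile(r"(\w+)=(\S+)")  # splits a log line into key=value fields

def extract_iocs(bundle_json):
    """Return {ioc_value (lower-cased): indicator name} from a STIX 2.1 bundle."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # relationships, malware objects, etc. carry no atomic IOC
        m = PATTERN_RE.fullmatch(obj["pattern"])
        if m:  # compound patterns (AND/OR, FOLLOWEDBY) are out of scope here
            iocs[m.group(2).lower()] = obj.get("name", obj["id"])
    return iocs

def sweep_logs(lines, iocs):
    """Retrospective sweep: flag every key=value field whose value is a known IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for key, value in KV_RE.findall(line):
            name = iocs.get(value.lower())  # case-insensitive: domains and hex hashes
            if name:
                hits.append((n, key, value, name))
    return hits

if __name__ == "__main__":
    for n, key, value, name in sweep_logs(SAMPLE_LOGS, extract_iocs(STIX_BUNDLE)):
        print(f"line {n}: {key}={value} matches indicator '{name}'")
```

Run it and the first two log lines are flagged (domain, hash and C2 address) while the third, benign line is not.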