An indicator of compromise (IoC) is a piece of information indicating that a cyberattack may have breached an IT system. IoCs provide important knowledge about potential data breaches, allowing security teams to investigate incidents.
Typically, a computer security incident response team (CSIRT) uses IoCs to detect malware threats, implement sandbox security, and evaluate the accuracy of heuristic analysis. Indicators of compromise also help identify, prevent, or block attacks, reducing the damage to an organization.
This is part of our series of articles about vulnerability management.
In this article:
- How Can You Recognize the Indicators?
- 9 Examples of Indicators of Compromise
- Why You Should Monitor for Indicators of Compromise
- Indicators of Compromise (IoC) vs. Indicators of Attack (IoA)
- IoC Lifecycle
  - Detection and Response
  - End of Life
- Indicators of Compromise in Kubernetes
  - Spikes in Container Memory or CPU
  - Attachment to Cluster-Admin Roles
  - Unusual User Activity
  - Unexpected Processes
  - Unexpected File System Changes
- IoC Security: Detection and Response
How Can You Recognize the Indicators?
Various events can indicate a security breach, including unusual network patterns, account activity, unknown files, and inexplicable configuration changes:
- Outbound traffic anomalies—cybersecurity analysts and system administrators can learn about potential breaches by tracking outbound network traffic. For example, installed spyware could be communicating with a command-and-control server or exfiltrating sensitive data. Traffic monitoring and intrusion detection tools can alert the security team to unusual network events.
- User account anomalies—attackers often exploit compromised user accounts to escalate privileges. Unauthorized users can gain access to privileged accounts using phishing and other social engineering techniques. If an organization doesn’t have a defense-in-depth strategy or strong access control measures based on the principle of least privilege, compromised accounts can easily lead to escalation attacks.
- Database anomalies—most companies store sensitive data in databases, making them an attractive target for malicious actors. If there is a spike in the database read volume, it might indicate that an attacker is trying to compromise the data.
- Geographical anomalies—traffic anomalies are not limited to spikes in bandwidth usage. If traffic originates from an unusual location, it could indicate malicious activity.
- Unauthorized registry changes—some malware can make registry changes. Establishing a baseline for the registry and system files can help identify suspicious changes associated with a malware infection.
- Leaked credentials—attackers can use stolen or leaked login credentials to launch cyberattacks. Monitoring for leaked credentials is important for identifying compromises.
9 Examples of Indicators of Compromise
Here are some common IoCs:
- Unauthorized access to system resources, such as servers or databases.
- Changes to system files or configurations that cannot be explained or that occurred without the knowledge of the system administrator.
- Network traffic patterns that are unusual or unexpected, such as a sudden increase in traffic from a specific IP address or domain.
- The presence of malicious software, such as viruses, trojans, or ransomware, on a system.
- Unauthorized access to sensitive data, such as customer records or financial information.
- User accounts that may have been compromised, such as through the use of weak passwords or social engineering techniques.
- Unexplained changes to system logs or other records.
- Unexpected or unauthorized changes to system configurations or settings.
- Mismatched port-application traffic that suggests that an unauthorized application or process is communicating over a network port that it should not be using.
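As an added example (not code from the original article), the following script applies two of the checks above to flow records: the port-application mismatch check, and the outbound-volume check used for spotting exfiltration. The per-port baseline, the flow records and the hosts in them are constructed for the demonstration.

```python
# Added example, not from the original article: flag flows whose detected
# application does not match the destination port's expected protocol, and
# flows whose outbound volume is far above the port's normal baseline.
# Flow records are constructed; in practice they come from a flow collector
# or an IDS that performs protocol identification.
from collections import Counter

# Assumed baseline per well-known port: (expected application, typical bytes out per flow)
BASELINE = {22: ("ssh", 200_000), 53: ("dns", 2_000), 80: ("http", 500_000), 443: ("tls", 2_000_000)}
VOLUME_FACTOR = 10  # flag flows sending more than 10x the typical outbound bytes

# Constructed sample flows: (src, dst, dst_port, detected application, bytes out)
FLOWS = [
    ("10.0.1.15", "203.0.113.10", 443, "tls", 4_200),
    ("10.0.1.15", "203.0.113.10", 443, "ssh", 910_000),          # SSH tunnelled over 443
    ("10.0.1.22", "198.51.100.7", 53, "dns", 120),
    ("10.0.1.22", "198.51.100.7", 53, "unknown", 2_400_000),     # bulk data on the DNS port
    ("10.0.1.30", "192.0.2.44", 80, "http", 3_000),
    ("10.0.1.30", "192.0.2.44", 443, "tls", 31_000_000),         # TLS as expected, but a huge upload
    ("10.0.1.30", "192.0.2.44", 8443, "tls", 5_000),             # no baseline for this port: skipped
]

def find_anomalies(flows, baseline=BASELINE, factor=VOLUME_FACTOR):
    """Return one finding per (flow, reason); a single flow can trigger both checks."""
    findings = []
    for src, dst, port, app, nbytes in flows:
        if port not in baseline:
            continue  # nothing to compare against; extend the baseline rather than guess
        expected_app, typical_bytes = baseline[port]
        if app != expected_app:
            findings.append({"src": src, "dst": dst, "port": port, "reason": "port-app mismatch",
                             "detail": f"expected {expected_app}, saw {app}"})
        if nbytes > factor * typical_bytes:
            findings.append({"src": src, "dst": dst, "port": port, "reason": "outbound volume",
                             "detail": f"{nbytes} bytes out vs typical {typical_bytes}"})
    return findings

def hosts_by_finding_count(findings):
    """Rank internal hosts by how many findings they produced, to set triage order."""
    return Counter(f["src"] for f in findings).most_common()

if __name__ == "__main__":
    found = find_anomalies(FLOWS)
    for f in found:
        print(f"{f['reason']:18} {f['src']} -> {f['dst']}:{f['port']}  {f['detail']}")
    print(hosts_by_finding_count(found))
```

Ports with no baseline are skipped on purpose: guessing an expected protocol for them produces noise, so extend the baseline instead.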
Why You Should Monitor for Indicators of Compromise
Organizations should monitor for indicators of compromise (IoCs) to detect and respond to potential security incidents in a timely manner. Monitoring for IoCs can help organizations detect and respond to threats that could disrupt critical systems or services, such as malware or ransomware attacks. It also helps protect sensitive data, such as customer records or financial information, by blocking unauthorized access attempts.
Data breaches and other security incidents can damage an organization’s reputation and trust with customers, partners, and other stakeholders. Identifying IoCs can help organizations prevent or mitigate these types of incidents.
Recurring indicators of compromise (IoCs) are important because they can indicate that an organization’s systems or networks are being repeatedly targeted by the same threat actor or type of attack. This can be a sign of a persistent or advanced threat that requires more in-depth analysis and a more robust response.
Indicators of Compromise (IoC) vs. Indicators of Attack (IoA)
An indicator of attack (IoA) is similar to an IoC, except that it focuses on detecting malicious activity during a cyber attack rather than relying on forensic analysis after the attack has occurred. IoCs are reactive, helping to explain what happened after the fact. IoAs are part of a more proactive approach that investigates what is happening during an attack.
A robust security strategy leverages both types of indicators to identify threats as early as possible and support effective response measures.
IoC Lifecycle
The IoC lifecycle refers to the process of detecting, analyzing, and responding to potential security threats or incidents. It is an ongoing process for as long as the IoC is considered relevant.
The discovery phase is typically the first step in the IoC lifecycle, and it involves using various methods to identify potential threats or anomalies.
There are several ways that organizations can discover potential IoCs, including:
- Monitoring system logs: By analyzing system logs, organizations can identify unusual or suspicious activity that may indicate a security incident. For example, failed login attempts or access to sensitive data by unauthorized users may be indicators of compromise.
- Analyzing network traffic: By monitoring network traffic patterns, organizations can identify unusual or unexpected traffic that may indicate a security incident. This can include a sudden increase in traffic from a specific IP address or domain, or traffic that is using an unusual port or protocol.
- Running security scans: Organizations can use various types of security scanners to search for indicators of compromise, such as viruses, malware, or vulnerabilities in system configurations.
- Receiving alerts from security devices or software: Many security devices and software programs are designed to alert organizations when they detect potential indicators of compromise. These alerts can help organizations respond to potential threats in a timely manner.
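The log-monitoring method above, worked through as an added example (not code from the original article): a sliding-window detector over SSH authentication log lines that reports a burst of failed logins from one source, and a successful login from that source while the burst is still inside the window. The log lines, host names and addresses are constructed; the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format OpenSSH writes (not a real capture).
AUTH_LOG = """\
Jan 10 03:14:01 web01 sshd[2011]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Jan 10 03:14:03 web01 sshd[2013]: Failed password for invalid user test from 198.51.100.23 port 51024 ssh2
Jan 10 03:14:05 web01 sshd[2015]: Failed password for root from 198.51.100.23 port 51030 ssh2
Jan 10 03:14:06 web01 sshd[2017]: Failed password for root from 198.51.100.23 port 51031 ssh2
Jan 10 03:14:09 web01 sshd[2019]: Failed password for alice from 198.51.100.23 port 51040 ssh2
Jan 10 03:14:12 web01 sshd[2021]: Accepted password for alice from 198.51.100.23 port 51041 ssh2
Jan 10 03:20:00 web01 sshd[2100]: Failed password for bob from 10.0.0.8 port 40001 ssh2
Jan 10 03:25:00 web01 sshd[2101]: Accepted password for bob from 10.0.0.8 port 40002 ssh2
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")

def parse(line, year=2024):
    """Return (timestamp, outcome, user, source ip), or None for lines this detector does not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    return ts, m.group(2), m.group(3), m.group(4)

def detect(log, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window detector: a burst of failures from one source, and any
    success from that source while the burst is still inside the window."""
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    alerts = []
    for line in log.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, outcome, user, src = ev
        q = recent[src]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            if len(q) == threshold:      # fire once, when the burst crosses the threshold
                alerts.append(("brute_force", src, user))
        elif len(q) >= threshold:        # Accepted right after a burst: guessed or stolen password
            alerts.append(("success_after_burst", src, user))
    return alerts
```

Running `detect(AUTH_LOG)` yields two alerts for 198.51.100.23 and none for 10.0.0.8, whose single failure followed by a success is ordinary user behaviour.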
The assessment phase allows defenders to determine the best way to address an indicator of compromise. During this phase, organizations can use various tools and techniques to gather more information about the potential threat, including:
- Malware analysis: If malicious software is suspected to be involved in the incident, organizations can use specialized tools to analyze the malware and determine its capabilities and intended effects.
- Network traffic analysis: By analyzing network traffic patterns, it is possible to determine the scope and nature of the potential threat. This can involve reviewing log files or using specialized tools to visualize traffic patterns.
- System analysis: Organizations can examine system files and configurations to determine if there has been any unauthorized access or changes. This can help organizations identify the extent of the potential compromise.
- Threat intelligence: Organizations can also use external threat intelligence sources to gather more information about the potential threat and its possible origins. This context helps inform more robust network defenses.
The sharing phase involves passing information about detected IoCs to specific individuals and to other organizations or agencies in order to coordinate a response and help prevent future attacks.
There are several reasons why sharing IoCs is important:
- To improve cybersecurity: By sharing IoCs, an organization can help others protect against similar attacks and improve their overall cybersecurity posture.
- To identify trends or patterns: Specific individuals and external contributors can identify trends or patterns in attacks that may not be immediately apparent. This can help organizations better understand the motivations and tactics of threat actors and develop more effective countermeasures.
- To aid in investigations: Sharing IoC information can also help law enforcement agencies investigate and prosecute cybercriminals.
The deployment phase typically involves deploying a range of security controls and implementing a defense-in-depth approach to security. Defense-in-depth is a security strategy that involves using multiple layers of security controls to protect against threats. It is based on the idea that no single control or defense is foolproof, and that a layered approach can provide a more robust level of protection.
Some examples of security controls that might be deployed as part of a defense-in-depth strategy include firewalls, access controls, encryption, and intrusion detection and prevention systems.
Detection and Response
This phase involves continuously monitoring for potential security threats and responding to them in a timely manner. Organizations typically use multiple tools and techniques to detect potential IoCs, such as monitoring system logs, analyzing network traffic patterns, and running security scans.
When a potential IoC is detected, organizations typically follow a set of defined procedures for responding to the threat. These procedures may include:
- Isolating the affected system or network: This can help prevent the spread of the threat to other systems or networks.
- Implementing countermeasures: Organizations can decide on an appropriate response to the threat, such as blocking suspicious network traffic, quarantining infected systems, or taking other corrective actions.
- Communicating the incident: Organizations may also need to inform relevant parties, such as employees, customers, or regulatory agencies, about the incident and any actions that are being taken to address it.
End of Life
The end of life of an indicator of compromise refers to the point at which the IoC is no longer relevant or useful for detecting or responding to security threats. This can occur for a variety of reasons, such as when a threat has been successfully mitigated or when the IoC is no longer accurate or effective.
There are a few key factors that can impact the end of life of an IoC, including:
- Changes in technology: As technology evolves, older IoCs may become less relevant or effective. For example, an IoC that is based on an outdated system configuration or software version may no longer be useful.
- Changes in threat landscape: The types of threats that organizations face can also change over time. As a result, some IoCs may become less useful as they are no longer indicative of the types of threats that organizations are encountering.
- Changes in an organization’s security posture: As an organization’s security posture improves, some IoCs may become redundant or unnecessary. For example, if an organization implements additional security controls or changes its network architecture, certain IoCs may no longer be applicable.
Indicators of Compromise in Kubernetes
Kubernetes is the world’s most popular container orchestrator, and is used by a majority of large enterprises to run many kinds of workloads, including mission critical production workloads. If you use Kubernetes in your organization, it is important to be aware of common IoCs in Kubernetes environments.
Spikes in Container Memory or CPU
Container memory and CPU spikes are common symptoms of hijacked Kubernetes resources. Resource hijacking is a popular attack technique in which the attacker gains access to the target’s computing resources and uses them to execute malicious actions.
Usually, these attacks consume significant resources—for example, attackers might hijack resources to mine cryptocurrencies. Cryptocurrencies require resource-intensive computations to process network transactions. Attackers can hijack Kubernetes clusters to set up an environment to perform crypto mining using containers.
Attachment to Cluster-Admin Roles
Attackers often attach themselves to cluster-admin roles to escalate privileges within a Kubernetes cluster. Sophisticated attacks on Kubernetes environments often begin with some form of privilege escalation, followed by a string of malicious commands or further lateral movement across the network.
Topology maps help to identify this IoC by revealing, across the whole Kubernetes environment, whether in the cloud or on-premises, the average number of images running with root privileges.
Unusual User Activity
Unusual user activity is a common indicator of compromise in Kubernetes, revealing attackers early in the attack process. Some atypical user activity consists of legitimate actions, such as administrators opening shells in containers to troubleshoot issues. However, abnormal interactive activity is inherently suspicious, often indicating a malicious actor.
One way to mitigate malicious activity is to regularly check the course of user actions in Kubernetes and determine whether they match specific malicious behavioral patterns. Understanding user behavior also helps reduce false positives.
Unexpected Processes
Containerized environments have certain security benefits, one of which is that the set of processes expected to run in a container is small and well known. Therefore, unknown or unexpected processes can indicate that an attacker is attempting to execute malicious commands or move laterally within the network.
Identifying this IoC requires granular visibility into container runtimes and runtime protection measures. It is easy to define the processes expected to run in each container, either automatically or manually (for instance, by profiling container images). Once the organization has defined the list of expected processes, it can specify runtime policies that detect any unauthorized binary executing in a container.
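The expected-process policy just described, together with the point made under Unusual User Activity that an administrator's troubleshooting shell is plausible while a shell spawned by the workload itself is not, as an added example (not code from the original article or any product). The per-image profiles, image names, pod names and process-start events are constructed; the `exec_session` field is an assumed attribute a runtime sensor would set for processes started through an interactive session such as `kubectl exec`.

```python
# Added example, not from the original article or any product: compare process-start
# events from containers against an allowlist of binaries each image is expected to
# run. Profiles, image names and events are constructed; a real deployment would
# take the events from a runtime sensor and the profiles from image profiling.

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/bash"}

# Assumed per-image profile of expected binaries (as produced by profiling the image).
PROFILE = {
    "registry.example/web:1.25": {"/usr/sbin/nginx"},
    "registry.example/api:3.2": {"/usr/local/bin/python3", "/usr/local/bin/gunicorn"},
}

# Constructed process-start events: exec_session is True when the process was started
# through an interactive session such as `kubectl exec`, False when the workload spawned it.
EVENTS = [
    {"pod": "web-7c9d", "image": "registry.example/web:1.25", "exe": "/usr/sbin/nginx", "parent": "runc", "exec_session": False},
    {"pod": "web-7c9d", "image": "registry.example/web:1.25", "exe": "/bin/sh", "parent": "nginx", "exec_session": False},
    {"pod": "api-51ab", "image": "registry.example/api:3.2", "exe": "/bin/bash", "parent": "runc", "exec_session": True},
    {"pod": "api-51ab", "image": "registry.example/api:3.2", "exe": "/tmp/.x/kworker", "parent": "bash", "exec_session": True},
    {"pod": "job-0f3e", "image": "registry.example/batch:0.9", "exe": "/app/run", "parent": "runc", "exec_session": False},
]

def evaluate(event, profile=PROFILE):
    """Classify one event as ('allow'|'review'|'alert', reason)."""
    allowed = profile.get(event["image"])
    if allowed is None:
        return "review", "image has no process profile; profile it before enforcing"
    if event["exe"] in allowed:
        return "allow", "expected binary for this image"
    if event["exe"] in SHELLS:
        if event["exec_session"]:
            # An operator troubleshooting via exec is plausible but still worth a look.
            return "review", "interactive shell via exec session; confirm the operator"
        return "alert", f"shell spawned by {event['parent']} with no exec session"
    return "alert", "binary not in the image's profile"

def triage(events, profile=PROFILE):
    """Run every event through the policy, keeping pod and binary for the report."""
    return [(e["pod"], e["exe"], *evaluate(e, profile)) for e in events]

if __name__ == "__main__":
    for pod, exe, verdict, reason in triage(EVENTS):
        print(f"{verdict:6} {pod:9} {exe:22} {reason}")
```

Images without a profile are returned as "review" rather than "alert" so that an incomplete profile set does not flood the team with false positives.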
Unexpected File System Changes
Unexpected changes in the directory or file system could indicate that attackers are running malicious code. Cybersecurity teams must use file integrity monitoring (FIM) to identify this type of compromise.
Attackers often leave signs of tampering with the host in configurations and system files. Identifying changes in these files allows organizations to identify system compromises quickly.
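A minimal file integrity monitor of the kind described above, as an added example (not code from the original article): it hashes every file under a directory, keeps the digests as a known-good baseline, and reports files that were later added, removed or modified. The directory tree and the simulated tampering are constructed inside `demo()`; the file names only imitate real configuration files.

```python
# Added example, not from the original article: a minimal file integrity check that
# hashes every file under a directory, stores the digests as a baseline and later
# reports files that were added, removed or modified. The directory tree and the
# tampering are constructed inside demo(); a real FIM would baseline the host's
# real config and binary directories and keep the baseline off-host.
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):  # stream large files
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests

def compare(baseline, current):
    """Classify differences between a trusted baseline and a fresh snapshot."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline a small config tree, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "crontab").write_text("0 3 * * * root /usr/local/bin/backup\n")
        (etc / "motd").write_text("welcome\n")
        baseline = snapshot(tmp)  # taken while the host is known-good
        # Simulated tampering: a weakened sshd setting, a new cron entry, a deleted file.
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "update").write_text("* * * * * root /tmp/.update\n")
        (etc / "motd").unlink()
        return compare(baseline, snapshot(tmp))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

A baseline stored on the same host can be altered along with the files it protects, which is why the comment in `demo()` points to keeping it off-host.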
IoC Security: Detection and Response
Managed security providers and cybersecurity teams need to keep track of IoCs to help accelerate their response to suspected threats. Security experts can use IoCs and dynamic malware threat analysis to identify security breaches and address them immediately.
IoC monitoring allows organizations to minimize the damage incurred during an attack. Security teams use system compromise assessments to prepare for specific cybersecurity threats affecting an organization. This threat response approach is reactive, relying on actionable indicators of compromise to prompt remediation efforts.
However, identifying threats early on is crucial for blocking major attacks like ransomware that can cripple a business—the time it takes to respond determines whether the attack is a mere nuisance or a disaster.
An IoC security approach requires monitoring and investigation tools. IoCs are a reactive security resource, but they form a critical part of an organization’s overall security posture. Effective IoC security ensures that attacks don’t go undetected.