What Are Indicators of Compromise (IoC)?
An indicator of compromise (IoC) is a piece of information indicating that a cyberattack may have breached an IT system. IoCs provide important knowledge about potential data breaches, allowing security teams to investigate incidents.
Typically, a computer security incident response team (CSIRT) uses IoCs to detect malware threats, implement sandbox security, and evaluate the accuracy of heuristic analysis. Indicators of compromise also help identify, prevent, or block attacks, reducing the damage to an organization.
How Can You Recognize the Indicators?
Various events can indicate a security breach, including unusual network patterns, account activity, unknown files, and inexplicable configuration changes:
- Outbound traffic anomalies—cybersecurity analysts and system administrators can learn about potential breaches by tracking outbound network traffic. For example, installed spyware could be communicating with a command-and-control server or exfiltrating sensitive data. Traffic monitoring and intrusion detection tools can alert the security team to unusual network events.
- User account anomalies—attackers often exploit compromised user accounts to escalate privileges. Unauthorized users can gain access to privileged accounts using phishing and other social engineering techniques. If an organization doesn’t have a defense-in-depth strategy or strong access control measures based on the principle of least privilege, compromised accounts can easily lead to escalation attacks.
- Database anomalies—most companies store sensitive data in databases, making them an attractive target for malicious actors. If there is a spike in the database read volume, it might indicate that an attacker is trying to compromise the data.
- Geographical anomalies—traffic anomalies are not limited to spikes in bandwidth usage. If traffic originates from an unusual location, it could indicate malicious activity.
- Unauthorized registry changes—some malware can make registry changes. Establishing a baseline for the registry and system files can help identify suspicious changes associated with a malware infection.
- Leaked credentials—attackers can use stolen or leaked login credentials to launch cyberattacks. Monitoring for leaked credentials is important for identifying compromises.
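As an added illustration (not code from the original article), the following Python sketch checks two of the categories above, outbound traffic volume and geographic origin, against a per-host baseline. The hosts, byte counts and countries are constructed sample data; the z-score threshold is an assumed tuning value.

```python
import statistics
from typing import Dict, List, Set, Tuple

# Constructed sample data: per-host daily outbound byte counts captured during a
# known-good baseline week, plus the destination countries seen in that week.
BASELINE: Dict[str, List[int]] = {
    "web-01": [1_200_000, 1_350_000, 1_100_000, 1_280_000, 1_220_000, 1_300_000, 1_190_000],
    "db-01":  [40_000, 38_000, 45_000, 41_000, 39_000, 42_000, 44_000],
}
KNOWN_COUNTRIES: Dict[str, Set[str]] = {"web-01": {"US", "DE"}, "db-01": {"US"}}

# Constructed observations for today: (host, outbound_bytes, destination_country).
TODAY: List[Tuple[str, int, str]] = [
    ("web-01", 1_310_000, "US"),   # within the normal range
    ("db-01", 2_500_000, "US"),    # ~60x the baseline: possible exfiltration
    ("web-01", 1_250_000, "RU"),   # normal volume, but a never-seen destination
]

def zscore(value: float, history: List[int]) -> float:
    """How many baseline standard deviations 'value' sits from the baseline mean."""
    mean = statistics.mean(history)
    stdev = statistics.pstdev(history)
    if stdev == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev

def find_outbound_anomalies(observations, baseline, known_countries, threshold=3.0):
    """Return (host, reason) tuples for observations that deviate from the baseline."""
    findings = []
    for host, nbytes, country in observations:
        history = baseline.get(host)
        if history is None:
            # A host with no baseline cannot be judged; surface it for triage.
            findings.append((host, "no baseline for host"))
            continue
        z = zscore(nbytes, history)
        if z > threshold:
            findings.append((host, f"outbound volume z-score {z:.1f} exceeds {threshold}"))
        if country not in known_countries.get(host, set()):
            findings.append((host, f"traffic to previously unseen country {country}"))
    return findings
```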
Indicators of Compromise (IoC) vs. Indicators of Attack (IoA)
An indicator of attack (IoA) is similar to an IoC, except that it focuses on detecting malicious activity during a cyberattack rather than relying on forensic analysis after the attack has occurred. IoCs are reactive, helping to explain what happened after the fact. IoAs are part of a more proactive approach that investigates what is happening during an attack.
A robust security strategy leverages both types of indicators to identify threats as early as possible and support effective response measures.
Kubernetes IoC Examples
Kubernetes is the world’s most popular container orchestrator and is used by a majority of large enterprises to run many kinds of workloads, including mission-critical production workloads. If you use Kubernetes in your organization, it is important to be aware of common IoCs in Kubernetes environments.
Spikes in Container Memory or CPU
Container memory and CPU spikes are common symptoms of hijacked Kubernetes resources. Resource hijacking is a popular attack technique in which the attacker gains access to the target’s computing resources and uses them to execute malicious actions.
Usually, these attacks consume significant resources—for example, attackers might hijack resources to mine cryptocurrencies. Cryptocurrencies require resource-intensive computations to process network transactions. Attackers can hijack Kubernetes clusters to set up an environment to perform crypto mining using containers.
Attachment to Cluster-Admin Roles
Hackers often attach to cluster-admin roles to escalate privileges within a Kubernetes cluster. Sophisticated attacks on Kubernetes environments often begin with some form of privilege escalation, followed by a string of malicious commands or further lateral movement across the network.
Topology maps help identify this IoC by showing the proportion of images running with root privileges across the Kubernetes environment, whether it is in the cloud or on-premises.
Unusual User Activity
Unusual user activity is a common indicator of compromise in Kubernetes, revealing attackers early in the attack process. Some atypical user activity consists of legitimate actions, such as administrators opening shells in containers to troubleshoot issues. However, abnormal interactive activity is inherently suspicious, often indicating a malicious actor.
One way to mitigate malicious activity is to regularly check the course of user actions in Kubernetes and determine whether they match specific malicious behavioral patterns. Understanding user behavior also helps reduce false positives.
Unknown or Unexpected Processes
Containerized environments have certain security benefits, including that most binary processes are well known. Therefore, unknown or unexpected processes can indicate that an attacker is attempting to execute malicious commands or move laterally within the network.
Identifying this IoC requires granular visibility into container runtimes and runtime protection measures. It is straightforward to define the processes expected to run in each container, either automatically or manually (for instance, by profiling container images). Once the organization has defined the list of expected processes, it can enforce runtime policies that detect unauthorized binary processes in containers.
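As an added example (not code from the article or from Tracee), here is the allowlist-style runtime policy the paragraph describes, written in Python: each image gets a profile of expected binaries, and process-execution events whose binary is not in the profile are flagged. The image names, container IDs and events are constructed sample data.

```python
from typing import Dict, List, Set

# Constructed process profiles: the binaries each container image is expected
# to execute. In practice these are derived by profiling the image.
EXPECTED_PROCESSES: Dict[str, Set[str]] = {
    "registry.example/shop/web:1.4": {"/usr/sbin/nginx", "/bin/sh"},
    "registry.example/shop/db:12":   {"/usr/lib/postgresql/12/bin/postgres"},
}

# Constructed process-execution events, similar in shape to what a kernel-level
# tracer reports: which container/image executed which binary.
EVENTS: List[dict] = [
    {"container": "web-7f9c", "image": "registry.example/shop/web:1.4", "binary": "/usr/sbin/nginx"},
    {"container": "web-7f9c", "image": "registry.example/shop/web:1.4", "binary": "/tmp/miner"},
    {"container": "db-21ab",  "image": "registry.example/shop/db:12",   "binary": "/usr/bin/curl"},
    {"container": "cache-01", "image": "registry.example/shop/cache:6", "binary": "/usr/bin/redis-server"},
]

def evaluate_runtime_policy(events: List[dict], expected: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per event whose binary is not expected for its image.

    Images without a profile are also surfaced: a policy that silently allows
    everything for unprofiled images would hide exactly the containers an
    attacker is most likely to land in.
    """
    findings = []
    for ev in events:
        allowed = expected.get(ev["image"])
        if allowed is None:
            findings.append({**ev, "reason": "image has no process profile"})
        elif ev["binary"] not in allowed:
            findings.append({**ev, "reason": "binary not in image process profile"})
    return findings
```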
Unexpected File System Changes
Unexpected changes in the directory or file system could indicate that attackers are running malicious code. Cybersecurity teams must use file integrity monitoring (FIM) to identify this type of compromise.
Attackers often leave signs of tampering with the host in configurations and system files. Identifying changes in these files allows organizations to identify system compromises quickly.
IoC Security: Detection and Response
Managed security providers and cybersecurity teams need to keep track of IoCs to help accelerate their response to suspected threats. Security experts can use IoCs and dynamic malware threat analysis to identify security breaches and address them immediately.
IoC monitoring allows organizations to minimize the damage incurred during an attack. Security teams use system compromise assessments to prepare for specific cybersecurity threats affecting an organization. This threat response approach is reactive, relying on actionable indicators of compromise to prompt remediation efforts.
However, identifying threats early on is crucial for blocking major attacks like ransomware that can cripple a business—the time it takes to respond determines whether the attack is a mere nuisance or a disaster.
An IoC security approach requires monitoring and investigation tools. IoCs are a reactive security resource, but they form a critical part of an organization’s overall security posture. Effective IoC security ensures that attacks don’t go undetected.
Detecting Indicators of Compromise with Aqua Cloud Native Detection and Response
Using Tracee, an open source tool that identifies suspicious behavior at runtime, you can detect various indicators of compromise and, specifically, a fileless execution technique. Tracee analyzes events collected at the kernel level in real time using eBPF technology. Its signatures act as behavioral indicators developed by Aqua Nautilus, Aqua’s security research team, which focuses exclusively on cloud native software. See the complete open source signature list here.
Based on thousands of real-world examples, Aqua Nautilus produces new behavioral indicators of attacks, which power the Aqua Cloud Native Detection and Response (CNDR) solution.
We recommend using Aqua Cloud Native Detection and Response (CNDR) to detect indicators of compromise such as fileless malware attacks and to benefit from additional enterprise-grade features. Aqua CNDR is part of the Aqua Platform’s runtime capabilities and is built on top of Tracee, with a larger database of behavioral indicators, a comprehensive and easy-to-use interface, and enterprise-level support. For example, Tracee ships with more than 10 default rules, while Aqua CNDR lets you take advantage of 100+ security signatures.