Identifying a Breach: Finding Indicators of Compromise (IOC)

Andrew Douthwaite

July 19, 2021

Last updated August 19, 2022

Summary:

  • Cybersecurity breaches (such as malware, phishing, and DDoS attacks) can cost organizations millions and damage their reputation beyond repair.
  • In addition to having a cybersecurity incident response plan and investing in employee cybersecurity training, organizations should routinely monitor their networks for IoCs and IoAs.
  • An IoC (indicator of compromise) is a piece of forensic data that might point to malicious activity on a network or system. IoCs might include system log entries, files, unexpected logins, or snippets of code.
  • An IoC points to a breach that has already occurred, while an IoA (indicator of attack) points to a breach in progress.
  • Common IoCs and IoAs include unusual outbound network traffic, geographic anomalies, login irregularities, unusual levels of traffic or file requests, suspiciously timed network activity, configuration changes, and more.

Cybersecurity is more important than ever. According to Government Technology, although 2020 saw an overall decline in the number of breach events, the number of breached records grew dramatically, and the number of ransomware attacks doubled between 2019 and 2020.

These troubling trends demonstrate why a robust yet adaptable cybersecurity stance is critical for all organizations, regardless of size or vertical. But how do you know if your organization has experienced a breach? In this article, we will discuss common types of cybersecurity breaches, and red flags you should look for that may indicate a breach has occurred.

If you have experienced, or are currently experiencing, a cybersecurity breach, please call our team immediately and consider reviewing our guide: Hacked? Here’s What to Know (& What to Do Next).

What Constitutes a Breach?

A security breach is like a break-in, but instead of breaking into your house or business, attackers break into your digital systems to steal personal information or sensitive documents, or to damage your network. There are, however, steps you can take to safeguard your digital assets, which include:

  1. Creating a cybersecurity incident response plan, reviewing it regularly, and updating it as necessary. Having a plan in place is critical because it allows you to respond quickly and lays out, in advance, who needs to do what should an incident occur.
  2. Investing in employee cybersecurity training. Even the best cybersecurity incident response plan is effectively useless if your team doesn’t understand why security is important, what role they play in it, and how to respond should an incident occur. All new hires should undergo training, and all employees, from the CEO down, should receive regular refresher training.
  3. Regularly monitoring your network for suspicious activities. These suspicious activities, called IOCs or indicators of compromise, are discussed in depth later in this article.

Breaches Have Wide-Reaching Consequences

Breaches cause more than headaches: to address the situation, you will likely need to pull critical personnel from other projects, hindering productivity and severely impacting your daily business activities. Depending on what data is stolen or what systems are compromised, you may also suffer financial damages in the form of regulatory fines or even lawsuits.

A poorly handled breach can cause permanent damage to your organization’s reputation by eroding consumer trust.

Recent large-scale breaches include the Yahoo breach of 2014, the Equifax breach of 2017, and the Facebook security breach of 2019. Facebook is currently facing a class-action lawsuit, while the FTC and Equifax reached a global settlement that includes as much as $425 million to help individuals impacted by the breach. Yahoo faces paying into a settlement fund of $117,500,000 for affected individuals, provided as two years of credit monitoring or, for individuals who already have credit monitoring in place, a cash payment.

Common Types of Cybersecurity Breaches

Malware (Including Ransomware, Viruses, & Spyware)

Many cybercriminals rely on malware (malicious software) to infiltrate protected networks. The malware is often delivered via email, or by tricking unsuspecting employees into downloading corrupted files from compromised or malicious websites.

For example, an employee receives an email with an attachment that infects your network when the file is opened, or visits a compromised site and downloads the file directly. Once one computer is infected, the malware will likely spread to other areas of your network, sending sensitive data back to the attacker, laying the groundwork for a larger attack, or damaging your digital infrastructure.

Phishing Attacks

Phishing attacks are designed to trick potential victims into believing they are talking with someone they trust (such as a colleague, their bank, or another trusted individual or institution) so that they hand over sensitive information (such as credit card numbers, usernames, or passwords), grant the sender access to restricted areas of the network, or download malware.

For example, an employee might receive an email from someone pretending to work in your IT department asking them to reset their username and password, or from “their boss” requesting confidential files, or from “your company’s bank” warning that it has detected suspicious activity on a company credit card or bank account and asking the recipient to click a link in the email to log in and review the flagged transactions.

In all three scenarios, criminals pose as trusted individuals, or as people working on behalf of trusted institutions, in order to trick unsuspecting email recipients.

We discuss phishing attacks, and what you can do to avoid them, in our in-depth article: Don’t Let Phishing Scams Catch You Unaware.

DDoS (Distributed Denial of Service) Attacks

DDoS attacks are designed to crash websites, preventing legitimate users from visiting them. Attackers do this by flooding websites with traffic, either by working with other attackers or by using bots (programs written to perform repetitive tasks) to hammer the server hosting the website with requests.

DDoS attacks are considered security breaches because they can overwhelm your organization’s security defenses and severely curtail your ability to conduct business. Common targets include financial institutions and government bodies, and motivations range from activism to revenge to extortion.

To learn more about hackers, who they are, and why they do what they do, please consider reading our article: The Modern Hacker: Who They Are, Where They Live, & What They’re After.

What are Indicators of Compromise (IOC)?

IOCs are pieces of forensic data, such as system log entries or files, that identify potentially malicious activity on a network or system. Like ink-stained fingers or an errant muddy footprint in a Sherlock Holmes story, IOCs are clues that help security and IT professionals detect data breaches, malware infections, and other suspicious activity.

By looking for IOCs regularly, organizations can detect breaches as soon as possible and respond swiftly, limiting or even preventing damage by stopping attacks in their earliest stages.

However, IOCs are not always easy to detect: they range from something as plain as an unexpected login to something as subtle as a snippet of malicious code. Cybersecurity and IT analysts usually look at a range of IOCs when trying to determine whether a breach occurred, examining how the different IOCs fit together to reveal the whole picture.

IOCs vs IOAs

IOAs (indicators of attack) are similar to IOCs, but instead of focusing on the forensic side of a compromise that has already occurred, these clues aim to identify attacker activity while the breach is in progress.

A proactive approach to security relies on both IOCs and IOAs to uncover threats, or potential threats, in as close to real time as possible.

Common IOCs and IOAs

There are many IOCs and IOAs that IT and security analysts look for, but some of the most common include:

  1. Unusual outbound network traffic. This could indicate someone is moving sensitive files off the network.
  2. Anomalies in privileged user accounts. A common tactic used by attackers is to either escalate privileges on accounts they have already compromised or use compromised accounts as gateways to more privileged accounts. By monitoring accounts with access to sensitive areas of your network, analysts can look out for signs of insider attacks or account takeover attacks.
  3. Geographic irregularities. If an employee logs out of their account from an IP address in Chicago, then immediately logs back in from New York, that is a huge red flag. Analysts also look for traffic to and from countries that your organization doesn’t have business dealings with.
  4. General login irregularities. Multiple failed login attempts, or failed login attempts for accounts that don’t exist, are both huge red flags. Analysts also look for irregular login patterns, such as employees logging in well after work hours and attempting to access files they aren’t authorized for, which likely indicates the account credentials have been compromised.
  5. Unusually high database read volume. If an account is attempting to download and read your entire personnel or credit card database, that likely means an attacker is attempting to access those sensitive files.
  6. A large number of requests for the same file. Breaches rely heavily on trial and error, so a large number of repeated requests for the same file (such as the credit card database mentioned earlier) may indicate an attacker is testing a variety of strategies in an attempt to gain access.
  7. Suspicious configuration changes. Changes to the configuration of files, servers, and devices may indicate an attacker is attempting to set up a network backdoor or introduce vulnerabilities to aid a later malware attack.
  8. Flooding a specific site or location with traffic. Many attackers rely on bots for a variety of tasks and may recruit compromised devices on your network to do their dirty work. A high level of traffic from a number of devices targeting a specific IP address may indicate those devices have been compromised.
  9. Suspiciously timed web traffic. Even the fastest typists can only type so fast, so if logs indicate that someone is trying thousands of username and password combinations a second, chances are an attacker is attempting to break into your network using a brute force attack.
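As an added illustration (not code from the article or from VirtualArmour), the following Python script runs the login-related checks from the list above over a constructed sample of authentication log lines: failed logins for accounts that do not exist, a burst of failures typical of brute forcing, a successful login well outside work hours, and the Chicago-then-New-York geographic irregularity. The log format, account list, work hours and thresholds are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
# Constructed sample log in a hypothetical format (not taken from the article):
# "<date> <time> user=<name> result=<success|fail> city=<geo-IP city>"
SAMPLE_LOG = """\
2021-07-19 02:14:05 user=alice result=success city=Chicago
2021-07-19 02:20:00 user=alice result=success city=New York
2021-07-19 09:30:00 user=bob result=success city=Denver
2021-07-19 09:30:01 user=admin result=fail city=Denver
2021-07-19 09:30:01 user=root result=fail city=Denver
2021-07-19 09:30:02 user=bob result=fail city=Denver
2021-07-19 09:30:02 user=bob result=fail city=Denver
2021-07-19 09:30:03 user=bob result=fail city=Denver
"""
LINE = re.compile(r"^(\S+ \S+) user=(\S+) result=(\w+) city=(.+)$")
KNOWN_USERS = {"alice", "bob", "carol"}       # assumed directory of real accounts
WORK_HOURS = range(8, 18)                      # assumed business hours, 08:00-17:59
TRAVEL_WINDOW = timedelta(minutes=30)          # two cities inside this window = red flag
BRUTE_WINDOW, BRUTE_THRESHOLD = timedelta(seconds=10), 5  # failures per window

def parse(lines):
    """Turn raw log lines into (timestamp, user, result, city) tuples."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_iocs(events):
    """Return (rule, detail) flags for the login-related IOCs in the article's list."""
    flags, recent_fails, last_ok = [], [], {}
    for ts, user, result, city in sorted(events):
        if result == "fail":
            if user not in KNOWN_USERS:            # failed login for an account that doesn't exist
                flags.append(("nonexistent-account", f"{user} from {city}"))
            recent_fails = [t for t in recent_fails if ts - t <= BRUTE_WINDOW] + [ts]
            if len(recent_fails) == BRUTE_THRESHOLD:  # flag once when the burst crosses the threshold
                flags.append(("brute-force", f"{BRUTE_THRESHOLD} failures within {BRUTE_WINDOW.seconds}s"))
            continue
        if ts.hour not in WORK_HOURS:               # successful login well outside work hours
            flags.append(("after-hours-login", f"{user} at {ts:%H:%M}"))
        prev = last_ok.get(user)                    # geographic irregularity: Chicago, then New York
        if prev and prev[1] != city and ts - prev[0] <= TRAVEL_WINDOW:
            flags.append(("impossible-travel", f"{user}: {prev[1]} -> {city}"))
        last_ok[user] = (ts, city)
    return flags

if __name__ == "__main__":
    print(find_iocs(parse(SAMPLE_LOG.splitlines())))
```

In a real deployment the thresholds would be tuned per environment, and the same checks would run over the authentication source's native log format rather than this constructed one.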

These are just some of the most common IOAs and IOCs that security and IT analysts use to look for signs of suspicious activity.

By monitoring your infrastructure and firewalls 24/7/365 for signs of a potential breach, and keeping a watchful eye on your endpoints, you can gather the information you need quickly and respond to potential incidents as soon as possible. To help keep your network secure, VirtualArmour offers a variety of managed and consulting services and has extensive experience working with organizations in a variety of industries, including, but not limited to, healthcare, finance, retail, energy, and service providers.

To learn more about how our experienced security analysts use IOCs, or to get started improving your security posture, please contact our team today.
