As organizations move to cloud-first or cloud-only strategies, they increase the number of data access points. Digital transformation increases customer engagement, reduces operational costs, and allows for organizations to scale. Simultaneously, these strategies increase your company’s threat landscape. More devices, Software-as-a-Service (SaaS) applications, and cloud assets also mean more potential attack vectors. In today’s connected world, data breaches are no longer an issue of “if,” they are a concern of “when.” To mitigate a data breach’s negative impact, you need to know the indicators of a compromise so you can respond more rapidly.
What are “indicators of a compromise”?
Indicators of a compromise (IoC) are the data collected that cybersecurity and IT professionals use as forensic evidence to identify, remediate, and respond to data breaches. While IoCs provide evidence over a data breach that already occurred, they also help organizations prepare strategies for preventing future attacks.
For example, malicious actors rarely create entirely new malware. In general, they take a pre-existing malware program, update it with a tweak here or there, and redeploy this as a “new attack.” However, these evolutions still follow the same basic behavioral patterns as their precursors. Thus, security researchers using IoCs can leverage the original malware programs’ techniques and behaviors to detect the “new” malware earlier, reducing the time it takes to identify and respond.
How do you identify an indicator of a compromise?
Often, identifying IoCs is difficult. Since most malicious activities hide as background programs, the digital artifacts they leave behind, or even don’t leave behind, often hide in complex system logs. For example, one malware downloaded a variety of components to devices and incorporated code that weakens security systems by preventing version updates, ultimately leaving the devices unpatched.
Identifying the IoCs can be done in a variety of ways. Security researchers look for social media posts, such as on websites like Reddit, for malicious actors detailing their strategies. They can apply technologies such as honeypots which are security mechanisms used to detect malicious activity. They can also look at organizational system logs, such as user access or network logs, for abnormal activity like a user logging in from an anomalous geographic location.
What types of anomalies indicate a compromised system?
Anomalies indicating a compromise can come in a variety of forms. As part of creating your cybersecurity program, you need to have an understanding of “usual” user, network, and application behaviors so that you can identify activities that fall outside normal business operations. As part of that process, you need to know who uses your devices and networks, how they engage with them, and what type of activity deviates from standard use. A few examples of common IoCs are listed below.
Traffic in and out of network
Malicious actors don’t just enter your network quietly. Cyber attacks intend to exfiltrate data, or remove it from its storage location. Therefore, monitoring for unusual traffic patterns leaving a network is a primary indicator of a compromise. Compromised systems often “talk” to the command and control servers that provide commands to infected devices.
Privileged account behavior
Privileged accounts, such as system administrator accounts, have more access to systems, networks, and software because they need to provide services such as software updates. Since they can access almost all digital locations, malicious actors target these accounts so that they can exfiltrate data without being noticed. A privileged account accessing sensitive information from an anomalous location or at an anomalous time is another indication of compromise.
Database read volume
Database volume is the amount of data stored on a hosted server. When looking for valuable information, malicious actors access databases and scan them for nonpublic personally identifiable information. As they do this, swells in the database read volume occur. One way to track database read volume is to enable database auditing and ensure that you can detect and document any changes to database objects, including who changes, deletes, adds, or reads a file.
Mismatched port-application traffic
A port number is the unique identifier of a network-based application on a computer used to communicate with the network or internet, similar to the user ID and login information that human users have. The operating system normally assigns these numbers to the application, but when malicious actors gain access to systems, networks, and software through a SQL attack, they often change the port numbers. To monitor for mismatched port-application traffic, you can search your HTTP protocol records and cross reference that with the MITRE ATT&CK uncommonly used port list.
Why automating monitoring strengthens security posture
Monitoring for indicators of a compromise can be both time consuming and prone to human error risk. The number of logs required and the number of places that security staff need to monitor these logs becomes burdensome, especially as organizations scale their digital footprints.
Automation can streamline the process reducing the time it takes to identify an IoC. The more rapidly an organization can identify a potential compromise, the less time malicious actors spend inside the network and the less information they can exfiltrate.
As part of creating a robust security posture, organizations increasingly adopt artificial intelligence (AI) and machine learning (ML) tools that can scan networks, systems, and software for irregularities. These tools then surface anomalies, reducing the noise and ensuring greater governance over the IT ecosystem.
SecurityScorecard alerts customers to IoCs
SecurityScorecard’s security ratings platform continuously monitors your systems, software, and networks for the types of irregularities that indicate a compromise. Our platform scans your ecosystem across ten risk factors looking for potential control weaknesses, such as port misconfigurations and database vulnerabilities, so that you can proactively secure information.
Our easy-to-read A-F scoring system gives you an overview of your organization’s security posture while also providing in-depth reporting for each of the ten risk factor groups. Our platform reduces the noise associated with false positives so that your security team can prioritize their efforts and address the largest risks facing your organization.