
Indicators of Compromise: Threat Hunting’s Digital Bread Crumbs

It’s no secret that the world is more interconnected via the global network than ever before. As cyberspace continues to expand and evolve, cyberattacks have unfortunately expanded and evolved with it. Cybercrime Magazine estimated that cybercrime inflicted damages of over $6 trillion USD worldwide in 2021. It is therefore more important than ever that organizations invest in optimizing their cyber threat hunting methods and leverage Indicators of Compromise (IoCs) to prevent costly attacks.

What is an Indicator of Compromise?

An attacker’s goal is to infiltrate the chosen or assigned target without being detected. Even so, an attack usually leaves traces that differ from the normal traffic on large government or telco networks. These characteristics are classified as Indicators of Compromise (IoCs), and IoCs have been a vital information source for security teams for quite some time. Some examples of specific information that can be used as an Indicator of Compromise include:

  • IP addresses
  • Digital footprints or identifiers that give a clue about the attacker’s identity or method
  • Malicious code injections or software programs
  • Hash digests (e.g., MD5, SHA-1 or SHA-256 values, rendered as fixed-length hexadecimal strings) of files associated with known threats
  • URLs and domain names

How Do Indicators of Compromise Work?

IoCs are traces of attacker activity that can be collected from flow data (NetFlow, IPFIX or Zeek logs) or from log files for further investigation. They are often referred to as “forensic data” because security teams use them to trace abnormal activity back to the raw packets via their visibility fabric. This forensic data can be used to block known-bad infrastructure before an attack succeeds, or to signal that an attack is in progress and needs to be addressed. One caveat a practitioner should keep in mind: IP addresses, domain names and file hashes are atomic indicators that an attacker can rotate cheaply, so they are most effective at catching reuse of known infrastructure and tooling rather than a novel attack.
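As an added example (not code from the original article or from NetQuest), the following Python shows what matching an indicator list against flow and log records looks like in practice. The indicators and the Zeek-style conn, dns and files records are constructed for the example: the IPs are from the documentation ranges, the domains use the reserved `.example` TLD, and the hash is simply SHA-256("test"), none of which is real threat intelligence. A real deployment would load the indicator sets from a feed (STIX/TAXII, MISP or a CSV export) instead of hard-coding them.

```python
from dataclasses import dataclass

# Constructed indicator sets (documentation values, not real threat intel).
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_DOMAINS = {"update-check.example", "cdn-files.example"}
IOC_HASHES = {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}

# Constructed records in the shape of Zeek conn.log / dns.log / files.log
# lines (tab-separated, reduced to the fields the matcher needs).
CONN_LINES = """\
1700000000.1\t10.0.0.5\t52311\t203.0.113.45\t443\ttcp
1700000001.4\t10.0.0.9\t40110\t192.0.2.10\t443\ttcp
"""
DNS_LINES = """\
1700000002.0\t10.0.0.5\tevil.update-check.example.
1700000003.0\t10.0.0.7\twww.example.com
"""
FILES_LINES = """\
1700000004.0\t10.0.0.9\t9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08
"""


@dataclass(frozen=True)
class Hit:
    ts: float        # epoch seconds from the record
    host: str        # the internal host involved
    kind: str        # "ip", "domain" or "sha256"
    indicator: str   # the indicator that matched


def match_conn(lines):
    """Match the remote side of each connection against IOC_IPS (both directions)."""
    hits = []
    for line in lines.splitlines():
        ts, src, _sport, dst, _dport, _proto = line.split("\t")
        for local, remote in ((src, dst), (dst, src)):
            if remote in IOC_IPS:
                hits.append(Hit(float(ts), local, "ip", remote))
    return hits


def match_dns(lines):
    """Match a query and each of its parent domains, so a subdomain of a
    listed domain also hits; the bare TLD is never tested."""
    hits = []
    for line in lines.splitlines():
        ts, host, query = line.split("\t")
        labels = query.rstrip(".").lower().split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in IOC_DOMAINS:
                hits.append(Hit(float(ts), host, "domain", candidate))
                break
    return hits


def match_files(lines):
    """Match transferred-file hashes case-insensitively against IOC_HASHES."""
    hits = []
    for line in lines.splitlines():
        ts, host, sha256 = line.split("\t")
        if sha256.lower() in IOC_HASHES:
            hits.append(Hit(float(ts), host, "sha256", sha256.lower()))
    return hits


def scan_all():
    """Run every matcher over the sample records and return hits in time order."""
    hits = match_conn(CONN_LINES) + match_dns(DNS_LINES) + match_files(FILES_LINES)
    return sorted(hits, key=lambda h: h.ts)


if __name__ == "__main__":
    for hit in scan_all():
        print(hit)
```

Matching parent domains and normalising hash case are the two details that most often cause misses when this is done naively; the trailing dot on the DNS query is another one, which is why the query is stripped before splitting.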

Hence, Indicators of Compromise are markers that indicate your network may have been compromised. Everyday examples help to make this concrete. A notification about a login attempt on your account from an unknown device is an IoC. Slow network connectivity and slow web page loading (typically measured as latency between packets within a flow) can be a symptom of compromise, for instance a host busy sending traffic on an attacker’s behalf, although on their own they are weak indicators that need corroboration. For this article, we will focus on IoCs in the context of large networks that support critical infrastructure for entities such as government agencies and telco service providers.

Example IoCs Based on the Type of Cyber Attack

Each cyber attack may function differently, but Indicators of Compromise can be identified for almost any type of attack. Here are some examples of attacks that produce IoCs.

Malware

Malware is malicious code, such as viruses, ransomware and worms, that disrupts networks, servers and client devices. Its purpose is to gain unauthorized access to a system, leak or steal sensitive information, or cause partial or total service disruption. Malware often carries common attributes (the hash of its file, the URL it was downloaded from, the addresses it calls home to) that can be spotted as it enters a network; these attributes are its IoCs.

Botnet Campaigns

A ‘botnet’ (short for ‘robot network’) is a collection of compromised, network-connected devices that act as a swarm. Unlike earlier malware, where each infected device acted on its own, a botnet is centrally coordinated by a bot-herder through a Command and Control (C2) server. A botnet can grow to thousands of infected devices without obvious evidence of its existence. Characteristics of the C2 communication, such as the destination addresses, the regular interval at which bots check in (“beaconing”) and the TLS fingerprint of the bot’s client library, can be used as IoCs to spot the same activity on other infected devices.
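To make the beaconing point concrete, here is an added example (not code from the article) that looks for the regular call-home rhythm of a bot in flow records. It groups connections by (source, destination, port) and flags pairs whose inter-arrival times are unusually regular, measured by the coefficient of variation (standard deviation divided by mean). The flow records are constructed: one host checks in with a documentation-range address every 60 seconds with a second or two of jitter, the other browses a site at irregular times.

```python
import statistics
from collections import defaultdict

# Constructed flow records: (epoch seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 beacons to 203.0.113.45 roughly every 60 s; 10.0.0.9 is ordinary browsing.
FLOWS = [
    (1700000000, "10.0.0.5", "203.0.113.45", 443),
    (1700000060, "10.0.0.5", "203.0.113.45", 443),
    (1700000121, "10.0.0.5", "203.0.113.45", 443),
    (1700000180, "10.0.0.5", "203.0.113.45", 443),
    (1700000241, "10.0.0.5", "203.0.113.45", 443),
    (1700000300, "10.0.0.5", "203.0.113.45", 443),
    (1700000003, "10.0.0.9", "192.0.2.10", 443),
    (1700000010, "10.0.0.9", "192.0.2.10", 443),
    (1700000200, "10.0.0.9", "192.0.2.10", 443),
    (1700000230, "10.0.0.9", "192.0.2.10", 443),
    (1700000231, "10.0.0.9", "192.0.2.10", 443),
    (1700000500, "10.0.0.9", "192.0.2.10", 443),
]


def beacon_candidates(flows, min_connections=5, max_cv=0.2):
    """Return (src, dst, port, mean_interval_s, cv) for every (src, dst, port)
    pair seen at least min_connections times whose inter-arrival times have a
    coefficient of variation at or below max_cv. Lower cv means more regular."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    results = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # bursts with identical timestamps are not beacons
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            results.append((src, dst, port, round(mean, 1), round(cv, 3)))
    return results


if __name__ == "__main__":
    for candidate in beacon_candidates(FLOWS):
        print("possible beacon:", candidate)
```

Two caveats belong with this check. Legitimate software also beacons on a fixed schedule (NTP, update checks, monitoring agents), so a hit should be combined with destination rarity or reputation before it is escalated. Conversely, malware authors add random jitter or sleep ranges to defeat exactly this test; raising `max_cv` catches more of them at the cost of more false positives, and a longer observation window helps more than a looser threshold.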

Distributed Denial of Service (DDoS)

A DDoS attack makes it impossible for legitimate users to access computer resources by flooding a server or network service with traffic from many sources at once. The flood overwhelms the victim’s network so that nobody else can reach the resources behind it. The flooding event itself is an obvious IoC; the source addresses, protocols and packet characteristics of the flood are the details worth recording so that the same sources can be filtered early next time.

How does Encryption Affect IoCs?

The evolution of the internet and of cyberattacks was accompanied by the evolution of data protection. This focus on consumer privacy led to a rapid increase in encryption: data (the plaintext) is transformed by an encryption algorithm and can only be recovered with the key. Most security professionals would agree that this is a net positive for the protection of confidential data, but for threat mitigation and security operations teams it presents a significant challenge, because payload-based indicators such as malicious URLs or file hashes are no longer visible on the wire.

So how can you find Indicators of Compromise in traffic you cannot read? One answer is JA3 fingerprints. The TLS handshake between a client and a server begins with a ClientHello that is sent in the clear, and the fields it carries (TLS version, offered cipher suites, extensions, supported groups and elliptic-curve point formats) are concatenated into a string and hashed with MD5 to produce the JA3 fingerprint; the server-side counterpart, built from the ServerHello, is called JA3S. Threat detection tools use the JA3 fingerprint to identify potentially threatening traffic, for example a malware family whose TLS library produces a fingerprint rarely seen from legitimate software, so that SecOps teams can inspect those flows in more detail. JA3 is a triage signal rather than a unique identity: many unrelated clients share a fingerprint, and some browsers now randomize the order of their extensions, so a hit should be correlated with the destination and the host’s behaviour before it is acted on.
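The following added example (not code from the article, and not the reference JA3 implementation) shows how a JA3 fingerprint is derived from the bytes of a ClientHello, using only the Python standard library. Because no capture is available offline, `build_client_hello()` constructs a ClientHello with a realistic layout, including GREASE values that the fingerprint must skip; the cipher suites, extensions and groups in it are chosen for illustration and do not represent any particular client.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random-looking placeholders that clients insert
# to keep servers honest; JA3 excludes them so the fingerprint stays stable.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _u16s(values):
    return b"".join(struct.pack("!H", v) for v in values)


def build_client_hello():
    """Constructed TLS record carrying a ClientHello (example data only)."""
    ciphers = _u16s([0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f, 0x009c])
    sni_name = b"example.com"
    sni = struct.pack("!HBH", len(sni_name) + 3, 0, len(sni_name)) + sni_name
    groups = _u16s([0x0a0a, 0x001d, 0x0017, 0x0018])      # GREASE, x25519, P-256, P-384
    sigalgs = _u16s([0x0403, 0x0804, 0x0401])
    exts = b"".join([
        struct.pack("!HH", 0x0a0a, 0),                                          # GREASE ext
        struct.pack("!HH", 0x0000, len(sni)) + sni,                             # server_name
        struct.pack("!HHH", 0x000a, len(groups) + 2, len(groups)) + groups,     # supported_groups
        struct.pack("!HHB", 0x000b, 2, 1) + b"\x00",                            # ec_point_formats
        struct.pack("!HHH", 0x000d, len(sigalgs) + 2, len(sigalgs)) + sigalgs,  # signature_algorithms
        struct.pack("!HHB", 0x002b, 5, 4) + _u16s([0x0304, 0x0303]),            # supported_versions
    ])
    body = (b"\x03\x03" + bytes(32)                         # client_version, random (zeroed)
            + b"\x00"                                       # session_id length 0
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3_from_record(record):
    """Parse a TLS record holding a ClientHello; return (ja3_string, ja3_md5).
    Field order follows JA3: version,ciphers,extensions,groups,point_formats."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record containing a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                               # skip random
    pos += 1 + body[pos]                                    # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [c for c in struct.unpack("!%dH" % (cs_len // 2), body[pos:pos + cs_len])
               if c not in GREASE]
    pos += cs_len
    pos += 1 + body[pos]                                    # skip compression methods
    ext_types, curves, formats = [], [], []
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 0x000a:                             # supported_groups
                n = struct.unpack("!H", data[:2])[0]
                curves = [g for g in struct.unpack("!%dH" % (n // 2), data[2:2 + n])
                          if g not in GREASE]
            elif etype == 0x000b:                           # ec_point_formats
                formats = list(data[1:1 + data[0]])
    dash = lambda xs: "-".join(str(x) for x in xs)
    ja3 = ",".join([str(version), dash(ciphers), dash(ext_types), dash(curves), dash(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


if __name__ == "__main__":
    print(ja3_from_record(build_client_hello()))
```

Note what the fingerprint does and does not depend on: the SNI value, the random bytes and the session ID are parsed past but never enter the string, so the same client gets the same JA3 regardless of which site it visits. That is exactly why it survives encryption, and also why two different programs built on the same TLS library collide.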

3 Common Indicators of Compromise

When it comes to identifying Indicators of Compromise, there is a treasure trove of datapoints that can be classified as an IoC. There are plenty of characteristics of network traffic that can be used as markers by IT teams to identify threats. Here are some common Indicators of Compromise that may be the key breadcrumbs to finding cyber attacks.

Abnormal Outbound Network Traffic

One of the most common tell-tale signs of a cyber threat is unusual traffic leaving the network, for example a workstation suddenly uploading far more data than its normal baseline, or connecting to a destination that no other host uses. Experts consider this one of the easier IoCs to monitor because it stands out from typical internal traffic. Teams that baseline outbound volume per host and per destination can spot the deviation and then investigate what is going in and out.

Geographical Irregularities

Geolocation of login attempts raises a red flag when the location is unfamiliar to the organization or to that particular user. Security teams can map source IP addresses to locations and react when an unusual location is followed by an action such as opening a file or logging into a database; this can indicate an external attacker using stolen credentials. The classic variant is “impossible travel”: two logins by the same account from distant countries within a period too short for anyone to have travelled between them.

Anomalous Privileged User Account Activity

Privileged user accounts are accounts that have access to important or private information and to applications that matter to the organization. Odd activity involving them, such as special privileges or authorizations being granted to unknown accounts, or an existing privileged account suddenly touching systems it never used before, is an IoC worth investigating promptly.
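The three indicators just described (abnormal outbound traffic, geographical irregularities and anomalous privileged-account activity) are each simple to check once the relevant events are collected. The added example below (not code from the article) implements one detector for each over constructed inputs: daily outbound byte totals per host, login events with a country derived from IP geolocation, and privileged-role grants. The hosts, users, countries and role names are invented for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inputs (not real logs).
OUTBOUND = [  # (host, daily outbound bytes over seven days; last entry is today)
    ("10.0.0.5", [120_000, 98_000, 131_000, 110_000, 125_000, 102_000, 9_800_000]),
    ("10.0.0.9", [300_000, 280_000, 310_000, 295_000, 305_000, 290_000, 320_000]),
]
LOGINS = [  # (user, ISO timestamp, country from IP geolocation)
    ("alice", "2024-03-01T08:00:00", "US"),
    ("alice", "2024-03-01T08:40:00", "RU"),
    ("bob",   "2024-03-01T09:00:00", "US"),
    ("bob",   "2024-03-01T17:00:00", "US"),
]
KNOWN_PRIV = {"alice", "svc-backup"}  # accounts approved to hold privileged roles
ROLE_GRANTS = [  # (grantee, role, granted_by)
    ("svc-backup", "BackupOperators", "alice"),
    ("tmp-admin2", "DomainAdmins", "bob"),
]


def outbound_spikes(samples, factor=5.0):
    """Flag hosts whose latest outbound total exceeds factor x the median of
    their earlier days. Returns (host, bytes_today, ratio_to_baseline)."""
    spikes = []
    for host, days in samples:
        baseline = statistics.median(days[:-1])
        if baseline > 0 and days[-1] > factor * baseline:
            spikes.append((host, days[-1], round(days[-1] / baseline, 1)))
    return spikes


def geo_anomalies(logins, min_travel=timedelta(hours=4)):
    """Flag a country change faster than min_travel (impossible travel) and,
    failing that, the first login ever seen from a new country for that user."""
    seen, last, flags = defaultdict(set), {}, []
    for user, ts, country in sorted(logins, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if user in last and country != last[user][1] and t - last[user][0] < min_travel:
            flags.append((user, ts, "impossible travel %s->%s" % (last[user][1], country)))
        elif seen[user] and country not in seen[user]:
            flags.append((user, ts, "first login from %s" % country))
        seen[user].add(country)
        last[user] = (t, country)
    return flags


def unexpected_privilege_grants(grants, known):
    """Flag privileged-role grants to accounts outside the approved set."""
    return [(grantee, role, by) for grantee, role, by in grants if grantee not in known]


if __name__ == "__main__":
    print(outbound_spikes(OUTBOUND))
    print(geo_anomalies(LOGINS))
    print(unexpected_privilege_grants(ROLE_GRANTS, KNOWN_PRIV))
```

Each detector has a known weak spot. A median baseline is robust to one earlier outlier but needs enough history to be meaningful; IP geolocation is coarse, and VPN egress points, mobile carriers and cloud proxies all move users across borders without any travel, so an impossible-travel hit is a prompt to check the device and session rather than a verdict; and the privilege check is only as good as the approved list it compares against, which must itself be maintained and protected.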

Take Action Now!

Indicators of Compromise are essential for helping IT professionals and security teams identify anomalous activity. Whether an attack has already happened or is in progress, your network and security procedures need to be up to date and able to operate at scale. Cybercriminals continue to evolve, and so should your security methods and equipment.

For maximum visibility using advanced threat hunting techniques, NetQuest’s Streaming Network Sensors monitor large-scale enterprise and telco networks, inspecting all encrypted and unencrypted traffic. The sensors extract detailed information, including potential Indicators of Compromise, from each network conversation and export unsampled flow records to be used to detect any anomalies that may be present in your network.
