What are Indicators of Compromise (IOCs)? 

Indicators of compromise (IOCs) are pieces of forensic evidence that indicate a past or ongoing attack, network breach, or malware infection. These clues, or artifacts, most often take the form of IP addresses, URLs, domains, or file hashes known to have been used maliciously. Being alerted to an IOC tells you that something has potentially gone wrong, but an IOC on its own very often lacks the context a security operations center (SOC) needs to prioritize it and act quickly to contain a breach.

Although the acronym IOC is widespread in the cybersecurity community, the phrase “indicator of compromise” is used loosely for almost any piece of threat intelligence that points to something out of the ordinary. Beyond the atomic indicators mentioned above, IOCs are commonly used to describe changes in network traffic patterns, the early stages of a ransomware attack, or identity and access management (IAM) anomalies.

When a system produces activity outside its normal baseline, contextual information helps teams identify the type of attack in progress, tune anti-malware controls and SIEM rules, and conduct more thorough and efficient investigations.

According to Forrester, many cybersecurity vendors now embed IOC intelligence feeds directly into the enterprise security tools they ship, so IOCs can be spotted natively within a tool rather than by cross-referencing a separate feed.

What is the Process for Identifying IOCs? 

Identifying IOCs means poring through telemetry, analytics, and threat intelligence for anomalous behavior that could be malicious, or could be nothing at all. Here again, analysts and investigators rely heavily on context to make significant headway.

That said, no two processes for spotting early indicators of compromise will be the same or even similar; they are business- and use-case-specific. Some of the more common IOC identification methods:

  • Operating-system-specific malware persistence mechanisms and process injection methods: This strategy looks for anomalies in behavior and communication by reviewing running processes, scheduled tasks, autorun entries, and other common hiding places against a known-good baseline. 
  • Attacker lateral movement: This strategy uncovers attacker pathways in near real time by combining threat intelligence with user behavior analytics. 
  • Common attacker tools: This strategy confirms a suspected compromise by finding evidence of attacker tooling, such as modified registry keys or executables left behind on disk. 
  • Indicators derived from investigations: This strategy works through an extensive list of indicators built up from previous investigations, such as privileged-account anomalies, geographic irregularities in logins, or suspicious registry changes. 
  • Environment-specific considerations: This strategy finds artifacts at any stage of the kill chain by first understanding the environment and the relationships between users, hosts, and processes, so that deviations stand out.

Examples of IOCs 

Since IOCs are essentially clues that, after some digital forensics work, can point to something malicious, they come in many shapes and sizes. Some examples of IOCs that can and should set off alarm bells: 

  • Known bad IP addresses: This is one of the most common IOCs and also one of the most ephemeral, as attackers frequently rotate IP addresses. 
  • Malicious hash values: File hashes identify known malware samples and the tooling used in breach attempts. Security teams can proactively blocklist malicious hashes if their threat intelligence is solid, bearing in mind that a single-byte change to a file yields an entirely different hash. 
  • Tactics, techniques, and procedures (TTPs): TTPs describe how an attacker operates rather than a single artifact, covering behaviors such as malware deployment, cryptojacking (using your assets to mine cryptocurrency), and exfiltration of confidential data. 
  • Domains: Domain Name System (DNS) logs will usually reflect anomalous request traffic that, if it recurs at a regular interval (a beaconing pattern), can be a strong IOC. 
  • Network artifacts: From unexpected user accounts to log entries to misconfigurations, there are many artifacts a threat hunter might treat as an IOC and examine more closely. 
  • Successful login after multiple failed attempts: Just because a user, or perhaps a machine, was able to log into the network doesn’t mean it has the right to be there. A telltale sign is a successful login following a burst of failed attempts, which is what a brute-force or password-guessing attempt looks like once it succeeds.
  • Network slowdowns: A slowdown may have an entirely innocent explanation. However, it can also indicate heavier-than-normal activity, such as scanning or bulk data movement. 
  • Exfiltration to an unknown, off-network location: Process logs, job output, and configuration changes can yield evidence that data was sent somewhere it should not have gone. 
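Several of the IOC types in this list can be checked mechanically, and the difference between a static indicator (an IP, domain or hash) and a behavioral one (a success after repeated failures) becomes obvious once you write the matching logic down. The following is an added example for this page, not code from the page's author or any vendor. The IOC values are placeholders (TEST-NET addresses, .example names, and the SHA-256 of an empty file) and the log lines are constructed key=value records, not the output of any real product; the key names and record types are assumptions of the example.

```python
"""Matching log lines against an IOC set, plus one behavioural rule.

Added example for this page; not code from the page's author or any vendor.
The IOC values are placeholders (TEST-NET addresses, .example names, the
SHA-256 of empty input) and the log lines are constructed key=value records,
not the output of a real product.
"""
import ipaddress
from collections import defaultdict

# Constructed IOC set. None of these are real indicators.
IOC_IPS = {"203.0.113.7"}
IOC_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]      # a whole attacker-controlled range
IOC_DOMAINS = {"update.evil.example", "bad-cdn.example"}   # match the name or any subdomain of it
IOC_SHA256 = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}

# Behavioural rule from the list above: a success after this many consecutive failures.
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample logs: "type=<kind> key=value ...". Order matters for the login rule.
SAMPLE_LOGS = [
    "type=auth host=web01 user=alice src=10.0.0.5 result=fail",
    "type=auth host=web01 user=alice src=10.0.0.5 result=fail",
    "type=auth host=web01 user=alice src=10.0.0.5 result=fail",
    "type=auth host=web01 user=alice src=10.0.0.5 result=success",
    "type=auth host=web01 user=bob src=10.0.0.9 result=fail",
    "type=auth host=web01 user=bob src=10.0.0.9 result=success",
    "type=dns host=ws17 query=www.update.evil.example answer=198.51.100.77",
    "type=dns host=ws17 query=evil.example.com answer=198.51.100.9",
    "type=conn host=ws17 dst=203.0.113.7 dport=443",
    "type=conn host=ws17 dst=192.0.2.55 dport=8443",
    "type=conn host=ws17 dst=10.0.0.20 dport=445",
    r"type=file host=ws17 path=C:\Users\alice\AppData\Local\Temp\svc.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    r"type=file host=ws17 path=C:\Windows\notepad.exe sha256=0000000000000000000000000000000000000000000000000000000000000000",
]


def parse(line):
    """Split 'k=v k=v' into a dict; values never contain whitespace in this format."""
    return dict(field.split("=", 1) for field in line.split())


def matching_domain(name):
    """Return the IOC domain that `name` equals or sits under, else None."""
    name = name.rstrip(".").lower()
    for d in IOC_DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None


def matching_network(addr):
    """Return the IOC IP or network that `addr` falls in, else None (malformed input -> None)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if str(ip) in IOC_IPS:
        return str(ip)
    for net in IOC_NETWORKS:
        if ip in net:
            return str(net)
    return None


def match_iocs(lines):
    """Run every rule over the lines; each alert carries the context an analyst needs to triage it."""
    alerts = []
    failures = defaultdict(int)   # (user, src) -> consecutive failed logins so far
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        kind = rec.get("type")
        ctx = {"line": n, "host": rec.get("host")}
        if kind == "auth":
            key = (rec["user"], rec["src"])
            if rec["result"] == "fail":
                failures[key] += 1
            else:
                if failures[key] >= FAILED_LOGIN_THRESHOLD:
                    alerts.append({**ctx, "rule": "success_after_failed_logins",
                                   "user": rec["user"], "src": rec["src"], "failures": failures[key]})
                failures[key] = 0          # any success ends the streak
        elif kind == "dns":
            hit = matching_domain(rec["query"])
            if hit:
                alerts.append({**ctx, "rule": "ioc_domain", "query": rec["query"], "ioc": hit})
        elif kind == "conn":
            hit = matching_network(rec["dst"])
            if hit:
                alerts.append({**ctx, "rule": "ioc_ip", "dst": rec["dst"], "dport": rec["dport"], "ioc": hit})
        elif kind == "file":
            if rec["sha256"].lower() in IOC_SHA256:
                alerts.append({**ctx, "rule": "ioc_hash", "path": rec["path"], "ioc": rec["sha256"]})
    return alerts


if __name__ == "__main__":
    for a in match_iocs(SAMPLE_LOGS):
        print(a)
```

Two details are worth noting. Domain matching must include subdomains (www.update.evil.example is still the attacker's infrastructure) but must not match on substrings, so evil.example.com is correctly ignored. The login rule needs state across lines, keyed on user and source, and resets on success; Bob's single failure followed by a success is normal user behavior and produces no alert, which is the kind of context the prose above says a bare IOC lacks.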

Indicators of Compromise vs. Indicators of Attack

There are several overlapping concepts between IOCs and indicators of attack (IOAs). However, it helps to zoom in on key differences to understand why analysts would define an issue as either an IOC or IOA. 

IOCs are Typically Artifacts

We have mentioned artifacts already, but some context helps. Artifacts are usually historical: they are the digital footprints of a malicious event that has already occurred, and they are found by threat hunting on the basis of specific intelligence. Security analysts and threat hunters can also draw on external artifact libraries and shared intelligence to learn what to look for on their own networks.

After artifacts are found and determined to indicate a potential breach or ongoing threat, teams can put an incident response plan into action. The faster security practitioners can learn that a compromise has actually taken place, the faster they can determine what happened, respond, and – hopefully – have a better idea of the kinds of artifacts to look for in the future.

IOAs are Typically Signs of Impending Attack 

IOAs are meant to keep attacks out of your organization’s history: they are signs that an attack is in progress or imminent. With IOAs, teams can take a more proactive stance, acting on extended detection and response (XDR) telemetry that reaches beyond the network perimeter as attack surfaces keep expanding.

Interpreted correctly, IOAs not only help teams respond to future or in-progress breaches, they can also help predict what an attacker might do and where they might go next. This is invaluable for prioritizing response and remediation based on which systems are being targeted and which data is being accessed or exfiltrated.

What are the Benefits of IOCs? 

The benefits of IOCs are many. Primary among them is they can help companies remediate breaches and perhaps provide context on the types of attacker behavior to look for in the future. Let's take a look at a few others: 

  • Stop late-stage attacks: IOCs are typically artifacts of an attack that has already occurred. However, an artifact may mark only the completed stage of a larger attack that is still in progress, one that can still be stopped.
  • Standardize prioritization: IOCs by themselves can be useful, but it also helps to have all the context you can possibly get. Context gives a clearer picture of attacker behavior and helps teams decide which actions to take first and how best to stop the attack or prepare for the next one. Many solutions have a built-in capability to enrich IOCs with context so that teams can focus on the most critical threats first.
  • Prevent fatigue: A solid detection and response solution should be able to turn IOCs into automated response playbooks, so that security teams are not overwhelmed by manual data analysis and do not overlook a dire threat.
  • Create custom alerts: Understanding an organization’s IOCs can help a team to create specific and tailored security alerts within a platform or technology so they’ll know when artifacts of concern are found.

Why are IOCs Important for an Effective Managed Detection and Response Program? 

IOCs are important for an effective managed detection and response (MDR) program because an MDR provider sees telemetry across its entire customer base, so an IOC found in one environment can be checked against every other.

That breadth lets the provider spot trends in attacker behavior, build new detections as IOCs are found, tailor incident response plans, and disseminate the indicators to its customers so that each security team can feed the IOC data into its own prevention technologies.

It’s also important for MDR programs to consider the efficiency gains and cost savings that come from using IOCs to inform breach response. Customer satisfaction is a growth driver too, particularly after a customer has successfully implemented a provider-recommended plan, or after the provider has tested new IOCs and applied them to customer logs so that alerts fire when those indicators appear in their networks.

All of these aspects combine to help MDR providers retain customers, improve their own operations, as well as strengthen the larger security community by sharing findings.
