Through a known vulnerability, a threat actor gains access to an organisation's network and begins to generate unusual activity, running enumeration commands that are out of the ordinary. The threat actor then uses stolen credentials to log into various applications within that network. The cybersecurity monitoring solution at work, in this case Arctic Wolf® Managed Detection and Response, subsequently picks up an IP address associated with Finland connecting to the network.
These specific pieces of information are indicators of compromise (IOC): digital clues that serve as evidence that security has been compromised and that an attack is either fully underway or has already happened.
What Are Indicators of Compromise?
An IOC is any data point that indicates a cyber attack is occurring or has occurred. IOCs can be anything from a malicious file to an IP address to a suspicious user login to a domain name that contains evidence of malicious activity. Threat intelligence researchers use them to understand threat actor trends, digital forensics teams often use them to find the root cause of a data breach, and tools like managed detection and response (MDR) normally have rule sets to alert for certain IOCs to prevent an incident from escalating.
IOCs often fall under four categories: network indicators, behavioural indicators, host indicators, and email indicators.
Network indicators include data or activity changes that have occurred on the network, and can include abnormal traffic, sudden user behaviour changes, repeated incorrect logins, or access from malicious IPs.
Behavioural indicators are tied to an individual user account and come in the form of unusual behaviour such as incorrect logins, unauthorised file access, unusual login times, logins from outside geographic boundaries, and more.
Host indicators can include file signatures, registry keys, network data, and other system-based data that can indicate to security teams that something is amiss.
Email indicators are tied to emails and can include malicious details such as unknown senders, corrupted or malware-laden attachments, links to known malicious domains, and more.
In the example described at the start, the enumeration commands were consistent with the IOCs used by Ryuk ransomware. In that case, the IOC was discovered due to previous threat intelligence gathering and then applied to the suspicious activity happening within the network, allowing the organisation to realise that an incident was occurring. IOCs are often used, like in that example, to contextualise otherwise independent data points, helping paint a clearer picture of what’s happening within an organisation’s environment.
Common IOC Examples
IOCs can arrive in various forms but often carry distinctive signatures — like replicating behaviour seen by a known ransomware strain — that allow detection and response tools, when manned and monitored by cybersecurity professionals, to identify and act on them.
Indicators of compromise examples include:
- Anomalous network traffic, including inbound, outbound, or intra-network traffic that is not part of the normal traffic flow.
- Geographic irregularities within network traffic or user logins, such as a user accessing assets from a foreign country or an IP address seeking to connect to the network from a foreign country.
- Unusual application activity, such as new or unknown applications appearing in the system or on an endpoint that were not authorised for download.
- Privileged account behaviour changes, like unusual or increased activity from privileged or administrator user accounts such as file transfers, setting changes, or even user permission changes.
- Frequent unsuccessful login attempts, which can occur at an unusual time, such as in the middle of the night, or contain repeated authentication requests.
- Increased file activity, including file requests or file name change requests that were unauthorised or appear as unusual — such as involving critical assets.
- Unauthorised configuration changes, such as setting changes within an application.
- Abnormal file modification, including but not limited to file compression, movement, or exfiltration that appears unauthorised or unusual. For example, a large bundle of critical assets suddenly being compressed or moved to another location within the network.
- Unauthorised file changes to signatures, registry, or specific configuration settings.
- Application changes, such as the installation or execution of unauthorised applications.
- Unusual or unauthorised user account changes, which can include accessing new file systems, logging in after hours, or attempts to change access.
While IOCs offer value, they are not the only evidence organisations use to respond to an attack. Indicators of attack (IOA) are often used in addition to IOCs as part of a robust detection and response strategy.
IOCs v IOAs
IOCs serve as clues or evidence that suggest a system has been breached or that an attack is underway. IOAs, on the other hand, are detections of real-time threats, allowing security teams to predict and prevent attacks before they become serious incidents. Where IOCs rely upon recognising an attack signature, IOAs look for anomalous behaviour that may indicate the start of an attack.
From a threat detection perspective, IOAs are the first signals that an attacker is trying to gain a foothold in a network or system. If an attack advances beyond the initial stages, IOAs become precursors for subsequent stages where the attack can shift from attempt to actual compromise.
IOAs focus on an attacker’s intent, alerting on dynamic behaviour demonstrated through tactics, techniques, and procedures (TTPs), not specific threats or vulnerability types. IOCs differ in that they are typically used to respond to specific threats.
Indicators of compromise and indicators of attack provide security teams with critical context for detecting and responding to cyber attacks. The behaviour-focused detections of IOAs combined with the hard evidence provided by IOCs can help security teams to detect incidents faster, gather more information about an incident, and better analyse how threat actors are behaving both for broad analysis and real-time, organisation-specific response.
Indicators of Compromise in Cybersecurity
It can be difficult for an organisation to detect every possible IOC a threat actor can use. The 2024 Arctic Wolf Security Operations Report provides ten of the most common IOCs we identified in customer environments over a 12-month period. The majority of IOCs that comprise the list, seven of the 10, in fact, are identity based. The IOC we encountered most frequently was a restricted country login, with configuration alterations, including anomalous firewall changes, and the addition of email forwarding rules as the second and third most common IOCs we encountered.
IOCs continue to evolve and change as they are directly related to the constantly evolving nature of threats: malware strains appear and disappear, the expanding attack surface reveals new targets for exploit, and threat actors continue to shift their signatures in attempts to avoid detection. With all this change, the importance of visibility and telemetry within an environment remains constant. As the saying goes, you can’t protect what you can’t see.
While each of these indicators alone may provide limited value, it’s the correlation of multiple indicators that can lead a cybersecurity team to detect and mitigate an incident. When used in conjunction with an organisation's detection and response solutions, such as endpoint detection and response (EDR), MDR, and extended detection and response (XDR), IOCs can help organisations better detect anomalous activity, thereby reducing overall detection and response times. Additionally, IOCs aid digital forensics and incident response teams in understanding how an incident unfolded and what is required in order to restore operations.
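The following is an added example, not code from Arctic Wolf or from its platform, that puts the points above into practice: it takes a handful of the IOC types listed earlier (restricted country login, repeated failed logins, after-hours login, email forwarding rule addition, anomalous firewall change, a match against a known-bad IP list) and shows how correlating them per user turns weak individual signals into an incident. All log lines, IP addresses (documentation ranges), the restricted-country list, the known-bad IP list and the indicator weights are constructed placeholders chosen for the example; the log format, rule names and threshold values are assumptions and not any product's real schema.

```python
"""Toy IOC detection and per-user correlation over constructed log events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholders: a threat-intel list of known-bad IPs (a classic
# signature-style IOC) and the countries the organisation does not operate in.
KNOWN_BAD_IPS = {"203.0.113.45"}
RESTRICTED_COUNTRIES = {"FI"}
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 counts as normal working time
FAILED_LOGIN_THRESHOLD = 3               # this many failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... inside this window is a burst

# Constructed sample log (assumed key=value format, not a real product's schema).
SAMPLE_LOG = """\
2024-05-01T02:01:00Z user=alice type=login result=fail src=198.51.100.7 geo=FI
2024-05-01T02:02:00Z user=alice type=login result=fail src=198.51.100.7 geo=FI
2024-05-01T02:03:00Z user=alice type=login result=fail src=198.51.100.7 geo=FI
2024-05-01T02:04:00Z user=alice type=login result=success src=198.51.100.7 geo=FI
2024-05-01T02:09:00Z user=alice type=mailbox_rule action=forward target=ext@example.net
2024-05-01T09:30:00Z user=bob type=login result=success src=192.0.2.10 geo=GB
2024-05-01T09:45:00Z user=bob type=config_change target=firewall detail=allow_any_inbound
2024-05-01T11:00:00Z user=carol type=login result=success src=192.0.2.11 geo=GB
2024-05-01T11:05:00Z user=dave type=login result=success src=203.0.113.45 geo=GB
"""


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def event_indicators(ev):
    """Single-event rules. Returns a list of (indicator_name, weight)."""
    found = []
    if ev.get("src") in KNOWN_BAD_IPS:
        # A hard threat-intel match is strong enough to stand on its own.
        found.append(("known_bad_ip", 5))
    if ev.get("type") == "login" and ev.get("result") == "success":
        if ev.get("geo") in RESTRICTED_COUNTRIES:
            found.append(("restricted_country_login", 3))
        if ev["ts"].hour not in BUSINESS_HOURS:
            found.append(("after_hours_login", 1))
    if ev.get("type") == "mailbox_rule" and ev.get("action") == "forward":
        found.append(("email_forwarding_rule", 3))
    if ev.get("type") == "config_change" and ev.get("target") == "firewall":
        found.append(("anomalous_firewall_change", 3))
    return found


def failed_login_bursts(events):
    """Multi-event rule: users with >= threshold failed logins inside the window."""
    fails = defaultdict(list)
    for ev in events:
        if ev.get("type") == "login" and ev.get("result") == "fail":
            fails[ev["user"]].append(ev["ts"])
    flagged = set()
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - FAILED_LOGIN_THRESHOLD + 1):
            if times[i + FAILED_LOGIN_THRESHOLD - 1] - times[i] <= FAILED_LOGIN_WINDOW:
                flagged.add(user)
                break
    return flagged


def correlate(events, incident_threshold=5):
    """Group indicators by user; a user becomes an incident when the summed
    weight crosses the threshold or three distinct indicator types co-occur."""
    per_user = defaultdict(dict)  # user -> {indicator_name: weight}
    for ev in events:
        for name, weight in event_indicators(ev):
            per_user[ev["user"]][name] = weight
    for user in failed_login_bursts(events):
        per_user[user]["repeated_failed_logins"] = 2
    report = {}
    for user, inds in per_user.items():
        score = sum(inds.values())
        report[user] = {
            "indicators": sorted(inds),
            "score": score,
            "incident": score >= incident_threshold or len(inds) >= 3,
        }
    return report


if __name__ == "__main__":
    for user, entry in correlate(parse_log(SAMPLE_LOG)).items():
        print(user, entry)
```

On the constructed log, the lone firewall change by bob scores too low to open an incident by itself and would only be queued for review, whereas alice's after-hours restricted-country login, preceded by a burst of failures and followed by a forwarding rule, correlates to a clear incident; dave is flagged on the known-bad IP match alone, which is the signature-style IOC the page contrasts with behavioural indicators.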
To summarise, the benefits to understanding and utilising IOCs include:
- The ability to detect incidents quickly
- Better, more precise monitoring for future events
- Stronger, more rapid incident response
- Threat intelligence sharing for better cybersecurity
No organisation exists in isolation, so utilising IOCs as part of shared threat intelligence not only helps your organisation mitigate threats, but helps the broader cybersecurity community, and vice versa. IOC artefacts are available through open-source platforms as well as through cybersecurity solutions and partners.
Working with a trusted partner like Arctic Wolf allows for 24×7 monitoring, detection, and response across your environment. Arctic Wolf utilises a broad spectrum of threat intelligence sources as part of Arctic Wolf Threat Intelligence, which draws from the Arctic Wolf Aurora Platform’s immense dataset that includes over 500,000 daily malware samples and more than 125,000 monthly SOC investigations that span virtually all threat surfaces, industries, geographies, and organisational sizes to deliver intelligence reporting and real-time threat feeds. Together, Arctic Wolf Threat Intelligence and Arctic Wolf® Managed Detection and Response enable swift detection of and response to anomalous activity.
Learn more about how Arctic Wolf works to investigate and interrupt incidents in progress.
Understand how an MDR solution can prevent incidents from turning into data breaches while helping your organisation further your security journey.