Through a known vulnerability, a threat actor gains access to an organisation, and begins to alter the network activity, running unusual enumeration commands. Then, to make a lateral move, the threat actor uses stolen credentials to log into various applications within said network. The cybersecurity monitoring solution at work, in this case Arctic Wolf® Managed Detection and Response, then picks up an IP address associated with Finland connecting to the network.
These moves, or behaviours, are classified as indictors of compromise (IOC), or digital clues and evidence that a threat actor is conducting a data breach.
IOCs are vital for threat intelligence and incident response, and a core piece of data in modern cybersecurity, especially when it comes to detecting and responding to incidents within an organization’s environment. Threat intelligence researchers use them to understand threat actor trends, digital forensics teams use them to find the root cause of a data breach, and tools like managed detection and response (MDR) often have rule sets to alert for certain IOCs in order prevent an incident from escalating.
The value is immense, but utilising that value starts with understanding what IOCs exist and the role they play in both the cybercrime and cybersecurity landscape.
What Are Indicators of Compromise?
An IOC is any data point that indicates a cyber attack is occurring or has occurred. IOCs can be anything from a file to an IP address to a user login to a domain name that raises suspicions and contains evidence of malicious activity. IOCs often fall under the categories of network indicators, behaviour indicators, file indicators, and artifact indicators.
In the example described above, the enumeration commands were consistent with the kind used by Ryuk ransomware. In that case, the IOC was discovered due to previous threat intelligence gathering and then applied to the suspicious behavior happening within the network, allowing the organisation to realise that an incident was occurring. IOCs are often used, like in that example, to contextualise otherwise independent data points, helping paint a clearer picture of what’s happening within an organisation’s environment.
Common IOC Examples
IOCs can arrive in various forms, but often carry distinctive traits — like replicating behaviour seen by a known ransomware strain — that allow detection and response tools, when manned and monitored by cybersecurity professionals, to identify and act on them.
IOC examples include:
- Unusual network activity including inbound, outbound, or intra- network traffic that is not part of the normal traffic flow.
- Geographic irregularities within network traffic or user logins such as a user accessing assets from a foreign country or an IP address seeking to connect to the network from a foreign country.
- New or unknown applications appearing in the system or on an endpoint that were not authorised for download.
- Unusual or increased activity from privileged or administrator user accounts such as file transfers, setting changes, or even user permission changes.
- An increased frequency of incorrect or attempted user logins. This could also occur at an unusual time, such as in the middle of the night, or contain repeated authentication requests common with multi-factor authentication (MFA) fatigue attacks.
- File requests or file name change requests that were unauthorised or appear as unusual — such as involving critical assets.
- Unauthorised setting changes within an application.
- File compression, movement, or exfiltration that appears unauthorized or unusual. For example, a large bundle of critical assets suddenly being compressed or moved to another location within the network.
While each of these indicators alone may not be particularly unusual or valuable, it’s the correlation of multiple indicators that can lead a cybersecurity team to suspect an incident. In addition, collecting these digital clues can help a digital forensics team understand how a breach occurred, not only helping an organisation recover but helping future organisations prevent the same kind of attack.
For example, Cl0p ransomware recently took advantage of the MOVEit file transfer vulnerability to attack multiple organisations this past year. Knowing that Cl0p is looking to exploit this vulnerability within this application, organisations have been and can continue be on the lookout for IOCs matching that behavior.
Indicators of Compromise vs. Indicators of Attack
While they have similar names, IOCs and indicators of attack (IOA) are different data sets. IOAs are used when a threat actor is attempting to gain access, whereas an IOC is used when access has been granted and the threat actor is now on the path toward a full-scale breach (be it a ransomware attack, data exfiltration, or another kind of attack). Both work together, as a security team that has flagged one or multiple IOCs may use common IOA data to try to stop the attacker’s next step.
Think of an IOA as a phishing email that appears in an inbox, and the IOC as the malicious code that starts working its way through a system. IOAs are also more general than IOCs and provide less information — a digital forensics expert can glean a lot more from a specific malware code than they can from an AI-generated phishing email.
Learn more about indicators of attacks and cyber attack patterns with the 2024 Arctic Wolf Labs Threat Report.
IOCs’ Role in Cybersecurity
IOCs help security teams detect incidents and can help mitigate the effects of an incident or data breach by alerting them to behaviour in near real time. They are critical, especially as cybercriminals turn to more complicated maneuvers, in helping an organisation defend itself.
Detection and response are two key words that are becoming essential in cybersecurity solutions. As organisations leverage endpoint detection and response (EDR), MDR, and extended detection and response (XDR), utilising IOCs allows the detection and response to happen swiftly and effectively. By keeping in touch with threat intelligence across cybersecurity, as well as cybercrime trends, security teams will be in a better position to detect and respond to incidents.
Specific benefits to understanding and utilising IOCs include:
- The ability to detect incidents quickly
- Better, more precise monitoring for future events
- Stronger, more rapid incident response
- Threat intelligence sharing for better cybersecurity
Every environment is unique to that organisation and their business operations. What may be unusual behavior for one may not be for another, so it’s important to make sure your detection and response tools are finely tuned, and your internal or external security teams know what to look for when monitoring the environment.
No organisation exists in isolation, so understanding IOCs not only helps your organisation mitigate threats, but helps the broader cybersecurity community, and vice versa. A major way to build that collaboration, which in turn improves your security posture, is by working with a trusted security operations provider.
Working with a trusted partner like Arctic Wolf allows for 24×7 monitoring and broad visibility into your environment, but the security experts at Arctic Wolf, particularly through Arctic Wolf Labs, are consistently engaging with global threat intelligence and sharing that intelligence with our customers, helping them identify IOCs and IOAs earlier. In addition, Arctic Wolf Managed Detection and Response is fine-tuned to your custom environment, meaning fewer, more actionable alerts that utilise known IOCs to create correlations and allow for swift detection and response.
Learn more about how Arctic Wolf investigates and interrupts incidents in progress.
Understand how an MDR solution can prevent incidents from turning into data breaches while helping your organisation further your security journey.
