Indicators of Compromise: Their Role in a Company’s Information Security
Editor’s note: In this article, Sergei explains how ScienceSoft uses indicators of compromise (IoCs) to spot the signs that a network has been breached. Read on for some useful tips. And if you want to ensure well-rounded network protection, you are welcome to explore the dedicated offer prepared by ScienceSoft’s pentesting team.
Given the epidemic growth in security breaches, cybersecurity service providers and in-house security staff concentrate their efforts on early detection of cyberthreats. To learn that a network has been compromised as early as possible, information security specialists employ indicators of compromise (IoCs). Let’s take a clear look at their value and their downsides for a company’s information security.
What is an IoC?
Indicators of compromise are observable artifacts and activities on a system or network that, with high confidence, point to an intrusion. They are the evidence an analyst looks for to confirm that an attack has taken place, rather than a prediction that one might.
Examples of suspicious activities include unusual traffic patterns between internal systems, unusual usage patterns for privileged accounts, and administrative access to the network from an unexpected geographical location. Digital artifacts include suspicious IP addresses and host names, URLs and domain names of botnets, hashes of malware files (MD5 is still common in shared feeds, although SHA-256 is preferable because MD5 collisions are practical; either way a hash matches only a byte-identical file), virus signatures, Windows registry entries, and network processes and services.
Security administrators find indicators of compromise in host logs as well as in network device logs. Once identified, IoCs are fed into automated security solutions (SIEM systems, antivirus, IDS/IPS, HIDS/HIPS) to detect future attacks.
IoC sources
IoCs come from two kinds of sources: external and internal.
External IoC repositories include both commercial and free sources. Various information security vendors (RSA, Norse, McAfee, Symantec, to name a few) and security research teams (IBM X-Force) provide IoCs to their customers on a commercial basis. In addition, IoC data is shared within Information Sharing and Analysis Centers (ISACs) in several industries, for example FS-ISAC (financial services), R-ISAC (retail) and IT-ISAC (IT).
Free IoC sources can be found on dedicated sites, for example IoC Bucket. The site allows users to download indicators of compromise and look up additional information about them, and encourages them to upload new IoCs and share them with the IT community.
Another useful source of IoC data is Google. Security specialists use the Google Alerts service, or even a plain Google search, to find newly published indicators.
A major disadvantage of external indicators of compromise is that they generate false positives when applied to a particular environment: an IP address or domain that a feed lists as malicious may be a service the company legitimately uses. Therefore, corporate information security specialists take on the role of detectives, tune external feeds by suppressing entries known to be benign locally, and develop custom IoCs for their own networks and hosts.
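As an added example (not code from the article or from ScienceSoft), the following Python script shows the matching workflow described in the two sections above: it normalises an external-style IoC feed, removes entries that a local allow list marks as benign in this environment, and sweeps a handful of constructed log lines from a DNS resolver, a web proxy and an EDR agent for hits. All indicators, hosts, addresses and log lines are constructed for illustration. Two design choices are worth noting: internal RFC 1918 addresses are never compared with the feed, and a domain indicator also matches its subdomains, which is a common feed convention but an assumption here.

```python
import ipaddress
import re

# Constructed IoC feed standing in for a downloaded vendor or community feed.
# None of these values are real indicators.
FEED_IOCS = {
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example.net", "cdn.example.org", "bad.example"},
    "md5": {"0123456789abcdef0123456789abcdef"},
}

# Environment-specific allow list (assumption for the example): the feed lists
# cdn.example.org, but this company uses that CDN, so it only causes false positives.
LOCAL_ALLOW = {"domain": {"cdn.example.org"}}

# Internal ranges are never compared with an external feed (assumed RFC 1918 layout).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines: DNS resolver queries, web proxy connections, EDR file events.
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z dns client=10.0.0.12 query=update-check.example.net.",
    "2024-03-01T10:02:15Z dns client=10.0.0.12 query=cdn.example.org.",
    "2024-03-01T10:02:40Z dns client=10.0.0.31 query=login.bad.example.",
    "2024-03-01T10:03:01Z proxy client=10.0.0.12 dst=203.0.113.45:443 bytes=51200",
    "2024-03-01T10:03:05Z proxy client=10.0.0.20 dst=192.0.2.9:443 bytes=900",
    "2024-03-01T10:04:40Z edr host=ws12 path=C:\\Users\\a\\AppData\\Local\\Temp\\x.exe"
    " md5=0123456789ABCDEF0123456789ABCDEF",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def effective_iocs(feed, allow):
    """Normalise the feed (lower case, no trailing dot) and drop allow-listed entries."""
    out = {}
    for kind, values in feed.items():
        skip = {v.lower().rstrip(".") for v in allow.get(kind, ())}
        out[kind] = {v.lower().rstrip(".") for v in values} - skip
    return out


def extract(line):
    """Pull candidate indicators of each type out of one raw log line."""
    ips = set()
    for m in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(m)
        except ValueError:  # e.g. 999.1.1.1 fits the regex but is not an address
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            ips.add(str(ip))
    return {
        "ipv4": ips,
        "domain": {m.lower() for m in DOMAIN_RE.findall(line)},
        "md5": {m.lower() for m in MD5_RE.findall(line)},
    }


def match_logs(lines, iocs):
    """Return (line_no, kind, indicator) for every hit, one hit per indicator per line."""
    hits = []
    for n, line in enumerate(lines, 1):
        cands = extract(line)
        for kind in ("ipv4", "md5"):
            for v in sorted(cands[kind] & iocs[kind]):
                hits.append((n, kind, v))
        for d in sorted(cands["domain"]):
            labels = d.split(".")
            # Walk from the full name up through its parents, so that
            # login.bad.example hits a feed entry for bad.example.
            for i in range(len(labels) - 1):
                parent = ".".join(labels[i:])
                if parent in iocs["domain"]:
                    hits.append((n, "domain", parent))
                    break
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS, effective_iocs(FEED_IOCS, LOCAL_ALLOW)):
        print("line %d: %s indicator %s" % hit)
```

Run against the sample, the allow-listed CDN lookup on the second line produces no alert, while the feed-listed domain, the subdomain of a feed-listed domain, the external IP and the upper-case hash all do. In production the same three functions would sit behind a SIEM rule, with the allow list reviewed whenever the feed is refreshed.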
Dark Reading author Ericka Chickowski describes 15 key indicators of compromise in her article:
- Unusual Outbound Network Traffic.
- Anomalies in Privileged User Account Activity.
- Geographical Irregularities.
- Log-In Red Flags.
- Increases in Database Read Volume.
- HTML Response Sizes.
- Large Numbers of Requests for the Same File.
- Mismatched Port-Application Traffic.
- Suspicious Registry or System File Changes.
- Unusual DNS Requests.
- Unexpected Patching of Systems.
- Mobile Device Profile Changes.
- Bundles of Data in the Wrong Place.
- Web Traffic with Unhuman Behavior.
- Signs of DDoS Activity.
This list is not exhaustive. Usually, information security specialists create new IoCs based on information from conferences, additional reading on newly discovered vulnerabilities, and previous incidents.
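Several items on the list above are behaviours rather than atomic artifacts, so they cannot be looked up in a feed; they have to be computed from the company’s own logs against a baseline. As an added example (not from the article), the Python below implements three of them over constructed data: unusual outbound network traffic as a spike over a host’s own median volume, geographical irregularities as the same account logging in from two countries within a window too short to travel, and mismatched port-application traffic as a flow whose identified protocol does not fit its destination port. The thresholds, the port-to-protocol table and all records are assumptions for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed daily outbound byte counts per host: a week of history plus today.
OUTBOUND = {
    "ws12": {"history": [1.2e6, 0.9e6, 1.1e6, 1.0e6, 1.3e6, 1.1e6, 1.0e6], "today": 9.8e6},
    "ws20": {"history": [5.0e6, 6.0e6, 5.5e6, 4.8e6, 6.1e6, 5.2e6, 5.9e6], "today": 6.3e6},
}

# Constructed SSO/VPN login events: (account, UTC timestamp, country of source IP).
LOGINS = [
    ("alice", "2024-03-01T08:00:00Z", "DE"),
    ("alice", "2024-03-01T08:40:00Z", "BR"),
    ("bob", "2024-03-01T09:00:00Z", "DE"),
    ("bob", "2024-03-01T21:00:00Z", "US"),
]

# Constructed flow records; "app" is the protocol the sensor identified by inspection.
FLOWS = [
    {"src": "10.0.0.12", "dst": "203.0.113.45", "dport": 443, "app": "tls"},
    {"src": "10.0.0.12", "dst": "198.51.100.7", "dport": 53, "app": "http"},
    {"src": "10.0.0.31", "dst": "192.0.2.9", "dport": 8443, "app": "ssh"},
    {"src": "10.0.0.20", "dst": "192.0.2.10", "dport": 53, "app": "dns"},
]

# Assumed port-to-protocol expectations for this network.
EXPECTED_APP = {22: {"ssh"}, 53: {"dns"}, 80: {"http"}, 443: {"tls"}, 8443: {"tls"}}


def unusual_outbound(stats, factor=3.0):
    """Hosts whose outbound volume today exceeds factor times their own historical median."""
    flagged = []
    for host, s in sorted(stats.items()):
        if s["today"] > factor * median(s["history"]):
            flagged.append(host)
    return flagged


def geographic_irregularities(logins, window=timedelta(hours=2)):
    """Same account seen in two countries closer together than the travel window."""
    events = sorted(
        (user, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), country)
        for user, ts, country in logins
    )
    flagged = []
    # Compare each login with the next one for the same account.
    for (u1, t1, c1), (u2, t2, c2) in zip(events, events[1:]):
        if u1 == u2 and c1 != c2 and t2 - t1 <= window:
            flagged.append((u1, c1, c2))
    return flagged


def mismatched_port_app(flows, expected=EXPECTED_APP):
    """Flows whose identified protocol is not what the destination port implies."""
    return [
        (f["src"], f["dst"], f["dport"], f["app"])
        for f in flows
        if f["dport"] in expected and f["app"] not in expected[f["dport"]]
    ]


if __name__ == "__main__":
    print("outbound spikes:", unusual_outbound(OUTBOUND))
    print("impossible travel:", geographic_irregularities(LOGINS))
    print("port/app mismatch:", mismatched_port_app(FLOWS))
```

The point of the per-host median is that "unusual" is relative: ws20 moves more data on an ordinary day than ws12 does on the day it is flagged, so a single global threshold would either miss ws12 or page on ws20 every day. The port-application check needs a sensor that identifies protocols by content rather than by port number, which is exactly what makes the mismatch detectable.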
IoC value
IoC data allows information security specialists to determine that the network has already been compromised and to get details on what happened, who was involved, and when the attack occurred.
Information security consultants integrate indicators of compromise into automated security solutions (for instance, SIEM systems, IDS/IPS, HIDS/HIPS, antivirus), where they provide additional evidence on whether the item in question is malicious. Having collected and implemented indicators of compromise for a particular threat, security professionals can sweep the network for any of them. The presence of a file with a known-bad hash, or of a running process with a particular name, is a sign that the network has been compromised; a single hit is the start of an investigation rather than proof on its own, since a process name in particular is easy for an attacker to reuse and for legitimate software to share.
IoCs to confront APTs
Indicators of compromise act as red flags that alert information security professionals to a potential or ongoing cyberattack. In particular, they are helpful for hunting APTs (advanced persistent threats). An APT attack usually bypasses traditional security technologies because its signals are very weak; before it is discovered, an APT may persist for a year in a latent form. IoCs allow information security specialists to detect an APT’s presence and stop data exfiltration. Here are some examples of common IoCs for detecting Carbanak, an APT-style campaign that mainly targeted financial institutions:
- Connections to command-and-control servers in a suspicious location (China, in particular).
- Successful execution of new remote code in the network, which leads to Carbanak being installed on the victim’s system.
- Writes to file paths inside sensitive system directories, such as System32. Carbanak, for example, copies itself into “%system32%\com” under the name “svchost.exe”, with the file attributes system, hidden and read-only. The genuine svchost.exe lives directly in System32, so a file of that name in a subdirectory, especially with that attribute combination, is a strong indicator.
- Appearance of new services or autostart entries. Carbanak, for instance, creates a new service to ensure it runs automatically at startup.
- Presence of remote administration tools (RATs). Carbanak attackers use the Ammyy Admin RAT because it is commonly used by legitimate administrators and is therefore often whitelisted.
- Presence of remote logins. In the case of a Carbanak attack, the RAT logs showed that the tools were accessed from two different IP addresses used by the attackers, located in Ukraine and France.
- Presence of unusual IT tools. Carbanak attackers use additional tools, such as Metasploit, PsExec and Mimikatz, to gain control of the victim’s network.
IoC limitations
IoCs improve a company’s security posture by focusing on the forensic analysis of a compromise that has already taken place. This is a reactive rather than a proactive approach. Such indicators help prevent repeated and ongoing threats, but they are not designed to detect new or modified threats, for example malware-free (fileless) attacks or zero-day exploits. Atomic indicators are also cheap for an attacker to change: recompiling a binary defeats a hash-based IoC, and moving to a new domain or IP address defeats a network one, so behavioral indicators keep their value longer than artifact-based ones.
However, most attacks, including APTs, reuse scenarios that somebody has already exploited in similar breaches. That is why the IT community documents and actively shares indicators of compromise to improve incident response and computer forensics.