Explore how organizations can effectively transform indicators of compromise into actionable intelligence, enabling proactive threat detection and efficient incident response.
In today's complex cybersecurity threat landscape, the ability to detect and respond quickly to threats can mean the difference between a minor security incident and a large-scale data breach. Indicators of compromise (IOCs) act as digital breadcrumbs left by threat actors during their attack operations. They provide security teams with valuable insights into ongoing or past attacks. By grasping the nature of IOCs, their various types and the methodologies for leveraging them, security professionals can significantly enhance their defensive capabilities against evolving cyber threats.
What is an indicator of compromise?
Indicators of compromise (IOCs) are forensic artifacts that attackers leave behind when they exploit a target system or network. They are central to the work of Computer Security Incident Response Teams (CSIRTs) because they provide early clues that a system has been compromised, allowing the team to contain the attack early and limit the damage.
In practice, an IOC is any observable artifact that indicates a system is compromised or under active attack. A known-malicious IP address in an access log, an unexpected file on an endpoint's disk or on network storage, and abnormal network activity are all examples of IOCs that security teams should examine closely.
IOCs are essential when developing a reactive cybersecurity strategy to contain security incidents; however, a comprehensive cybersecurity defense plan also requires a proactive approach, which is where the indicator of attack (IOA) comes into play.
What is an indicator of attack?
An indicator of attack (IOA) is any sign that someone is attempting to infiltrate an organization's IT systems and network. IOAs are caught before any damage or successful breach occurs, and security teams use them to strengthen defenses and stop attackers before they gain a foothold or exfiltrate data.
The main difference between an IOC and an IOA is timing: an IOA identifies attacker activity while the intrusion is in progress, before damage is done, whereas an IOC identifies evidence that an attack has already succeeded and the attacker is establishing or has established a foothold in the target environment. IOAs are proactive threat-hunting signals; IOCs are reactive forensic evidence.
IOC symptoms
The following IOC symptoms signal that a data breach has occurred or an active attack is underway:
Abnormal network traffic - Connections to a known-malicious IP address, or traffic that makes no business sense, such as large files moving from the finance department's network segment to the email storage server. Public blocklists of IP addresses seen in previous attacks are a useful starting point for this check
Login attempts - Many failed login attempts that finally succeed, or unusual user behavior such as accessing sensitive files after business hours or during holidays
Changes to system files - Modifications to operating system files, the Windows registry or other critical configuration such as startup entries are potential signs of malware activity
Suspicious running process - The existence of suspicious processes and services running on the target system or network is a potential IOC
File hash values - Cryptographic hashes (e.g., MD5, SHA-256) of known malicious files that match files discovered in the IT environment
Command and control communications - Outbound connections to known malicious servers, or beaconing patterns that indicate contact with C2 infrastructure; ransomware operations, for example, typically check in with C2 before encryption begins
DNS request anomalies - Unusual DNS queries, particularly to newly registered or known-malicious domains; a WHOIS lookup establishes a domain's registration date and registrant
Privilege escalation events - Unexpected elevation of user permissions or access rights within the target IT environment
Memory forensics artifacts - Suspicious code fragments, strings or structures found in system memory dumps
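As an added illustration of how several of these symptoms translate into detection logic (this is example code, not code from the original article), the following Python script scans a handful of constructed log lines for a burst of failed logins followed by a success, an off-hours login, an outbound connection to a known-bad IP address and a DNS query for a known-bad domain. The log format, the threshold of five failures, the 08:00-18:00 business-hours window, and the "known-bad" IP (198.51.100.23) and domain (update-check.example) are all assumptions made for the example; the addresses come from documentation-reserved ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed "known-bad" indicators for the example (documentation-reserved
# address and TLD, not real threat data). A real deployment would load these
# from a threat intelligence feed.
KNOWN_BAD_IPS = {"198.51.100.23"}
KNOWN_BAD_DOMAINS = {"update-check.example"}

# Constructed log lines in a simplified "<timestamp> <source> <event> k=v ..." format.
SAMPLE_LOGS = """\
2024-05-02T02:14:01 auth login_failed user=jsmith src=203.0.113.5
2024-05-02T02:14:07 auth login_failed user=jsmith src=203.0.113.5
2024-05-02T02:14:13 auth login_failed user=jsmith src=203.0.113.5
2024-05-02T02:14:20 auth login_failed user=jsmith src=203.0.113.5
2024-05-02T02:14:26 auth login_failed user=jsmith src=203.0.113.5
2024-05-02T02:14:31 auth login_success user=jsmith src=203.0.113.5
2024-05-02T09:30:00 fw outbound src=10.0.0.15 dst=198.51.100.23 dport=443
2024-05-02T09:31:12 dns query host=10.0.0.15 qname=update-check.example
2024-05-02T10:05:44 auth login_success user=adoe src=10.0.0.9
2024-05-02T10:06:02 fw outbound src=10.0.0.9 dst=203.0.113.80 dport=443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+)(?P<kv>(?: \w+=\S+)*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = dict(pair.split("=", 1) for pair in m["kv"].split())
    return {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"],
            "event": m["event"], **fields}


def is_off_hours(ts, start=time(8, 0), end=time(18, 0)):
    """Business hours are assumed to be 08:00-18:00 local time for this example."""
    return not (start <= ts.time() < end)


def find_iocs(log_text, fail_threshold=5):
    """Return (indicator_type, detail) tuples for every symptom found in the logs."""
    hits = []
    failures = defaultdict(int)  # (user, src) -> failed logins since the last success
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable line; a real pipeline would count these as well
        if ev["event"] == "login_failed":
            failures[(ev["user"], ev["src"])] += 1
        elif ev["event"] == "login_success":
            key = (ev["user"], ev["src"])
            if failures[key] >= fail_threshold:
                hits.append(("brute_force_success",
                             f"{ev['user']} from {ev['src']} after {failures[key]} failures"))
            if is_off_hours(ev["ts"]):
                hits.append(("off_hours_login", f"{ev['user']} at {ev['ts'].isoformat()}"))
            failures[key] = 0
        elif ev["event"] == "outbound" and ev["dst"] in KNOWN_BAD_IPS:
            hits.append(("known_bad_ip", f"{ev['src']} -> {ev['dst']}:{ev['dport']}"))
        elif ev["event"] == "query" and ev["qname"].lower() in KNOWN_BAD_DOMAINS:
            hits.append(("known_bad_domain", f"{ev['host']} queried {ev['qname']}"))
    return hits


if __name__ == "__main__":
    for kind, detail in find_iocs(SAMPLE_LOGS):
        print(f"[{kind}] {detail}")
```

Run against the constructed sample, the script reports four hits: the successful login after five failures, the same login flagged as off-hours, the outbound connection to the known-bad address and the DNS query for the known-bad domain. Note that the failure counter is keyed on (user, source) and reset on success, so a single stray failure from a different address does not pollute the count; in production the same logic would be expressed as a SIEM correlation rule rather than a script.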
Monitoring network traffic at scale requires a mix of tools and human expertise to identify IOCs and trace them to their origin. Artificial intelligence (AI) and machine learning (ML) have strengthened this capability, allowing CSIRTs to sift through massive volumes of network traffic and log data and surface IOCs faster.
Security Information and Event Management (SIEM) systems serve as the core infrastructure for aggregating, correlating and analyzing potential IOCs across the enterprise IT environment, and threat intelligence feeds complement them with current information about emerging threats.
Why should organizations monitor for indicators of compromise?
By monitoring for indicators of compromise (IOCs), organizations can detect and respond to threats sooner, making it an important element of a robust cybersecurity defense strategy. Here are the main benefits of this approach:
- Reduce dwell time by detecting attacks early: Dwell time is how long a threat actor remains undetected in a network. Detecting IOCs significantly reduces dwell time and therefore the damage a successful attack can cause. The 2023 Ponemon Institute report shows that delayed response increases costs: insider threats that took more than 91 days to detect cost an average of $18.33 million per year.
- Boost incident response capabilities: Beyond signaling a potential attack, IOCs provide context about it, such as the tactics, techniques and procedures (TTPs) the threat actor used, which enables a faster and more effective incident response. For example, during the 2020 SolarWinds breach, organizations that tracked IOCs such as unusual DLLs and their network activity detected and contained the threat faster.
- Lower the financial impact of data breaches: According to Statista, the global average cost of a data breach is 4.88 million USD. Detecting IOCs early can prevent large-scale data exfiltration or extended system downtime, significantly reducing the financial impact of such incidents.
- Improve threat intelligence sharing across companies in the same industry: IOCs are easy to share between organizations that face the same threats, which strengthens collaborative defenses and helps other companies avoid falling victim to the same threat actors. For example, after the WannaCry ransomware attack in 2017, organizations shared IOCs such as malicious IP addresses and file hashes of the ransomware, which enabled other companies to block it before it infected their systems.
IOCs types
In the cybersecurity context, there are six types of IOCs:
Host-based IOCs
These indicators are related to the host or computer. They include any suspicious activities executed on host devices, such as changes to operating system configurations, registry modifications, changes to startup programs or changing firewall rules. They also include other suspicious activities on the host level, such as unexpected network connections, unusual process execution, increased CPU or memory usage and log tampering.
Network-based IOCs
This type covers signs such as outbound communications with external servers or known-malicious IP addresses, which could indicate contact with a command and control server to deploy ransomware, download additional malware or exfiltrate data. Other signs include communication over unusual ports, such as large volumes of web-like traffic on port 6667 (commonly associated with IRC) rather than on port 80 (HTTP).
File-based IOCs
These IOCs concern the characteristics of individual files and whether they are malicious: for instance, file hashes (e.g., MD5, SHA-256) that match known malware, or the presence of known malicious executables, DLLs (Dynamic Link Libraries), scripts or documents.
Email-based IOCs
These IOCs identify malicious emails that try to deceive users or deliver malware, for example by flagging sender addresses that are:
- Spoofed sender addresses - Such as an email claiming to be from your bank while it is sent from a free email service like Gmail or Proton Mail
- Typosquatting addresses - Emails sent from addresses that closely resemble legitimate ones, such as sender@google.com vs sender@go0gle.com or sender@company.com vs sender@company.net
- Newly registered domains - A stream of email from a domain that was registered only days ago is a red flag
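The three email checks above can be expressed as a small classifier. The following Python example is added here and is not code from the original article: it flags a display name that claims a trusted brand while the address is at a webmail provider, a sender domain that is a homoglyph or one-character edit of a trusted domain (or the same label under a different TLD), and a domain whose registration is less than 30 days old. The trusted domains, the webmail list, the homoglyph table and the WHOIS registration dates are all constructed assumptions; a real deployment would query WHOIS or a domain-age service instead of the inline table.

```python
from datetime import date

# Domains the organization trusts; the first label doubles as the brand word a
# user would recognize in a display name. Constructed for the example.
TRUSTED_DOMAINS = {"google.com", "company.com"}
# Webmail providers a bank, vendor or colleague would not legitimately send from.
FREE_MAIL_PROVIDERS = {"gmail.com", "proton.me", "outlook.com"}
# Stand-in for a WHOIS lookup: domain -> registration date (made-up values).
WHOIS_CREATED = {"go0gle.com": date(2024, 4, 28), "company.net": date(2019, 3, 1)}
# Digits attackers swap for look-alike letters; normalized away before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(display_name, address, today=date(2024, 5, 2), new_domain_days=30):
    """Return the email IOC labels that apply to a sender; an empty list means nothing flagged."""
    domain = address.rsplit("@", 1)[-1].lower()
    flags = []
    if domain in TRUSTED_DOMAINS:
        return flags

    # 1. Spoofed sender: display name claims a trusted brand but the address is webmail.
    claimed = display_name.lower()
    brands = {t.split(".", 1)[0] for t in TRUSTED_DOMAINS}
    if domain in FREE_MAIL_PROVIDERS and any(b in claimed for b in brands):
        flags.append("spoofed_sender")

    # 2. Look-alike domain: homoglyph swap, a one-character edit, or the same label
    #    under a different TLD (single-level TLDs assumed; co.uk-style suffixes need more care).
    normalized = domain.translate(HOMOGLYPHS)
    label = domain.split(".", 1)[0]
    for trusted in TRUSTED_DOMAINS:
        if (normalized == trusted or levenshtein(domain, trusted) <= 1
                or label == trusted.split(".", 1)[0]):
            flags.append("lookalike_domain")
            break

    # 3. Newly registered domain: registered fewer than new_domain_days ago.
    created = WHOIS_CREATED.get(domain)
    if created is not None and (today - created).days < new_domain_days:
        flags.append("newly_registered_domain")
    return flags


if __name__ == "__main__":
    # Constructed senders covering each case described above.
    for name, addr in [("Alice", "alice@company.com"),
                       ("Google Security", "security@gmail.com"),
                       ("IT Desk", "helpdesk@go0gle.com"),
                       ("HR", "hr@company.net")]:
        print(f"{name} <{addr}>: {classify_sender(name, addr) or 'ok'}")
```

The checks are layered deliberately: the homoglyph table catches go0gle.com even though its edit distance from google.com is also 1, while the label comparison is what catches company.net, whose edit distance from company.com is 3. A lookalike verdict is a prompt for a WHOIS and header review rather than an automatic block, since legitimate partners do sometimes mail from similar-looking domains.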
Behavioral IOCs
These IOCs look beyond static indicators (like file hashes or malicious emails) and focus on dynamic actions and patterns that suggest malicious activity. For example:
- A sudden increase in privilege escalations – Such as a regular user launching many applications with administrator privileges, which is not typical behavior
- A low-privilege service account attempting to access sensitive or core system files
- A high number of failed login attempts from a single IP address or user account, especially outside business hours
- A user accessing files or folders they have never touched before, particularly sensitive data; for example, a marketing department account trying to open finance department files
Registry-based IOCs
The Windows Registry stores OS and application settings. Malware modifies these settings to achieve persistence, execute malicious code or disable security features such as installed antimalware products.
Key indicators in this context include:
- Modifying startup keys, such as malware adding its executable under the following registry keys:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- Malware disabling Windows Defender or other antivirus software by modifying registry keys, for example by setting the DisableAntiSpyware value under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender to 1
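To make the registry indicators concrete, here is an added Python example (not code from the original article) that parses a constructed dump in the format produced by the Windows reg export command and flags autorun entries launched from scratch directories, autoruns that invoke script hosts or PowerShell with hidden or encoded command lines, and the Defender DisableAntiSpyware policy value set to 1. The registry key and value names are the real ones; the path and command-line heuristics, the sample entries, and the made-up svch0st.exe and encoded-PowerShell values are assumptions chosen for the example.

```python
import re

# Autorun locations listed above. Registry paths are case-insensitive, so they
# are compared lower-cased.
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
# Real Defender policy key; DisableAntiSpyware=1 turns the engine off.
DEFENDER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"

# Heuristics chosen for this example: autoruns launched from scratch locations, or
# script hosts / LOLBins with hidden or encoded command lines. Baseline before use.
SUSPICIOUS_PATH = re.compile(r"\\(Temp|Downloads|Public)\\", re.IGNORECASE)
SUSPICIOUS_CMD = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|regsvr32|rundll32|wscript|cscript)(\.exe)?\b.*?"
    r"(-enc\b|-e |-w hidden|-windowstyle hidden|\.hta\b|\.vbs\b|\.js\b|/s /u|scrobj)",
    re.IGNORECASE)

# Constructed export in "reg export" format. OneDrive is a typical benign autorun;
# the other entries are made-up malicious examples (the base64 is a placeholder).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svch0st.exe"
"Helper"="powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
'''


def parse_reg_export(text):
    """Yield (key, value_name, data) triples; quoted string data is unescaped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape quotes as \" and backslashes as \\
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            yield key, name.strip('"'), data


def find_registry_iocs(text):
    """Return (indicator_type, detail) tuples for suspicious autoruns and Defender tampering."""
    run_keys = {k.lower() for k in RUN_KEYS}
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() in run_keys:
            if SUSPICIOUS_PATH.search(data):
                hits.append(("autorun_unusual_path", f"{key}\\{name} = {data}"))
            elif SUSPICIOUS_CMD.search(data):
                hits.append(("autorun_lolbin", f"{key}\\{name} = {data}"))
        elif key.lower() == DEFENDER_KEY.lower() and name == "DisableAntiSpyware":
            if data.startswith("dword:") and int(data[6:], 16) == 1:
                hits.append(("defender_disabled", f"{key}\\{name} = {data}"))
    return hits


if __name__ == "__main__":
    for kind, detail in find_registry_iocs(SAMPLE_REG):
        print(f"[{kind}] {detail}")
```

On the constructed dump the script flags the Temp-directory autorun, the hidden encoded PowerShell autorun and the Defender policy value, and leaves the OneDrive entry alone. On a live host you would feed it the output of reg export for each Run key; note that reg export writes UTF-16LE, so open the file with that encoding. The path heuristic is intentionally narrow (legitimate software such as OneDrive also lives under AppData), so extend it only after baselining what normal autoruns look like in your environment.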
How do we convert IOC into actionable intelligence?
Converting indicators of compromise (IOCs) into actionable intelligence means analyzing and contextualizing raw IOC data so that it can drive decisions and response. The process requires a mix of tools, techniques and expertise, and follows these steps:
- Collect IOCs - Gather IOCs from various sources, such as threat intelligence feeds, security tools (SIEM, EDR, firewalls) and incident reports
- Add context to collected IOCs - Such as checking registration details for suspicious domains, detonating suspicious files in a sandbox and geolocating collected IP addresses
- Correlate IOCs with internal data - For example, check a suspicious domain name with internal DNS logs to see if any system within your IT environment has communicated with it
- Prioritize IOCs based on risk severity - Not all IOCs have the same priority or severity level. For example, discovering a file hash related to a dangerous ransomware strain is more critical to handle than discovering a phishing domain name
- Map IOCs to specific adversary behaviors - For example, map the collected IOCs to MITRE ATT&CK framework to understand the attacker's methodology and objectives
- Create detection rules - Develop detection rules for security tools like SIEM, IDS/IPS or EDR based on the collected IOC. For example, create an alert in your SIEM solution to warn about any connection to a known malicious IP address
- Automate response actions - Automate the response in your toolset once an IOC is high-confidence. For example, block malicious domain names and IP addresses at the firewall and quarantine files with known malicious hashes
- Perform threat hunting - Continually search for more IOC within your IT environment to identify hidden threats
- Share intelligence with other teams - Share intelligence with internal teams within your organization, such as SOC and IT, in addition to sharing the same information with external partners, such as ISACs to boost collaborative cyber defenses
- Update security defenses based on the insight from the collected IOCs - Such as patching the exploited vulnerabilities, updating firewall rules and improving employees' security awareness training
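To show how the steps above fit together, here is an added Python example (not from the original article) that walks a small set of constructed feed indicators through enrichment, correlation with internal DNS and flow logs, risk scoring, MITRE ATT&CK mapping and the generation of a Sigma-style detection rule and a block list. The feed entries, enrichment values, internal log records, scoring weights and the tag-to-technique mapping are all assumptions chosen for the example; the technique IDs themselves (T1486, T1071, T1105, T1566) are real ATT&CK identifiers.

```python
# Constructed threat-feed entries (not real indicators). The hash is a made-up
# SHA-256 value and the IP/domains come from documentation-reserved ranges.
FEED_HASH = "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"
FEED = [
    {"type": "sha256", "value": FEED_HASH, "tags": ["ransomware"]},
    {"type": "domain", "value": "login-portal.example", "tags": ["phishing"]},
    {"type": "ip", "value": "198.51.100.23", "tags": ["c2"]},
    {"type": "domain", "value": "cdn-static.example", "tags": ["malware-download"]},
]

# Stand-ins for WHOIS, sandbox and geolocation lookups (constructed values).
ENRICHMENT = {
    "login-portal.example": {"domain_age_days": 3},
    "cdn-static.example": {"domain_age_days": 900},
    "198.51.100.23": {"asn": "AS64496", "country": "ZZ"},
    FEED_HASH: {"sandbox_verdict": "malicious", "family": "ExampleLocker"},
}

# Constructed internal telemetry: (internal host, observed value).
INTERNAL_DNS = [("10.0.0.15", "cdn-static.example"), ("10.0.0.22", "intranet.corp")]
INTERNAL_FLOWS = [("10.0.0.15", "198.51.100.23"), ("10.0.0.9", "203.0.113.80")]
INTERNAL_HASHES = set()  # no EDR sighting of the feed hash in this sample

# Scoring weights, ATT&CK mapping and Sigma log sources are assumptions for the example.
BASE_SEVERITY = {"ransomware": 70, "c2": 60, "malware-download": 50, "phishing": 30}
ATTACK_MAP = {"ransomware": "T1486", "c2": "T1071", "malware-download": "T1105", "phishing": "T1566"}
SIGMA_FIELD = {"ip": ("firewall", "dst_ip"), "domain": ("dns", "query"),
               "sha256": ("process_creation", "Hashes|contains")}


def enrich(ioc):
    """Step 2: attach external context to a raw indicator."""
    return {**ioc, "context": ENRICHMENT.get(ioc["value"], {})}


def correlate(ioc):
    """Step 3: find internal hosts that have touched the indicator."""
    source = {"domain": INTERNAL_DNS, "ip": INTERNAL_FLOWS, "sha256": INTERNAL_HASHES}[ioc["type"]]
    hosts = {host for host, seen in source if seen == ioc["value"]}
    return {**ioc, "sightings": sorted(hosts)}


def score(ioc):
    """Step 4: severity from feed tags, raised by context and by internal sightings."""
    s = max(BASE_SEVERITY.get(t, 10) for t in ioc["tags"])
    ctx = ioc["context"]
    if ctx.get("domain_age_days", 10**6) < 30:
        s += 10
    if ctx.get("sandbox_verdict") == "malicious":
        s += 10
    if ioc["sightings"]:
        s += 30  # confirmed in our environment outranks any feed-only indicator
    return min(s, 100)


def build_intelligence(feed=FEED):
    """Steps 1-5: enrich, correlate, score and map every feed entry; highest risk first."""
    intel = []
    for raw in feed:
        ioc = correlate(enrich(raw))
        ioc["score"] = score(ioc)
        ioc["attack"] = sorted({ATTACK_MAP[t] for t in ioc["tags"] if t in ATTACK_MAP})
        intel.append(ioc)
    return sorted(intel, key=lambda i: -i["score"])


def sigma_rule(ioc):
    """Step 6: render a Sigma-style rule for one indicator."""
    category, field = SIGMA_FIELD[ioc["type"]]
    level = "high" if ioc["score"] >= 80 else "medium" if ioc["score"] >= 50 else "low"
    tags = "".join(f"  - attack.{t.lower()}\n" for t in ioc["attack"])
    return (f"title: Known-bad {ioc['type']} {ioc['value']}\nstatus: experimental\n"
            f"logsource:\n  category: {category}\n"
            f"detection:\n  selection:\n    {field}: {ioc['value']}\n  condition: selection\n"
            f"tags:\n{tags}level: {level}\n")


def blocklist(intel, min_score=50):
    """Step 7: network indicators confident enough to block automatically."""
    return [i["value"] for i in intel if i["type"] in ("ip", "domain") and i["score"] >= min_score]


if __name__ == "__main__":
    intel = build_intelligence()
    for i in intel:
        print(f"{i['score']:3d} {i['type']:6s} {i['value']} seen_on={i['sightings']} attack={i['attack']}")
    print(sigma_rule(intel[0]))
    print("block:", blocklist(intel))
```

With these weights the C2 address ends up on top (score 90) because an internal host has already connected to it, ahead of the ransomware hash (80) that no endpoint has reported, while the freshly registered phishing domain (40) falls below the block threshold and stays a hunting lead rather than an automatic firewall rule. The weights are the part to argue about with your own team: the structure (enrich, correlate, score, map, emit rules and blocks) is what carries over to a real feed and a real SIEM.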
The ability to convert IOCs into actionable intelligence is critical for modern cybersecurity operations. By implementing structured processes for IOC collection, contextual enhancement, correlation analysis and defensive operationalization, security teams can gain critical advantages in understanding adversary tactics, techniques and procedures (TTPs). This approach transforms isolated technical artifacts into a comprehensive understanding of adversary behavior and enables teams to move from reactive security postures to proactive threat hunting.
The most effective cybersecurity experts investigate threats at the source. Actionable intelligence requires interaction. For safe and compliant access, tradecraft practitioners at Fortune 500s rely on Silo: the digital investigations platform to protect their company and network from advanced threat actors.