Inside Zone: Indicator of Compromise (IoC)

An indicator of compromise (IoC) is evidence that points to a high probability of unauthorized access to a system, in other words that the system has been compromised. Such indicators serve two purposes: detecting malicious activity early and blocking threats that are already known.

Examples of compromise indicators

A compromise may be indicated by the following:

  • Unusual DNS lookups,
  • Suspicious files, applications, and processes,
  • IP addresses and domains belonging to botnets or malware C&C servers,
  • An unusually large number of accesses to a single file,
  • Suspicious activity on administrator or privileged user accounts,
  • An unexpected software update,
  • Data transfer over rarely used ports,
  • Website activity that does not look like human behavior,
  • An attack signature or the file hash of a known piece of malware,
  • HTML responses of unusual size,
  • Unauthorized modification of configuration files, the registry, or device settings,
  • A large number of unsuccessful login attempts.

Utilizing indicators of compromise to identify and prevent compromises

Threat analysis identifies the IoCs for a specific threat, that is, which observable artifacts to associate with it. Threat intelligence, for instance, may report IoCs such as file hashes and C&C addresses when new malware is detected.

A company's infrastructure is then monitored for these indicators of compromise. If an IoC is detected on a system, that system is likely under attack, and countermeasures are required.

These indicators are also added to databases of passive monitoring tools and antivirus software, which can block intrusion attempts.

Using malware signatures, a security solution can detect and prevent malware from running on a device.
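To make the monitoring step concrete, here is an added example (not part of the original article) that matches a small IoC set against constructed log lines: a C&C domain seen in DNS queries, a C&C IP address in firewall logs, a malware file hash from an antivirus log, and a burst of failed logins from one source. Every IoC value, log line and threshold below is constructed for illustration, not taken from any real threat report.

```python
"""Added example: match a constructed IoC set against constructed log lines."""
import re
from collections import Counter

# Constructed IoC set, the kind of values a threat intelligence feed provides.
IOC_HASHES = {"0123456789abcdef0123456789abcdef"}   # placeholder, not a real hash
IOC_DOMAINS = {"update-check.example.net"}          # constructed C&C domain
IOC_IPS = {"203.0.113.45"}                          # documentation-range address
FAILED_LOGIN_THRESHOLD = 3                          # constructed, per source

# Constructed sample log lines in a "source key=value ..." format.
SAMPLE_LOGS = """\
dns client=10.0.0.12 query=update-check.example.net
dns client=10.0.0.12 query=www.example.com
fw src=10.0.0.12 dst=203.0.113.45 dport=8443 action=allow
av host=ws-12 file=update.exe md5=0123456789abcdef0123456789abcdef
auth src=198.51.100.7 user=admin result=fail
auth src=198.51.100.7 user=admin result=fail
auth src=198.51.100.7 user=admin result=fail
auth src=10.0.0.5 user=bob result=fail
""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split a log line into its source name and a dict of key=value fields."""
    source, _, rest = line.partition(" ")
    return source, dict(KV.findall(rest))

def match_iocs(lines):
    """Return (line, reason) pairs for every line that hits a known IoC,
    plus one hit when a single source reaches the failed-login threshold."""
    hits = []
    failed = Counter()
    for line in lines:
        source, f = parse(line)
        if source == "dns" and f.get("query") in IOC_DOMAINS:
            hits.append((line, "known C&C domain"))
        elif source == "fw" and f.get("dst") in IOC_IPS:
            hits.append((line, "known C&C address"))
        elif source == "av" and f.get("md5") in IOC_HASHES:
            hits.append((line, "known malware hash"))
        elif source == "auth" and f.get("result") == "fail":
            failed[f["src"]] += 1
            if failed[f["src"]] == FAILED_LOGIN_THRESHOLD:
                hits.append((line, "failed-login burst from " + f["src"]))
    return hits

if __name__ == "__main__":
    for line, reason in match_iocs(SAMPLE_LOGS):
        print(f"{reason}: {line}")
```

Exact-match lists like this catch only indicators that are already known, which is why the behavioral indicators in the list above (unusual ports, atypical website activity) still need their own detection logic.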

Thanks for reading!