Indicators of Compromise (IoC)

(OBJ 2.4)

Indicators of Compromise (IoC)

• Pieces of forensic data that identify potentially malicious activity on a network or system
• Serves as digital evidence that a security breach has occurred
• Note: Not all signs of compromise guarantee an actual breach

IoC includes the following

• Account Lockouts

  • Occurs when an account is locked due to multiple failed login attempts
  • Indicates a potential brute force attack to gain access
  • The account lockout policies differ across systems
    • Some may lock after failed attempts
    • Other may increase the delay between login attempts to slow down the attacker
  • The account lockout duration depends on a system
    • Some systems may implement a temporary lockout where the account is automatically unlocked after a certain period of time
    • Other may require manual intervention by an administrator ro unlock the account to ensure that the suspicious activity is investigated prior to the unlock.
  • Balancing security with usability is crucial when implementing account lockout

• Concurrent Session Usage

  • Refers to multiple active sessions from a single user account
  • Indicates a possible account compromise when the legitimate user is also logged in
  • Example:
    • If an employee is logged into their account from their office computer, but another session from a different location is active at the same time it's a strong indication of a security breach.
    • It could have been a false positive since an employee could be logged in from different devices.
    • But be cautious when sessions are from far away places (other countries/continets)
      • Good sing of compromise

• Blocked Content

  • Involves attempts to access or download content blocked by security protocols
  • Suggests a user trying to access malicious content or an attacker attempting to steal data

• Impossible Travel

  • Detects logins from geographically distant locations within an unreasonably short timeframe
  • Indicates a likely account compromise as physical travel between these locations is impossible
  • "A single user cannot travel from New York to London in less than 5 hours, even if taking a plane"
  • Often you will see impossible travel and concurrent sessions usage grouped together since they often but not always occur simultanously.

• Resource Consumption

  • Unusual spikes in resource utilization
    • CPU
    • Memory
    • Network bandwidth
  • May indicate malware infections or Distributed Denial of Service (DDoS Attacks)
  • Example:
    • If a server that typically uses 20% of a CPU capacity and then suddenly humps to 90%, it could be a good sign that the server is under attack or has been compromised.
    • Browsing the web and your GPU is above 40%, maybe your machine is a zombie.

• Resource Inaccessibility

  • Inability to access resources like files, databases, or network services
  • Suggests a ransomware attack, where files are encrypted, and a ransom is demanded
  • Example:
    • If a user suddenly cannot access these files and receives a ransom note, this is an obvious and clear sign that they're a victim of a ransomware attack.

• Out-of-Cycle Logging

  • Log entries occurring at unusual times
    • Late nights or weekends when no one is expected to be working
  • Indicates an attacker trying to hide their activities during off-peak hours
  • Example:
    • Log showing activity at 3:00 AM

• Missing Logs

  • Sign that logs have been deleted to hide attacker activities
    • Attackers delete logs to cover their tracks and hinder investigation
  • May result in gaps in the log data, making it harder to trace the attacker's actions

• Published Articles or Documents

  • Attackers publicly disclose their actions, boasting about their skills or causing reputational damage
  • Can occur on social media, hacker forums, newspaper articles, or the victim's own website
  • Example:
    • A company's website is defaced with the message claiming that the Hacktivism group was responsible for the attack, this is obviously a clear sign that your website has been compromised.