Utilising Indicators of Compromise to Battle Cyber Criminals
Every successful incursion into a network will leave behind some form of trail that allows cyber admin teams to understand the nature of the attack and helps them recognise similar attacks going forward. The story of the breach will be told through the medium of network log files. Each compromised device will automatically record what has happened as the intruder leaps from one device to another across the network.
Cyber experts understand that log files can be invaluable when trying to piece together the what, where, how and when of a successful breach. To obtain the most value from log file data, and to identify any Indicators of Compromise, admin teams will benefit from using the GuardYoo Compromise Assessment platform to improve security.
What are Indicators of Compromise?
Indicators of compromise assist cyber security experts and IT administrators in detecting network attacks, malware breaches, or other malicious activity. By searching for indicators of compromise, companies can identify breaches early and begin corrective action to prevent these breaches from achieving their end goal.
IOCs can be described as anomalies within the network that help cyber teams identify malicious activity early, before real damage is done. These irregular activities indicate a possible or in-progress breach that could progress to sensitive data loss or network compromise.
IOCs are difficult to detect; they can be in the form of basic metadata elements or sophisticated malicious code. The GuardYoo AI engine uses context to analyse previously undetected IOCs and looks for correlations to identify potential threats or incidents.
Indicators of Compromise vs Indicators of Attack
Indicators of Attack focus on identifying attacker activity while an attack is in progress, whilst Indicators of Compromise (identified as a result of carrying out a Compromise Assessment) focus on the question “What happened?” after a successful breach has occurred.
A proactive approach to detection uses both IOAs and IOCs to discover security incidents or threats in as close to real time as possible. However, IOAs often rely on identifying known attack techniques and known malware signatures, whilst Compromise Assessment audits can also help identify new attack strategies.
Examples of Indicators of Compromise
There are multiple examples of Indicators of Compromise that companies should look out for.
15 key indicators of compromise are as follows:
• Unusual Outbound Network Traffic
• Anomalies in Privileged User Account Activity
• Geographical Irregularities
• Log-In Red Flags
• Increases in Database Read Volume
• HTML Response Sizes
• Large Numbers of Requests for the Same File
• Mismatched Port-Application Traffic
• Suspicious Registry or System File Changes
• Unusual DNS Requests
• Unexpected Patching of Systems
• Mobile Device Profile Changes
• Bundles of Data in the Wrong Place
• Web Traffic with Unhuman Behavior
• Signs of DDoS Activity
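To make four of the indicators above concrete (Geographical Irregularities, Log-In Red Flags, Unusual Outbound Network Traffic and Unusual DNS Requests), here is an added Python example that is not part of the article and not GuardYoo's code. The "timestamp kind key=value" log format, the sample log lines, the baseline countries and every threshold are constructed for illustration and would be tuned to a real environment.

```python
import math
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (auth, proxy and DNS events); not taken from the article.
SAMPLE_LOGS = """\
2024-03-04T02:11:05 auth user=jsmith src=203.0.113.9 geo=RU result=FAIL
2024-03-04T02:11:09 auth user=jsmith src=203.0.113.9 geo=RU result=FAIL
2024-03-04T02:11:14 auth user=jsmith src=203.0.113.9 geo=RU result=FAIL
2024-03-04T02:11:20 auth user=jsmith src=203.0.113.9 geo=RU result=OK
2024-03-04T09:02:00 auth user=akhan src=198.51.100.4 geo=IE result=OK
2024-03-04T02:15:41 proxy user=jsmith dst=198.51.100.77 bytes_out=734003200
2024-03-04T09:10:12 proxy user=akhan dst=198.51.100.10 bytes_out=20480
2024-03-04T02:16:03 dns user=jsmith qname=x9k2q7b3z1m5.l0p4w8.example-cdn.net
2024-03-04T09:11:00 dns user=akhan qname=www.example.com
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<rest>.*)$")

def parse(line):
    # One "timestamp kind k=v k=v ..." line -> dict, or None if the line is malformed.
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m["ts"]), "kind": m["kind"]}
    event.update(kv.split("=", 1) for kv in m["rest"].split())
    return event

def shannon_entropy(s):
    # Bits per character: random-looking DNS labels score high, dictionary words low.
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def find_iocs(log_text, baseline_geo=frozenset({"IE", "GB"}), egress_limit=100_000_000):
    # Returns sorted, de-duplicated (indicator, user, detail) tuples; thresholds are illustrative.
    findings, failures = set(), Counter()
    for e in sorted(filter(None, map(parse, log_text.splitlines())), key=lambda ev: ev["ts"]):
        if e["kind"] == "auth":
            if e["geo"] not in baseline_geo:  # Geographical Irregularities
                findings.add(("geo_irregularity", e["user"], e["geo"]))
            if e["result"] == "FAIL":
                failures[e["user"]] += 1
                continue
            if failures.pop(e["user"], 0) >= 3:  # Log-In Red Flags: success right after a failure burst
                findings.add(("login_red_flag", e["user"], "success after repeated failures"))
        elif e["kind"] == "proxy" and int(e["bytes_out"]) > egress_limit:  # Unusual Outbound Traffic
            findings.add(("unusual_outbound", e["user"], e["dst"]))
        elif e["kind"] == "dns":  # Unusual DNS Requests: long, high-entropy labels
            if any(len(lab) >= 12 and shannon_entropy(lab) > 3.0 for lab in e["qname"].split(".")):
                findings.add(("unusual_dns", e["user"], e["qname"]))
    return sorted(findings)
```

Run on the sample, only the jsmith activity produces findings; the akhan lines show that ordinary daytime logins, small uploads and plain hostnames stay quiet.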
Using Indicators of Compromise to Improve Detection and Resolution
Searching for Indicators of Compromise allows companies to better detect and resolve cyber security incidents.
Using a platform like GuardYoo to gather and correlate IOCs means companies can quickly be alerted to cyber incidents that may previously have gone undetected by other cyber security solutions. GuardYoo also provides the resources needed to perform detailed forensic analysis of incidents.
If cyber security teams notice a recurrence or pattern of specific IOCs, they can update their other security tools and policies to protect against future attacks using similar techniques.
GuardYoo - A Global Repository for IOCs
There is a call for companies to report their analysis results in a consistent, well-structured manner to help other companies and cyber professionals automate the processes used in detecting, preventing, and reporting security incidents.
Industry leaders suggest recording IOCs and threats to help companies and individuals share information across the IT community as well as improve incident response and network forensics.
The GuardYoo platform can be used to record and consistently describe the results of data log analysis. This sanitised information can be shared across the cyber community to assist professionals in their fight against cyber criminals.
Indicators of compromise are a vital element in the war against malware and cyber attacks. Whilst they are reactive in nature, companies that use the GuardYoo platform to actively search for IOCs, and are knowledgeable regarding the latest IOC discoveries, can improve detection rates and response times significantly.
At GuardYoo we have been delivering automated Compromise Assessments as a service for many years, and via our SaaS platform we can provide a detailed cyber audit that, whilst easy to consume, contains valuable information concerning an organisation's true cyber posture.
Our Compromise Assessment audits will ensure that both the board and its management team have all the information needed to highlight current vulnerabilities and the risks associated with them.
For further information contact us at: info@GuardYoo.com