Evidence that a system or an application has suffered a cyberattack is called an Indicator of Compromise (IOC). When an organisation’s system security has been breached, traces of the attack, such as evidence of unauthorised access, may linger. The organisation’s security teams may find these traces during a forensic investigation.
IOCs help organisations identify an existing breach and build resilience against IOCs from other cyber attacks. Depending on the nature of the cyberattack, an IOC can be as simple as an unauthorised IP address that has gained access to a system, found in a log file. However, in the case of advanced malware or viruses, for example, originating from an Advanced Persistent Threat (APT), an IOC might be the malware fingerprint. Many modern anti-malware and anti-virus software offers an IOC identification in the organisation’s network and include a database of known and shared IOCs.
It is standard practice in the industry to disclose and share IOCs. However, this is not done consistently across the industry. Frameworks such as STIX and TAXII define standards for documentation. The benefit of consistent reporting is in its reuse by other organisations to include in their monitoring systems. By detecting and responding to IOCs in real-time, organisations can build resilience against new malware or security vulnerabilities.
Indicators of compromise may include:
- Sudden spikes in network traffic
- Unauthorised access to systems, particularly from privileged accounts
- Virus and malware signatures
- Suspicious geographical origin of traffic
- Suspicious and unattributed files, such as applications or processes, in the organisation’s systems
Read an example of IOCs in a report from Sygnia’s Incident Response (IR) team which methodically tracked the Elephant Beetle threat group, an organised, significant financial-theft operation threatening global enterprises.