An indicator of compromise (IOC) is a piece of evidence that suggests a network or device has been breached or accessed without authorization.
Here’s a quick look at these valuable cyberattack clues and how they’re used to make systems safer.
Everything You Need to Know About IOCs
What Is an IOC?
Just as real-world criminals leave behind traces of their activity — fingerprints, stray hairs, bits of thread from clothing, distinctive tread marks from shoes — so too do cybercriminals. These digital tidbits are called indicators of compromise (IOCs).
Though these minuscule clues take the form of data in system logs rather than physical matter at a crime scene, they’re still considered forensic evidence. And they’re among the most valuable components of any cybersecurity investigation.
What Are the Most Common Types of IOCs?
Unusual Network Traffic
When network traffic deviates from typical patterns unexpectedly, it’s a good sign that something’s amiss.
A cyberattack may cause spikes in inbound traffic from strange sources as the attacker enters the system. Likewise, an increase in outbound traffic to unknown servers suggests that an attacker is transferring stolen data out of the system.
Stay One Step Ahead of Cyber Threats
Unusual Privileged Account Activity
Administrators and other privileged users have access to sensitive data, critical system functions, and other restricted areas that attackers often target.
These users’ activity is thus subject to high scrutiny, and any anomalous events — unexpected requests for additional privileges, sudden activity spikes at odd times — serve as IOCs.
Unexpected System/Application Changes or Processes
Attackers often plant malware on their victims’ systems to make their jobs easier. This malware may be designed to automatically change system settings, alter registry keys, tamper with DNS configurations, or otherwise modify important OS or application files.
Alternatively, attackers may modify system settings manually. Either way, unusual changes to the system or its applications are common IOCs.
Anomalous Port Traffic
Applications and devices on a system use various ports to communicate with one another, and those communications follow predictable patterns.
But attackers often exploit little-used or unused ports to carry out their attacks. Any traffic passing through an obscure port — or odd changes to traffic in regularly-used ports — indicates that the system has been compromised.
Increased Database Activity
Attackers don’t always know the exact structure of the database they’re breaching, so they may spend an unusually long time digging through the database to locate their targeted data.
And to make their efforts worth it, they often exfiltrate it en masse once they do find it, causing an unusual increase in database read volumes.
Suspicious Logins or Access Attempts
Legitimate users usually log in successfully within a few attempts — or if they don’t, they take action to reset their passwords.
But an attacker trying to breach a system may use brute force to break in, making thousands of login attempts in a row. They may attempt to log in as an existing user, or they may test out different usernames and emails until they find a real account to compromise.
Most cyberattacks are carried out remotely, often from countries that the victims have no association with. Thus, sudden traffic to or from a country that an organization doesn’t do business in or with can serve as an IOC.
How Are IOCs Identified and Used?
The majority of IOCs appear in network and system logs, which record everything that happens on a system: every bit of traffic, every login attempt, and every setting change. Their comprehensive nature is what makes IOCs possible, but it also makes said IOCs difficult to spot in between the millions of lines of legitimate activity.
So cybersecurity analysts and other incident responders make use of AI and other advanced software to comb through the logs, identify typical usage patterns, and single out any anomalous entries as IOCS.
Once the IOCs are identified, analysts can piece them together into a timeline of the attack, mapping out the attacker’s actions to identify the weak points that were exploited — and the specific damages that were caused.
Depending on the exact IOCs in play, analysts may even be able to trace the attack back to its origin using IP addresses or other clues. And any vulnerabilities the attackers used to breach the system can be prioritized for patching in order to prevent future attacks.
Key IOC Takeaways
- An indicator of compromise, or IOC, is a piece of digital forensic evidence used to investigate cyberattacks.
- Most IOCs take the form of network or system log entries left behind by attackers, such as unusual login attempts, high volumes of traffic to/from unknown IP addresses, and unexpected system modifications.
- IOCs are used by cybersecurity professionals to understand the timelines and mechanisms of cyberattacks, and to identify vulnerabilities in the system that can be fixed to prevent further attacks.
History of IOCs
The concept of IOCs — digital clues left behind by hackers — has existed since the dawn of cybersecurity. And the term “indicator” has been used in a military context for decades, referring to a sign that enemy units are about to shift or take action.
But the term “indicator of compromise” first appeared in the 2003 book Incident Response & Computer Forensics, 2nd Edition. There, it was used in a more informal sense rather than as a reference to the independent concept of IOCs.
That formal usage wasn’t established until 2010, when cybersecurity company Mandiant gave the term its modern, widely-accepted definition in its annual M-Trends report. Today, IOCs are a critical concept in cybersecurity, and the industry is moving towards adopting a universal standardized classification and description system for them.
The infamous WannaCry ransomware first appeared in 2017 and quickly racked up billions of dollars in damages across 150 countries.
But investigators were able to prevent future attacks by identifying many IOCs, including the exact commands used by the attackers, several associated IP addresses, and dozens of MD5 and SHA-256 hashes.
LockBit 2.0 IOCs
The LockBit 2.0 ransomware caused a panic as it spread in 2021, but a few key IOCs were identified that helped to slow its spread.
One of the most notable was a language check run by the malware, as it was programmed not to infect those using Eastern European languages. Other IOCs included a litany of registry key creations and group policy updates to disable Windows Defender.
Unified Indicators of Compromise (IoC) (Video)
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renown computer security professional