An Indicator of Compromise (IoC) is a characteristic or piece of data that indicates that a computer system or network has been compromised. Examples are unusual network activity, specific files, entries in log files, or started processes. Indicators of compromise can be put into a structured form and evaluated automatically.
What is an Indicator of Compromise?
These are characteristics that can be used to identify the compromise of a computer system or a network. Characteristics can be, for example, entries in log files, unusual network traffic, specific files, individual processes, registry entries, or activities under a user ID.
In the case of a file as IoC, attributes such as file name, file size, hash value, or creation date can be used as identifiers. IoC can be put into a structured format that allows automated evaluation by protection systems such as intrusion detection systems (IDS). These systems help to detect threats to the infrastructure and subsequently defend against or eliminate them while they are still in their early stages.
Typical Indicators of Compromise
Indicators of Compromise can be divided into several areas. These areas are:
- User management
In these areas, certain information or data indicates a compromise. In the network area, these include traffic between certain IP addresses or ports, unusually high traffic, unusual DNS requests, unusual HTML requests or HTML response sizes, unusual browsing behavior, and others.
Typical indicators from the other areas are unusual activities of an administrator account, a high number of login attempts, entries or warnings in a log file, an unusually high number of accesses to a certain file, file attributes such as file name, file size, hash value or creation date, suspicious registry entries, unusual software updates, changes to system files, unknown running processes, or high resource usage.
Differentiation between Indicator of Compromise and Indicator of Attack
In addition to the term Indicator of Compromise, there is also the term Indicator of Attack (IoA). IoC and IoA can be distinguished relatively clearly from each other. While IoC can be used to detect a system that has already been compromised, Indicator of Attack can be used to detect an immediate attack that is currently taking place. This means that the attack can be averted before the system is actually compromised.
Automated use of IoC
Several initiatives exist to capture and present IoCs in a standardized, structured form. The goal is to use the information for automated detection of suspicious activity. Formats that can be used to represent the information include OpenIOC and STIX (Structured Threat Information eXpression).
Systems such as scanners, firewalls, or intrusion detection and prevention systems that understand these formats can read the information and perform automated detection. TAXII (Trusted Automated eXchange of Indicator Information) provides standardized mechanisms for transporting, distributing, and exchanging indicator data and uses the STIX format. The standard enables organizations to easily share threat information and strengthens cyber defenses.
In addition to numerous commercial solutions, open source software exists that automatically searches for Indicators of Compromise. This includes, for example, the freely available forensics software Loki. It can be used on client systems, network drives, web servers, or domain controllers and scans the systems for indicators of compromise. The software uses a signature database and YARA rules, which it applies to files and processes.
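The following added example (not part of the original article and not code from any of the tools named here) shows automated evaluation of file IoCs in a structured form: it parses a small subset of STIX 2.1 patterns, namely equality tests on file name, file size and SHA-256 hash, and scans a directory with them. The indicator objects are reduced to the fields the code reads, and the sample bytes, file names and indicator ids are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample data: payload bytes, file names and indicator ids are made up.
SAMPLE = b"constructed-sample-payload"
INDICATORS = [
    {"type": "indicator", "pattern_type": "stix", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": f"[file:hashes.'SHA-256' = '{hashlib.sha256(SAMPLE).hexdigest().upper()}']"},
    {"type": "indicator", "pattern_type": "stix", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": f"[file:name = 'update.tmp' AND file:size = {len(SAMPLE)}]"},
]

TERM = re.compile(r"file:(name|size|hashes\.'SHA-256')\s*=\s*(?:'([^']*)'|(\d+))")

def parse_pattern(pattern):
    """Parse the supported subset (one [ ... ] expression, '=' terms joined by AND)
    into {property: expected value}; anything else raises ValueError."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a single [ ... ] observation expression")
    terms = {}
    for part in re.split(r"\s+AND\s+", body[1:-1].strip()):
        m = TERM.fullmatch(part)
        if m is None:
            raise ValueError(f"unsupported comparison: {part!r}")  # fail closed, never skip
        value = m.group(2) if m.group(2) is not None else m.group(3)
        # Feeds publish hex digests in either case, so normalise before comparing.
        terms[m.group(1)] = value.lower() if "hashes" in m.group(1) else value
    return terms

def scan(root, indicators):
    """Return sorted (indicator id, relative path) for each file matching every term."""
    rules = [(i["id"], parse_pattern(i["pattern"])) for i in indicators
             if i.get("type") == "indicator" and i.get("pattern_type") == "stix"]
    hits = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        data = path.read_bytes()
        facts = {"name": path.name, "size": str(len(data)),
                 "hashes.'SHA-256'": hashlib.sha256(data).hexdigest()}
        hits += [(rid, path.relative_to(root).as_posix()) for rid, terms in rules
                 if all(facts[k] == v for k, v in terms.items())]
    return sorted(hits)

def demo():  # scans a constructed directory with the constructed indicators
    with tempfile.TemporaryDirectory() as root:
        Path(root, "renamed.bin").write_bytes(SAMPLE)             # matches by hash only
        Path(root, "update.tmp").write_bytes(b"x" * len(SAMPLE))  # matches by name and size
        Path(root, "notes.txt").write_bytes(b"benign")            # matches nothing
        return scan(root, INDICATORS)
```

The hash indicator still fires on the renamed file, while the name-and-size indicator fires on a file with different content, which illustrates why a hash value is the more reliable file attribute of the two.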