2

I'm struggling to understand what is an indicator of compromise.
I found different definitions on the web but I still don't know.

The definitions I found are:
1 - Something (file, network connection) that indicates a system has been compromised.
2 - Information about a compromise

schroeder
  • 123,438
  • 55
  • 284
  • 319
John kazaz
  • 21
  • 3
  • Those definitions are fine. What are you finding difficult to understand? – schroeder Jan 03 '18 at 19:11
  • For me the difference between the two are like the difference between a malware and a malware signature. One I would say is an object, the other is a description of the object. I would like to know which of the two definitions is the correct definition of an IOC – John kazaz Jan 03 '18 at 19:27

1 Answer

2

Short version: IOCs are basically any piece of data that can be considered unusual on a system or network and that could serve as a fingerprint of an attack or maybe an infection.

Example: One of the ways malware writers establish persistence within an infected host is through registry changes.

Imagine that malware.exe ALWAYS creates a folder at C:\Tmp\WindowsAdmin666; so, if you have that folder, it could mean that you're infected. This is an IOC (Suspicious Registry or System File Changes).

Long version: As "Digital Guardian" says, Indicators of compromise (IOCs) are “pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.”

Indicators of compromise aid information security and IT professionals in detecting data breaches, malware infections, or other threat activity. By monitoring for indicators of compromise, organizations can detect attacks and act quickly to prevent breaches from occurring or limit damages by stopping attacks in earlier stages.

Indicators of compromise act as breadcrumbs that lead infosec and IT pros to detect malicious activity early in the attack sequence. These unusual activities are the red flags that indicate a potential or in-progress attack that could lead to a data breach or systems compromise. But, IOCs are not always easy to detect; they can be as simple as metadata elements or incredibly complex malicious code and content samples. Analysts often identify various IOCs to look for correlation and piece them together to analyze a potential threat or incident.

Examples of IOC include unusual network traffic, unusual privileged user account activity, login anomalies, increases in database read volume, suspicious registry or system file changes, unusual DNS requests and Web traffic showing non-human behavior. These and other unusual activities allow security teams monitoring the systems and networks to spot malicious actors earlier in the intrusion detection process.

If the theory was confusing, a good example might help in understanding IOCs. This document is from SANS: Using IOC (Indicators of Compromise) in Malware

Hope this helps.

galoget
  • 1,414
  • 1
  • 9
  • 15
  • So if I understand correctly an indicator can be: A - a file created by a malware. B - a registry key created by a malware. C - Some network connection to a malicious server; – John kazaz Jan 03 '18 at 19:22
  • All those options are IOCs, but there are more types of IOC; you can check them in the link provided under [(Suspicious Registry Or System File Changes)](https://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise/d/d-id/1140647?), good luck! – galoget Jan 03 '18 at 19:48
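The distinction the question is circling (the malicious object versus the description of it) is easiest to see in code: the indicator list below is the description side, and the telemetry events are the artifacts it gets matched against. This is an added example, not code from the answer or from any referenced vendor. The folder C:\Tmp\WindowsAdmin666 is the answer's own illustration; every other indicator value, the Run key, the domain `c2.invalid`, the all-zero hash, and all telemetry events are constructed placeholders. It also carries the "correlation" point from the long version by counting distinct indicator kinds per host.

```python
"""Minimal IOC matcher: indicator definitions (the descriptions) on one
side, host and network telemetry (the observed artifacts) on the other.
Added example; all indicator values and events below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IOC:
    kind: str   # one of: file_path, registry_key, domain, sha256
    value: str  # the indicator itself, i.e. a description of an artifact
    name: str   # human-readable label used in alerts


# Constructed indicator list. Only the folder comes from the answer; the
# registry key, domain and hash are placeholders, not real indicators.
IOCS = [
    IOC("file_path", r"C:\Tmp\WindowsAdmin666", "persistence folder (answer's example)"),
    IOC("registry_key",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsAdmin666",
        "Run-key persistence (constructed)"),
    IOC("domain", "c2.invalid", "beacon domain (constructed placeholder)"),
    IOC("sha256", "0" * 64, "dropper hash (constructed placeholder)"),
]

# Constructed telemetry, shaped like what an EDR or DNS log would emit.
EVENTS = [
    {"type": "file_create", "host": "ws01", "path": r"c:\tmp\windowsadmin666\svc.dll"},
    {"type": "dns_query", "host": "ws01", "qname": "update.c2.invalid."},
    {"type": "registry_set", "host": "ws02",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsAdmin666",
     "data": r"C:\Tmp\WindowsAdmin666\svc.dll"},
    {"type": "file_create", "host": "ws03", "path": r"C:\Users\alice\Documents\report.docx"},
    {"type": "dns_query", "host": "ws03", "qname": "www.example.com."},
    {"type": "process_start", "host": "ws02",
     "image": r"C:\Windows\System32\svchost.exe", "sha256": "0" * 64},
]


def _norm_path(p):
    """Windows paths and registry keys are case-insensitive; normalise
    separators and case so a match does not depend on how the log spelled it."""
    return p.replace("/", "\\").rstrip("\\").lower()


def _domain_matches(ioc_domain, qname):
    """Match the indicator domain itself and any subdomain of it."""
    q = qname.rstrip(".").lower()
    d = ioc_domain.lower()
    return q == d or q.endswith("." + d)


def match_event(event, iocs=IOCS):
    """Return the IOCs that this single telemetry event satisfies."""
    hits = []
    for ioc in iocs:
        if ioc.kind == "file_path" and "path" in event:
            p, i = _norm_path(event["path"]), _norm_path(ioc.value)
            if p == i or p.startswith(i + "\\"):  # the folder or anything inside it
                hits.append(ioc)
        elif ioc.kind == "registry_key" and "key" in event:
            if _norm_path(event["key"]) == _norm_path(ioc.value):
                hits.append(ioc)
        elif ioc.kind == "domain" and "qname" in event:
            if _domain_matches(ioc.value, event["qname"]):
                hits.append(ioc)
        elif ioc.kind == "sha256" and "sha256" in event:
            if event["sha256"].lower() == ioc.value.lower():
                hits.append(ioc)
    return hits


def scan(events=EVENTS, iocs=IOCS):
    """Run every event past every indicator; each hit becomes an alert that
    carries the matched event as evidence."""
    alerts = []
    for ev in events:
        for ioc in match_event(ev, iocs):
            alerts.append({"host": ev["host"], "kind": ioc.kind,
                           "indicator": ioc.name, "evidence": ev})
    return alerts


def correlate(alerts):
    """Number of distinct indicator kinds seen per host. A single hit may be
    noise; several kinds on one host is the pattern analysts piece together."""
    kinds = defaultdict(set)
    for a in alerts:
        kinds[a["host"]].add(a["kind"])
    return {host: len(k) for host, k in kinds.items()}


if __name__ == "__main__":
    found = scan()
    for a in found:
        print(f"{a['host']}: {a['indicator']} <- {a['evidence']['type']}")
    print("distinct indicator kinds per host:", correlate(found))
```

Running it flags `ws01` (folder plus beacon domain) and `ws02` (Run key plus hash) while `ws03` stays clean; in the asker's terms, each entry in `IOCS` is the signature, and the event stored under `evidence` is the object it described.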