You hear it on a daily basis: indicator of compromise. Yet a lot of people do not actually know what an indicator of compromise is, what it entails, and what action is expected after one has been observed.
To make it even worse, there are people who blindly trust threat levels alone.
Well, in this post we are going to take a close look at what an indicator of compromise exactly is.
We can group indicators of compromise into multiple categories, let’s start with the basics:
- Unusual Outbound Network Traffic
- Unusual DNS Requests
- Unexpected Patching of Systems
- Mobile Device Profile Changes
- Bundles of Data in the Wrong Place
- Web Traffic with Unhuman Behavior
- Signs of DDoS Activity
- Anomalies in Privileged User Account Activity
- Geographical Irregularities
- Multiple Failed Log-ins
- Increases in Database Read Volume
- HTML Response Sizes
- Large Numbers of Requests for the Same File
- Mismatched Port-Application Traffic
- Suspicious Registry or System File Changes
But again, this does not explain what an indicator of compromise in IT security is. Well, here it comes.
An indicator of compromise in IT security means:
That in the environment being monitored an event has taken place which has triggered one of the alerts that were set up to inform the person monitoring the environment that something needs attention.
Did you notice that I ended my last sentence with the word attention? This does not mean action. Attention means that the event should be viewed, that it should be held against a framework of actions, and that the experience of the analyst should be taken into consideration when deciding whether action should be taken or not.
The decision can be to take action, or to take no action.
How to use indicators of compromise
Indicators of compromise are alerts that you have set up – or which a dedicated security provider has set up for you. Once an indicator of compromise triggers, it should be watched and taken into consideration. Do not focus only on threat-level alerts and high alerts: cybercriminals know how to trick security solutions, and in advanced threats the attacker might even buy the security solution in order to learn how to traverse the network / environment as silently as possible (triggering only low-level alerts).
Use them as a guideline for protecting your environment. Do take each event seriously. We are talking security here.
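As an added example (not code from the original post), the following triage routine applies the point above: high alerts are raised, but repeated or co-occurring low-level indicators on the same host are raised for attention as well, rather than being filtered out. The event format, hostnames and thresholds are constructed assumptions for illustration.

```python
"""Minimal IoC triage: correlate low-severity indicators per host instead
of surfacing only high-severity alerts. Everything here (event tuples,
hostnames, thresholds) is constructed for illustration."""
from collections import Counter, defaultdict

# Constructed sample events: (host, indicator category, severity)
SAMPLE_EVENTS = [
    ("ws-17", "failed_login", "low"),
    ("ws-17", "failed_login", "low"),
    ("ws-17", "failed_login", "low"),
    ("ws-17", "failed_login", "low"),
    ("ws-17", "failed_login", "low"),
    ("ws-17", "unusual_dns_request", "low"),
    ("ws-17", "outbound_traffic_anomaly", "low"),
    ("db-02", "database_read_spike", "high"),
    ("ws-03", "failed_login", "low"),
]

# Constructed thresholds: when "multiple failed log-ins" and "several
# distinct low-level indicators" become worth an analyst's attention.
FAILED_LOGIN_THRESHOLD = 5
DISTINCT_LOW_THRESHOLD = 3


def triage(events):
    """Return {host: [reasons]} for hosts that need attention.

    A high alert is always reported. Low alerts are reported when the same
    indicator repeats past its threshold, or when several different
    low-level indicators co-occur on one host (the quiet-attacker case).
    The output flags attention only; whether to act is the analyst's call.
    """
    by_host = defaultdict(list)
    for host, category, severity in events:
        by_host[host].append((category, severity))

    findings = {}
    for host, items in by_host.items():
        counts = Counter(cat for cat, _ in items)
        low_categories = {cat for cat, sev in items if sev == "low"}
        reasons = []
        if any(sev == "high" for _, sev in items):
            reasons.append("high severity alert")
        if counts["failed_login"] >= FAILED_LOGIN_THRESHOLD:
            reasons.append("repeated failed log-ins")
        if len(low_categories) >= DISTINCT_LOW_THRESHOLD:
            reasons.append("several distinct low-level indicators")
        if reasons:
            findings[host] = reasons
    return findings
```

Run against SAMPLE_EVENTS, ws-17 is flagged on low-level indicators alone, db-02 on its single high alert, and ws-03 (one failed log-in) is not flagged.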