7 Indicators of Compromise: The Essential List for Breach Detection
Indicators of compromise are the red flags of the information security world. These helpful warnings allow trained professionals to recognize when a system may be under attack or if the attack has already taken place, providing a way to respond to protect information from extraction.
There are many indicators of compromise, depending on the type of threat. These indicators of compromise act as signposts to help cybersecurity professionals implement a business continuity plan, patch a vulnerability, or find an insider threat. Here’s what you need to know about indicators of compromise, a list of the most common indicators, and how to recognize these essential warning signs.
What is an indicator of compromise?
Indicators of compromise (IOCs) serve as forensic evidence of potential intrusions on a host system or network. An indicator of compromise offers a clue to help an information security professional find malicious activity: data breaches, malware, or even an insider threat.
“Malware and other cyber attacks leave traces, like clues, in the system or log files,” said Chris Martinez, Nightfall expert. “These indicators of compromise provide key warning signs that all is not right and that potentially malicious activity is taking place, helping IT experts find and stop the problem before it becomes worse.”
The downside to indicators of compromise is that they are reactive, meaning if an administrator has identified an IOC, the system has already been attacked. Nevertheless, the more quickly an IOC is found, the more responsive an organization can be to patch a security vulnerability and perform triage as needed.
Indicators of compromise can be discovered manually and through automated tools like Nightfall. The ability to recognize an IOC is crucial for organizations that collect and work with sensitive user data.
The big Indicators of Compromise list
Indicators of compromise vary based on the type of malicious attack. Some indicators can seem relatively minor, such as unusual account behavior. Even minor events that seem out of the ordinary are worth investigating. Here are some common indicators of compromise that may indicate you have had a breach.
- Unusual outbound traffic
Organizations may already be monitoring inbound traffic, but outbound traffic is a good place to check to see if an attack is in progress. Unusual outbound traffic could indicate that a hacker is attempting to extract data or that the system is relaying information to a command-and-control server. Watch for large files moving at a faster-than-usual rate from your system, or outbound traffic happening outside normal business hours.
- Unexpected geographical locations
Monitor the IP addresses on your network to make sure you know who is using your network. For instance, if your business operation is based in Austin, Texas, it should raise red flags to see a user connecting from Toronto, Canada. Keep an eye out for IP addresses from countries that may have a reputation for international attacks.
- Anomalies associated with privileged user accounts
Privileged user accounts are often the target of cyberattacks because criminals know they can get access to more information and advanced settings. Typically, to gain access to an advanced account, a hacker will start by compromising a user account with low privileges. The hacker will then escalate those privileges or use a separate form of attack to gain access to a user with even more permissions. Watch for any unexplained user activity, such as a user that accesses a high volume of files or users that attempt to change their MFA permission settings.
- Higher database read volume
Sudden attention to data at rest can also be an indicator of compromise. If your organization stores the majority of its valuable information in databases, keep an eye on your access logs. High database read volumes can be a sign that attackers are attempting to infiltrate your data.
- Distributed Denial of Service (DDoS) attack indicators
A DDoS attack takes place when a hacker attempts to shut down a service by flooding it with traffic or requests from a botnet. Monitor for slow network traffic, poor system performance, or even complete service failure. Indicators of DDoS are unique in that they both indicate that your system has been compromised and tell you the type of attack — a small silver lining as you’re trying to combat the issue.
- Unauthorized settings changes
If you see system files being renamed, or unauthorized modification of configuration files, registry entries, or device settings, these are all indicators of compromise. Unexpected changes to device settings and unscheduled software updates are also indicators of compromise. These unauthorized settings changes could show you that an intruder has infiltrated your system and is attempting to remove or copy files without detection. Or, they could use settings changes to download a piece of spyware disguised as an app.
- Compressed or bundled files in unexplained locations
This IOC could point to an insider threat: a user or hacker has moved files into one location to make it easier to extract a large amount of information at once. If you see files that don’t belong together being moved into one location, or files that shouldn’t be stored in a particular location, move quickly to prevent someone from extracting valuable information.
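The indicators above are only useful if they are actually checked against telemetry. As an added example (it is not code from the original article, nor part of Nightfall's product), the following Python rule set evaluates four of the listed indicators over a handful of constructed log events: an off-hours bulk outbound transfer, a login from an unexpected country, a database read volume far above a user's baseline, and an MFA change on a privileged account. The event field names, the thresholds, the business-hours window, the expected-country set and the privileged-user set are all assumptions chosen for the example; a real deployment would pull them from its SIEM schema and its own baselines.

```python
"""Small IOC rule set run over constructed log events (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real telemetry. Field names are assumptions;
# a SIEM would normally supply equivalents.
SAMPLE_EVENTS = [
    {"type": "netflow", "ts": "2024-03-01T10:15:00", "user": "alice",
     "dst": "203.0.113.9", "bytes_out": 2_000_000},
    {"type": "netflow", "ts": "2024-03-01T03:10:00", "user": "alice",
     "dst": "198.51.100.7", "bytes_out": 900_000_000},     # off-hours bulk transfer
    {"type": "login", "ts": "2024-03-01T09:00:00", "user": "alice", "src_country": "US"},
    {"type": "login", "ts": "2024-03-01T09:05:00", "user": "bob", "src_country": "CA"},
    {"type": "db_read", "ts": "2024-03-01T14:00:00", "user": "svc_report", "rows": 500},
    {"type": "db_read", "ts": "2024-03-01T14:01:00", "user": "svc_report", "rows": 450},
    {"type": "db_read", "ts": "2024-03-01T23:30:00", "user": "svc_report", "rows": 250_000},
    {"type": "mfa_change", "ts": "2024-03-01T23:35:00", "user": "carol", "action": "disable"},
]

# Tuning knobs: all assumed values for the example, not recommended defaults.
EXPECTED_COUNTRIES = {"US"}
PRIVILEGED_USERS = {"carol"}
BUSINESS_HOURS = range(8, 19)            # 08:00-18:59 local time
OUTBOUND_BYTES_THRESHOLD = 100_000_000   # 100 MB in a single flow
DB_READ_SPIKE_FACTOR = 10                # flag reads >= 10x the user's median


def _hour(ev):
    return datetime.fromisoformat(ev["ts"]).hour


def unusual_outbound(events):
    """Large outbound flow that also happens outside business hours."""
    alerts = []
    for ev in events:
        if ev["type"] != "netflow":
            continue
        off_hours = _hour(ev) not in BUSINESS_HOURS
        if ev["bytes_out"] >= OUTBOUND_BYTES_THRESHOLD and off_hours:
            alerts.append(("unusual_outbound", ev["user"], ev["dst"]))
    return alerts


def unexpected_geo(events):
    """Login from a country outside the organisation's expected set."""
    return [("unexpected_geo", ev["user"], ev["src_country"])
            for ev in events
            if ev["type"] == "login" and ev["src_country"] not in EXPECTED_COUNTRIES]


def db_read_spike(events):
    """Database read whose row count is far above that user's median read size.

    The median is used as the baseline so that one huge read does not drag
    the baseline up and hide itself, which an average would do.
    """
    per_user = defaultdict(list)
    for ev in events:
        if ev["type"] == "db_read":
            per_user[ev["user"]].append(ev["rows"])
    alerts = []
    for ev in events:
        if ev["type"] != "db_read":
            continue
        rows = sorted(per_user[ev["user"]])
        median = rows[len(rows) // 2]    # upper median for even-length lists
        if ev["rows"] >= DB_READ_SPIKE_FACTOR * median:
            alerts.append(("db_read_spike", ev["user"], ev["rows"]))
    return alerts


def privileged_mfa_change(events):
    """Any MFA setting change on an account in the privileged set."""
    return [("privileged_mfa_change", ev["user"], ev["action"])
            for ev in events
            if ev["type"] == "mfa_change" and ev["user"] in PRIVILEGED_USERS]


def run_all(events):
    """Run every rule and return the combined alert list."""
    alerts = []
    for rule in (unusual_outbound, unexpected_geo, db_read_spike, privileged_mfa_change):
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Each rule returns tuples of (rule name, user, detail) so that alerts can be grouped per user; several low-severity hits on the same account within a short window are usually a stronger signal than any one of them alone, which is the point the article makes about "minor" indicators being worth investigating.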
How to recognize indicators of compromise
Clearly, some of these indicators are easier to spot than others: you’ll quickly become aware of a DDoS attack, but be less certain if an advanced user is changing permissions on purpose. Depending on the size of your organization, there are a lot of indicators and moving parts to keep an eye on at once.
A platform like Nightfall can help. Nightfall uses AI to scan structured and unstructured data to discover, classify, and protect sensitive information based on its surrounding context. Nightfall takes the burden off IT and security teams to constantly monitor and manually look for policy violations. Nightfall’s classification is automatic and highly accurate, eliminating the time spent monitoring for indicators of compromise and quickly alerting security teams to potential issues. IT teams can use Nightfall to create automatic workflows that take action on sensitive data proactively, reducing the time spent manually responding to alerts and reducing mean time to resolution.
Learn more about how Nightfall can keep your information secure by scheduling a demo at the link below.