What is an indicator of compromise (IOC)?
An indicator of compromise is a piece of digital forensic evidence, observed on a host or network, that indicates a likely intrusion. Typical IOCs include file hashes, IP addresses, domain names, registry keys, and log entries associated with attacker activity. This information helps security investigators identify malicious or suspicious activity, including active threats, data breaches, and malware. IOCs can be collected during routine security scans and log reviews, or manually when suspicious activity is reported.
Since IOC identification is primarily reactive, the discovery of an IOC typically means that an organization has already been compromised. However, detecting an IOC early helps an organization stop an in-progress attack sooner and reduce its impact. In addition, investigating IOCs reveals the weaknesses the attacker exploited, which can be fixed, and yields detection content (signatures, watchlists, alert rules) that improves future monitoring. By comparison, indicators of attack (IOA) describe attacker behavior rather than leftover artifacts, and are used to identify attacks while they are happening.
Cyberattacks are becoming more sophisticated, which makes IOCs harder to detect, so it is important to know what to look for.
Examples of IOCs
- Repeated failed log-in attempts from one source, or against many accounts, indicating a brute-force attack
- Abnormal network traffic patterns (machine-like timing, unusual volumes or protocols) or traffic to and from locations unrelated to the organization
- Unusual activity from administrator accounts, such as requests for permission changes or modifications to security settings
- Unexpected application or configuration changes on mobile devices
- Unexplained increases in database read volume, which can indicate data being staged for theft
- Many requests for the same file, especially from one source or outside normal usage patterns
- Large volumes of data found in unexpected locations, such as compressed archives staged in temporary directories
- Domain Name System (DNS) request oddities, such as very high query volumes or long, random-looking subdomains that can indicate DNS tunneling
- Unfamiliar applications or processes running in the network
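The following Python script is an added example (not code from the original article or from Blue Team Alpha) showing how two of the IOCs listed above can be spotted in log data: repeated failed log-ins from a single source, and DNS queries whose leftmost label is long and high-entropy, a common pattern in DNS tunneling and domain-generation algorithms. The log lines, host names, and IP addresses are constructed for the example; the thresholds (5 failures, a 20-character label, 3.5 bits of entropy) are illustrative starting points, not recommended values.

```python
"""Flag two common IOCs in sample log data: brute-force log-ins and odd DNS names.

Added example with constructed input; not taken from any real environment.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sshd-style auth log lines (RFC 5737 documentation addresses).
AUTH_LOG = """\
Mar 10 02:11:01 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar 10 02:11:03 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51124 ssh2
Mar 10 02:11:05 web01 sshd[4121]: Failed password for root from 203.0.113.45 port 51126 ssh2
Mar 10 02:11:07 web01 sshd[4121]: Failed password for root from 203.0.113.45 port 51128 ssh2
Mar 10 02:11:09 web01 sshd[4121]: Failed password for root from 203.0.113.45 port 51130 ssh2
Mar 10 02:11:11 web01 sshd[4121]: Failed password for root from 203.0.113.45 port 51132 ssh2
Mar 10 02:14:30 web01 sshd[4190]: Accepted publickey for deploy from 198.51.100.7 port 40012 ssh2
Mar 10 02:15:02 web01 sshd[4201]: Failed password for alice from 198.51.100.7 port 40020 ssh2
"""

# Constructed DNS query names seen from one client; the long random-looking
# labels are the kind of thing a tunneling or DGA client produces.
DNS_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn.example.net",
    "3q7z9k2m8v1x5b6n4c0d.evil-c2.example",
    "a8f3e2b1c9d4e7f0a1b2c3d4e5f6a7b8.tunnel.example",
    "aaaaaaaaaaaaaaaaaaaaaaaa.example.com",  # long but low entropy: not flagged
    "updates.example.org",
]

# Matches OpenSSH's failed-password line, with or without "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def brute_force_sources(log_text, threshold=5):
    """Return {source_ip: (failure_count, sorted_target_users)} for every
    source with at least `threshold` failed log-ins in the given log text."""
    failures = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if not match:
            continue  # successful logins and unrelated lines are ignored
        user, src_ip = match.groups()
        failures[src_ip] += 1
        users[src_ip].add(user)
    return {
        ip: (count, sorted(users[ip]))
        for ip, count in failures.items()
        if count >= threshold
    }


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character (0.0 for one repeated char)."""
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def suspicious_dns(queries, min_label_len=20, min_entropy=3.5):
    """Return query names whose leftmost label is both long and high-entropy.
    Requiring both conditions avoids flagging long but ordinary host names."""
    flagged = []
    for name in queries:
        label = name.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for ip, (count, targets) in brute_force_sources(AUTH_LOG).items():
        print(f"possible brute force from {ip}: {count} failures against {targets}")
    for name in suspicious_dns(DNS_QUERIES):
        print(f"suspicious DNS query: {name}")
```

Run on the constructed data, the script reports 203.0.113.45 with six failures against the admin and root accounts, and flags the two random-looking DNS names while leaving the repeated-"a" label alone. In production the same logic would run over a real auth log and DNS resolver log, with thresholds tuned to the environment's normal traffic, and a hit would be the trigger for the investigation the rest of this article argues for.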
Accepted Risks of Not Investigating IOCs
If a company chooses not to investigate an IOC, it is putting itself in a vulnerable position. By leaving IOCs unexplored, the company is accepting unknown risks in its systems that it may not be prepared for.
A major concern with not investigating an IOC is the possibility of data leaving the environment unnoticed. In this case the company cannot say definitively whether data has been stolen or, if it has, what that data was. Depending on the type of company, this data can include PII, PHI, credit card information, or customer and vendor records.
By accepting the risk of data loss, companies are potentially putting their customers at risk of fraud or identity theft. In addition, if data is leaked and discovered on the dark web, the company’s reputation is negatively impacted.
Private and public companies alike also need to consider the implications of ignoring an IOC when it comes to compliance requirements and requirements for reporting the loss of sensitive data.
Once an IOC goes uninvestigated, a company can no longer confidently say its network is secure. Ransomware is a threat to companies of all sizes and poses significant risk. A company that ignores an IOC is accepting the risk that its network is already compromised, with a data breach and ransomware event as the likely next steps.
While the company proceeds as usual, its data can be continuously exfiltrated and its systems encrypted. The threat actor then has two ways to extort money: payment for a decryption key, and payment to keep the stolen data from being released. The longer the attack goes on, the more data is taken and the larger the ransom demand is likely to be. Investigating an IOC as soon as it is discovered gives the company the earliest possible chance to contain the intrusion before it reaches that point.
Why You Should Always Investigate IOCs
Ultimately, companies should not ignore IOCs. They have a duty to their customers and a legal responsibility to exercise due diligence in these situations. A company might get lucky and find that a particular IOC did not lead to a larger event, but it cannot know that without investigating, and it needs to be prepared for the worst. A company that accepts the risk of leaving an IOC uninvestigated must also be prepared to be held accountable for that decision.
The ability to identify and act on an IOC is a key component of every cybersecurity program.
At Blue Team Alpha, we can help. We offer a Compromise Assessment service that works to identify IOCs and determine whether your systems have been breached. We also offer a Managed Security Operations Center (SOCaaS), a managed security service that provides continuous data analysis, threat intelligence, and security incident reporting. Contact us today to learn more.