An Indicator of Compromise is like a clue, I see a magnifying glass here. An artifact, a little piece of forensic data that’s found on a network, found on an application, found on an operating system that indicates that there might be malicious activity, there might be an intrusion or an attack going on right now.
They give you a good source of information about threats. They can help in the intelligence gathering process. What we do as organizational professionals is ,we do continuous monitoring to try to find IoCs and we detect. IoCs are also extremely useful in the response to a threat because I can take the IoCs and I can put them together and distill them in a way that can help with the forensic process that we see like over here. Then I can use them to stop future threats, evolving threats. IoCs, data shows that a system is compromised and how it’s been compromised.
If we look at IoCs, they are actually different types of indicators that can help us to detect threats. For instance, there are email indicators. These are used to send malicious data to target organizations by means of email. For instance, the sender’s email address, subject attachments, that header information could give us good email indicator. I could, for instance, take the email indicator that I find. This is an indicator of an attack and it’s coming from this domain, this IP address. I can actually take that IoC, feed that information into my security apparatus and block it, see how an IoC can be useful.
Same with network identifier. For instance, I see that someone is using a command and control server. There’s malware that’s been delivered looking at the operating system, the tasks like for instance, I could find URLs, I can find domain names and IP addresses that might be used as part of an attack. Again, how useful is this? I can take that information, feed it into my endpoint protection, feed it into my intrusion detection and prevention systems, and have those URLs, domain names, and IP addresses blocked and stop the attack. IoCs are useful with helping with defending the network.
I could have host-based indicators that has infected registry keys, mutex, DLLs, file hashes. I can take the hash of an executable that I found on an infected system and feed that hash into my endpoint protection then say if you see this file quarantine and or delete and protect my system because of the IoC that I found.
I could have behavioral indicators, like I said before, on that floor where everyone’s just doing phone answering and login into an app, one single app but there’s PowerShell, remote command execution, etc. What I can do is take those indicators and use them to block the sources of the attack that’s happening. IoCs, different categories, very important to see and understand.
