How Detecting Indicators of Compromise Can Stop Attacks
The cyber world doesn’t sleep. The end of the workday doesn’t mean an end to the threats that are constantly bombarding networks. In fact, many malicious attacks occur after hours because hackers know that IT security teams have their guards down during off-peak times. It is so important to have constant security monitoring in place to detect potential threats. Every network administrator and IT security officer should invest time in learning about the best ways to detect clues that a system has been compromised by an internal or external threat. Successfully protecting an enterprise from cyber threats requires a bit of detective work on the part of IT professionals. Luckily, there are many cutting-edge solutions that enable network administrators to stay on top of every bit of activity that takes place on a network.
Indicators of Compromise
An indicator of compromise (IOC) is something that alerts you to irregularities in a network’s activity patterns. While some of these indicators may be noticed by system users, most can only be detected by applications that continuously monitor for sudden changes. The most common IOCs include:
- -Logins and activity from unfamiliar geographical locations.
- -Logins from users that don’t exist.
- -Unusual outbound network traffic.
- -Changes in privileged user account activity.
- -Spikes in database read volume.
- -HTML response sizes that suggest attackers are extracting data.
- -Many requests for access to the same file.
- -Suspicious port-application traffic.
- -Suspicious registry or system file changes.
- -DNS request anomalies.
The Right Tools
IOCs are important because they can often alert network administrators to suspicious activity before hackers are able to go beyond superficial breaches. One small disturbance in network patterns can be an indicator of a far-reaching, invasive hack that’s intended to expose valuable information. What tools exist to help monitor for IOCs? Companies like ThreatSTOP that offer comprehensive solutions for operationalized threat intelligence. It is impressive because it covers so many aspects of network security under one umbrella. ThreatSTOP offers a research tool called Check IOC that allows users to access information about multiple aspects of a network in one place. The tool contains a registry that enables you to gain information regarding a domain simply by typing in its name into the query field. The result will include a list of related records regarding the targets where the domain is present is produced. In addition, the query can reveal the IP address a domain resolves to. This tool is so valuable to network administrators and security officers because it allows them to detect, research, isolate and expel a threat all in one environment. Check IOC also includes DNS lookup and “Who is” info that will expose the user information of the source behind unusual network traffic. It offers passive DNS information as well.
The importance of monitoring passive DNS should not be underestimated. Doing so will give you a baseline for what normal traffic patterns look like and provide context for spikes in activity. It is quite simple for a passive DNS database to identify any and all potentially malicious domain names associated with an IP address that has been flagged. This is a much quicker and more dependable method than sifting through DNS logs to identify suspicious activity.