I previously provided a brief overview of how Verisign iDefense characterizes threat actors and their motivations through adversarial analysis. Security professionals need to be aware not only of the kinds of actors they are up against, but also of the tactical data fundamentals associated with cyber-attacks, most commonly referred to as indicators of compromise (IOCs). Understanding the different types of tactical IOCs allows for quick detection of a breach, as well as prevention of a future one. For the purposes of this overview, iDefense breaks IOCs into three distinct categories: email, network and host-based.

Email Indicators

Advanced threat actors often use free email services to send socially engineered emails to targeted organizations and individuals because of their ease of use and relative anonymity. Email IOCs can be revealed in a few ways:
Network Indicators

Network IOCs are revealed through:
Host-Based Indicators

These IOCs can be found through analysis of the infected computer within an organization's enterprise. Host-based IOCs are revealed through:
Organizations need to be wary of the increasing number of IOCs and implement a system to measure and evaluate the quality of indicators accordingly. Having contextual information to accompany indicators is critical for a machine or a human to make better decisions around resource allocation and determine a proper course of action. Creating a dynamic database comprised of all the elements, or data fundamentals, that make up the cyber threat landscape, and displaying them visually in an interconnected, contextual manner, is a great way to enable people and machines to make better security and business decisions. Stay tuned for upcoming blog posts in which I will expand upon this concept and how the Verisign iDefense IntelGraph platform can help practitioners improve their security posture and allocate resources more effectively. Learn more about proactive threat intelligence from Verisign iDefense Security Intelligence Services by visiting VerisignInc.com/iDefense.

What are examples of IOCs?

Here are some of the more common examples of IOCs in operation:

- Unusual outbound network traffic
- Geographic irregularities
- Anomalies in privileged user account activity
- Log-in anomalies
- Increased volume in database reads
- DNS request anomalies
- Large number of requests for the same file
- HTML response size

What are the types of IOCs?

Types of IOCs include the following:
Hashes: SHA1 and MD5 hashes of malware executables, PE files and malicious attachments, either looked up in a feed or created from samples you collect yourself. Most people call this creating custom malware signatures. Note that a file hash is the easiest indicator for an attacker to invalidate (any change to the file yields a new hash), so hash-based IOCs are best paired with network and behavioural indicators rather than relied on alone.

IPs: Known malicious C2 IPs and low-reputation IPs.
What type of security information is primarily used to detect unauthorized privilege IOCs?

Detecting this type of IOC usually involves collecting security events in an audit log.
What are IOCs in security?

Indicators of compromise (IOCs) serve as forensic evidence of potential intrusions on a host system or network. These artifacts enable information security (InfoSec) professionals and system administrators to detect intrusion attempts or other malicious activities.
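As an added example (not code from the original post or from Verisign iDefense), the following Python script shows how the tactical IOC types discussed above are matched against log records, and how the contextual confidence attached to each indicator can drive the resource-allocation decision the post calls for: sender addresses and attachment hashes cover the email category, IPs and domains the network category, and file hashes the host-based category. Every indicator value, log record, field name and scoring weight is constructed for illustration; the IPs are from RFC 5737 documentation ranges and the domains use the reserved `.example` TLD.

```python
"""Match tactical IOCs (email, network, host-based) against constructed log
records, then rank affected hosts by indicator confidence and category spread.
Added example; all data below is constructed, not real threat intelligence."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    category: str    # "email", "network" or "host"
    kind: str        # "sender", "md5", "ip", "domain" or "sha256"
    value: str       # compared case-insensitively (see index_indicators)
    confidence: int  # 0-100, as a (hypothetical) feed would supply it
    context: str     # what the feed says the indicator is tied to


# Constructed sample indicators (not real threat data).
INDICATORS = [
    Indicator("email", "sender", "payroll.notice@freemail.example", 60,
              "free webmail sender used in a constructed phishing wave"),
    Indicator("email", "md5", "9e107d9d372bb6826bd81d3542a419d6", 80,
              "constructed malicious attachment"),
    Indicator("network", "ip", "203.0.113.45", 90, "constructed C2 address"),
    Indicator("network", "domain", "cdn-update.example", 70,
              "constructed C2 domain; subdomains also match"),
    Indicator("host", "sha256",
              "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
              95, "constructed dropper hash"),
]

# Which log field carries which kind of indicator value (hypothetical schema).
FIELD_KINDS = {"sender": "sender", "attachment_md5": "md5", "dst_ip": "ip",
               "query": "domain", "sha256": "sha256"}

# Constructed log records from three sources: mail gateway, DNS, proxy, EDR.
RECORDS = [
    {"source": "mail", "host": "ws-014", "sender": "Payroll.Notice@freemail.example",
     "attachment_md5": "9E107D9D372BB6826BD81D3542A419D6"},
    {"source": "dns", "host": "ws-014", "query": "a1.cdn-update.example"},
    {"source": "proxy", "host": "ws-014", "dst_ip": "203.0.113.45"},
    {"source": "edr", "host": "ws-022",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    # Lookalike name that must NOT match: not a subdomain of the indicator.
    {"source": "dns", "host": "ws-030", "query": "notcdn-update.example"},
    {"source": "proxy", "host": "ws-030", "dst_ip": "198.51.100.7"},
]


def index_indicators(indicators):
    """Build a (kind, lower-cased value) -> Indicator lookup table."""
    return {(i.kind, i.value.lower()): i for i in indicators}


def domain_matches(query, indicator_domain):
    """True for an exact match or a subdomain; a mere suffix such as
    'notcdn-update.example' against 'cdn-update.example' is rejected."""
    return query == indicator_domain or query.endswith("." + indicator_domain)


def match_record(record, index):
    """Return the indicators a single log record hits."""
    hits = []
    for field, kind in FIELD_KINDS.items():
        if field not in record:
            continue
        value = record[field].lower()
        if kind == "domain":  # domains need suffix logic, not exact lookup
            hits.extend(ind for (k, v), ind in index.items()
                        if k == "domain" and domain_matches(value, v))
        elif (kind, value) in index:
            hits.append(index[(kind, value)])
    return hits


def scan(records, indicators):
    """Return [(record, indicator), ...] for every hit across all records."""
    index = index_indicators(indicators)
    return [(r, ind) for r in records for ind in match_record(r, index)]


def rank_hosts(matches):
    """Score each host by summed indicator confidence, plus a bonus of 25 per
    additional IOC category hit: email + network evidence on one machine is
    stronger than a lone file hash, which an attacker can change trivially.
    Returns [(host, score, sorted categories), ...], highest score first."""
    per_host = defaultdict(list)
    for record, ind in matches:
        per_host[record["host"]].append(ind)
    ranked = []
    for host, inds in per_host.items():
        cats = sorted({i.category for i in inds})
        score = sum(i.confidence for i in inds) + 25 * (len(cats) - 1)
        ranked.append((host, score, cats))
    return sorted(ranked, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for host, score, cats in rank_hosts(scan(RECORDS, INDICATORS)):
        print(f"{host}: score={score} categories={cats}")
```

In this constructed data set ws-014 is hit by both email indicators, the C2 domain (via a subdomain) and the C2 IP, so it ranks above ws-022, which only shows the dropper hash; ws-030 produces no hits because the lookalike domain is rejected by the suffix check. The confidence and context fields are what turn a bare indicator list into something a human or a machine can prioritise, which is the point made in the post about contextual information.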