Indicators of Compromise

What are Indicators of Compromise?

For enterprise IT organizations, managing cyber security is an ongoing process of detecting and responding to suspicious events and security incidents, and of improving the organization's security posture by updating processes and technology. Together, computer security incident response teams (CSIRT), security operations centers (SOC) and computer emergency response teams (CERT) work to establish and maintain security policy, proactively prevent cyber attacks and respond to events, incidents and disasters.

The search and discovery process associated with Indicators of Compromise (IoC) is a major component of the responsibilities of InfoSec and computer security professionals in IT organizations. Indicators of Compromise are unique data artifacts or signatures that correlate strongly with the existence of a security threat or a network intrusion that should be addressed.

Indicators of Compromise are pieces of evidence which suggest that a data breach may have occurred and that further investigation and engagement of the CSIRT incident response plan is necessary. IT organizations must develop the capabilities to recognize IoCs when they are present on the network and implement an effective incident response plan to eradicate the threat and recover the affected systems.

Indicators of Compromise and Enterprise Threat Intelligence

How do IT organizations learn to recognize Indicators of Compromise? Where do these indicators appear? Can IT organizations automate the search for IoCs, or does it have to be done manually?

IT organizations learn to identify IoCs through a process known as enterprise threat intelligence. Threat intelligence refers to evidence-based knowledge that can be used to prevent cyber attacks. Threat intelligence can include context-dependent threat indicators, mechanisms of attack or attack vectors, indicators of compromise and other information.

IT organizations can develop threat intelligence through their own activities and interactions (discovering a suspicious event, identifying it as a security incident, correlating it with a specific type of attack from a specific source, etc.). More commonly, IT organizations develop threat intelligence by interfacing with external organizations, such as partner businesses, cyber security experts or consultants who maintain an up-to-date database of known cyber threats.

Indicators of Compromise appear in the context of computer-generated event logs. Each application or operating system has its own log file that records transactions between the system and its users. When a cyber attack is attempted against a server or application, a log is generated that can later be used as an indicator that the attack occurred. Such log entries are known as Indicators of Compromise.

IT organizations can use Security Information and Event Management (SIEM) software tools to aggregate log files from across the network into a single database and search that database for known Indicators of Compromise. With up-to-date threat intelligence, IT organizations can heavily automate the process of searching for IoCs, leaving security analysts free to focus on innovation, as well as disaster recovery and incident response preparation and strategy.
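The automated search described above can be sketched as follows. This is an added example, not code from the original page or from any SIEM product. The log formats, the threat-intelligence feed and all indicator values are constructed, using documentation-range IP addresses and reserved `.example` domains.

```python
import re
from collections import defaultdict

# Constructed threat-intelligence feed (assumption: already normalized to lowercase).
THREAT_INTEL = {
    "ip": {"203.0.113.66", "198.51.100.23"},
    "domain": {"c2.badhost.example"},
    "sha256": {"ab" * 32},
}

# Constructed log lines from three sources, as a SIEM would aggregate them.
AGGREGATED_LOGS = [
    ("firewall", "2024-05-01T10:00:01Z ALLOW src=10.0.0.15 dst=203.0.113.66 dport=443"),
    ("proxy", "2024-05-01T10:00:05Z 10.0.0.15 GET http://C2.BadHost.example/beacon 200"),
    ("proxy", "2024-05-01T10:00:07Z 10.0.0.15 CONNECT 203.0.113.66:443 200"),
    ("proxy", "2024-05-01T10:00:09Z 10.0.0.22 GET http://intranet.corp.example/ 200"),
    ("endpoint", "2024-05-01T10:01:12Z host=ws-22 process=upd.exe sha256=" + "AB" * 32),
    ("firewall", "2024-05-01T10:02:00Z DENY src=10.0.0.30 dst=192.0.2.10 dport=22"),
]

# One extractor per observable type; each pulls candidate values out of a raw line.
EXTRACTORS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}

def find_iocs(logs, intel):
    """Return one hit per (log line, known indicator) pair."""
    hits = []
    for source, line in logs:
        for kind, pattern in EXTRACTORS.items():
            # Lowercase before comparing so case differences do not hide a match.
            for value in sorted({m.lower() for m in pattern.findall(line)}):
                if value in intel[kind]:
                    hits.append({"source": source, "type": kind,
                                 "indicator": value, "line": line})
    return hits

def summarize(hits):
    """Group hits by indicator and list which log sources saw it."""
    seen = defaultdict(set)
    for h in hits:
        seen[(h["type"], h["indicator"])].add(h["source"])
    return {key: sorted(sources) for key, sources in seen.items()}

if __name__ == "__main__":
    for key, sources in summarize(find_iocs(AGGREGATED_LOGS, THREAT_INTEL)).items():
        print(key, "seen in", sources)
```

An indicator that appears in more than one log source, as the IP address does here, is the kind of multi-log pattern an analyst would prioritize for investigation.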

Most Common Indicators of Compromise for Businesses

Indicators of Compromise are the "red flags" of cyber security incidents. A security breach in a network or application could be indicated by the contents of a single event log, or there could be several event logs establishing a pattern of activity that indicates a security breach. IT organizations must collect threat intelligence to enhance their ability to recognize general and specific IoCs that could indicate a security breach.

We identify some of the most common IoCs that enterprise organizations should be equipped to detect and investigate:

Unusual Outbound Network Traffic - Keeping intruders out of your network is becoming increasingly difficult, but some experts say that it may be easier to monitor outgoing traffic for potential Indicators of Compromise. Unusual outbound network traffic may be detected when an intruder is attempting to extract data from your network, or when a compromised system is relaying information to a command-and-control server.

Unexpected Geographical Anomalies - If your entire business operation is based in San Francisco, California, you should be very surprised to see a user connecting to your network from somewhere else, especially from another country that may have a bad reputation for international cyber crime. Monitoring IP addresses on the network and where they originate is an easy way to detect cyber attacks before they can do real damage.

Unexplained Activities by Privileged User Accounts - In sophisticated cyber attacks, such as an advanced persistent threat, a common methodology is to compromise a low-privilege user account before attempting to either escalate its privileges and authorization or expose an attack vector to an account with even more permissions. When security operatives notice suspicious behavior coming from privileged user accounts, that could be evidence of either an internal or external attack on the organization's systems and data.

Suspicious Registry Changes - When a cyber attacker injects malware into your systems, the malicious code can create chaos by making changes to registries and system files that make it difficult for SecOps to quarantine and ultimately recover the affected systems. Some cyber attacks may try to install specialized software that necessitates changes to registry files, like packet sniffers that capture information exchanged on the network. It is often easier for IT organizations to detect these suspicious configuration changes that are made to support malicious tools on the network.

Indicators of Distributed Denial of Service (DDoS) Attacks - A DDoS attack happens when a malicious actor tries to shut down a service by flooding it with traffic and requests from a network of controlled machines, often called a botnet. Signs and symptoms can include slow network traffic, poor performance, excessive processor usage and often failure of the service. Unmitigated DDoS attacks can overwhelm the capacity of a network to exchange traffic and can even overload the SIEM tools that are used to detect them.
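Two of the indicators above, unusual outbound traffic and geographical anomalies, lend themselves to simple baseline checks. The following is an added example, not part of the original page. The records, the per-host history and the three-standard-deviation threshold are constructed assumptions, and the `country` field is assumed to come from a GeoIP enrichment step that runs before this check.

```python
from statistics import mean, stdev

# Constructed history: daily outbound bytes per internal host on previous days.
BASELINE = {
    "10.0.0.15": [120_000, 135_000, 110_000, 128_000, 140_000],
    "10.0.0.22": [900_000, 870_000, 910_000, 880_000, 905_000],
}

# Constructed records for the current day ("ZZ" is a placeholder country code).
TODAY = [
    {"kind": "flow", "host": "10.0.0.15", "dst": "203.0.113.66", "bytes_out": 9_500_000},
    {"kind": "flow", "host": "10.0.0.22", "dst": "198.51.100.7", "bytes_out": 915_000},
    {"kind": "login", "user": "alice", "src": "192.0.2.44", "country": "US"},
    {"kind": "login", "user": "bob", "src": "203.0.113.9", "country": "ZZ"},
]

EXPECTED_COUNTRIES = {"US"}  # assumption: the whole business operates from the US

def outbound_anomalies(records, baseline, sigmas=3.0):
    """Flag hosts whose outbound volume today exceeds mean + sigmas * stdev."""
    totals = {}
    for r in records:
        if r["kind"] == "flow":
            totals[r["host"]] = totals.get(r["host"], 0) + r["bytes_out"]
    alerts = []
    for host, total in totals.items():
        history = baseline.get(host, [])
        if len(history) < 2:
            # stdev needs two samples; a host with no history is itself worth review.
            alerts.append((host, total, "no baseline"))
            continue
        threshold = mean(history) + sigmas * stdev(history)
        if total > threshold:
            alerts.append((host, total, f"exceeds {threshold:.0f} bytes"))
    return alerts

def geo_anomalies(records, expected):
    """Flag logins that originate outside the countries the business operates in."""
    return [(r["user"], r["src"], r["country"])
            for r in records
            if r["kind"] == "login" and r["country"] not in expected]

if __name__ == "__main__":
    print(outbound_anomalies(TODAY, BASELINE))
    print(geo_anomalies(TODAY, EXPECTED_COUNTRIES))
```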

