Skip to content Skip to navigation Skip to footer

Indicators of compromise (IOCs) refer to data that indicates a system may have been infiltrated by a cyber threat. They provide cybersecurity teams with crucial knowledge after a data breach or another breach in security.

Computer security incident response teams (CSIRTs) use IOCs for malware detection, to enhance Sandbox security, and to verify the effectiveness of heuristic analysis. They are also used to detect and prevent attacks or to limit the damage done by stopping the attacks early on.

Indicators of Compromise vs. Indicators of Attack

Indicators of attack are different from IOCs in that they focus on identifying the activity associated with the attack while the attack is happening, whereas IOCs focus on examining what happened after an attack has occurred.

How Do Indicators of Compromise Work?

IOCs act as flags that cybersecurity professionals use to detect unusual activity that is evidence of or can lead to a future attack. There are several different types of IOCs. Some include simple elements like metadata and others are more complex, such as complicated code of malicious content. 

It is often helpful for information security professionals to gather several IOCs and then see if there is a correlation between them indicating details of a possible attack.

Most Common Indicators of Compromise

Unusual Outbound Network Traffic

Traffic leaving the network is an indicator that IT teams use to identify potential issues. If outbound traffic patterns are suspiciously unusual, the IT team can keep a close eye on it to check if something is amiss. Because this traffic originates from within the network, it is often the easiest to monitor, and if action is taken right away, it can be used to stop many kinds of threats.

Anomalies in Privileged User Account Activity

Privileged user accounts typically have access to special or particularly sensitive areas of the network or applications. Therefore, if anomalies are spotted, they can help IT teams identify an attack early in the process, potentially before it has done significant damage. Anomalies can include a user trying to escalate privileges of a particular account or use the account to access others with more privileges.

Geographical Irregularities

If there are login attempts from countries with which your organization does not typically do business, this can be a sign of a potential security compromise. It can be evidence of a hacker in another country trying to get inside the system.

Other Login Red Flags

When a legitimate user tries to log in, they are typically successful within a few tries. Therefore, if an existing user tries to log in many times, this may indicate an attempt to penetrate the system by a bad actor. Also, if there are failed logins with user accounts that do not exist, this can indicate someone is testing out user accounts to see if one of them will provide them with illicit access.

Swells in Database Read Volume

When an attacker tries to exfiltrate your data, their efforts may result in a swell in read volume. This can occur as the attacker gathers your information in an attempt to extract it.

HTML Response Sizes

If the typical Hypertext Markup Language (HTML) response size is relatively small, but you notice a far larger response size, it may indicate that data has been exfiltrated. The mass of data results in a larger HTML response size as the data is transmitted to the attacker.

Large Numbers of Requests for the Same File

Hackers often try again and again to request files they are trying to steal. If the same file is being requested many times, this may indicate a hacker is testing out several different ways of requesting the files, hoping to find one that works.

Mismatched Port-application Traffic

Attackers may exploit obscure ports as they execute an attack. Applications use ports to exchange data with a network. If an unusual port is being used, this can indicate an attacker attempting to penetrate the network through the application or to affect the application itself.

Suspicious Registry or System File Changes

Malware often includes code that makes changes to your registry or system files. If there are suspicious changes, that may be an IOC. Establishing a baseline can make it easier to spot changes made by attackers.

DNS Request Anomalies

Hackers often use command-and-control (C&C) servers to compromise a network with malware. The C&C server sends commands to steal data, interrupt web services, or infect the system with malware. If there are anomalous Domain Name System (DNS) requests, particularly those that come from a certain host, this can be an IOC. 

Also, the geolocation of the requests can help IT teams sniff out potential issues, especially if the DNS request is coming from a country where legitimate users typically do not hail from.

How Fortinet Can Help

The Fortinet IOC service can add an additional element of security to your network. FortiSIEM, FortiAnalyzer, and FortiCloud all use IOCs to protect your network. An instance of FortiAnalyzer generating IOCs, for example, involves the implementation of machine-learning methodologies to gather the IOCs and analyze the level of threat they present. 

FortiGuard Labs exchanges threat information with more than 200 threat analysis systems around the world. This results in about 500,000 IOCs generated every day and delivered to FortiSIEM, FortiAnalyzer, and FortiCloud.

FAQs

What are indicators of compromise (IOCs)?

IOCs refer to data that indicates a system may have been infiltrated by a cyber threat. They provide cybersecurity teams with crucial knowledge after there has been a breach of data or another breach in security.

What is the difference between indicators of compromise and indicators of attack?

Indicators of attack are different from IOCs in that they focus on identifying the activity associated with the attack while the attack is happening, whereas IOCs focus on examining what happened after an attack has occurred.

How do indicators of compromise work?

IOCs act as flags that cybersecurity professionals use to detect unusual activity that is evidence of or can lead to a future attack.

What are the most common indicators of compromise?

Some of the most common indicators of compromise include:

  1. Unusual outbound network traffic
  2. Anomalies in privileged user account activity
  3. Geographical irregularities
  4. Other login red flags
  5. Swells in database read volume
  6. HTML response sizes
  7. Large numbers of requests for the same file
  8. Mismatched port-application traffic
  9. Suspicious registry or system file changes
  10. DNS request anomalies