Indicators of Compromise (IOCs)

Traffic leaving the network is an indicator that IT teams use to identify potential issues. If outbound traffic patterns are suspiciously unusual, the IT team can keep a close eye on it to check if something is amiss. Because this traffic originates from within the network, it is often the easiest to monitor, and if action is taken right away, it can be used to stop many kinds of threats.

Privileged user accounts typically have access to special or particularly sensitive areas of the network or applications. Therefore, if anomalies are spotted, they can help IT teams identify an attack early in the process, potentially before it has done significant damage. Anomalies can include a user trying to escalate privileges of a particular account or use the account to access others with more privileges.

If there are login attempts from countries with which your organization does not typically do business, this can be a sign of a potential security compromise. It can be evidence of a hacker in another country trying to get inside the system.

When a legitimate user tries to log in, they are typically successful within a few tries. Therefore, if an existing user tries to log in many times, this may indicate an attempt to penetrate the system by a bad actor. Also, if there are failed logins with user accounts that do not exist, this can indicate someone is testing out user accounts to see if one of them will provide them with illicit access.

When an attacker tries to exfiltrate your data, their efforts may result in a swell in read volume. This can occur as the attacker gathers your information in an attempt to extract it.

If the typical Hypertext Markup Language (HTML) response size is relatively small, but you notice a far larger response size, it may indicate that data has been exfiltrated. The mass of data results in a larger HTML response size as the data is transmitted to the attacker.

Hackers often try again and again to request files they are trying to steal. If the same file is being requested many times, this may indicate a hacker is testing out several different ways of requesting the files, hoping to find one that works.

Attackers may exploit obscure ports as they execute an attack. Applications use ports to exchange data with a network. If an unusual port is being used, this can indicate an attacker attempting to penetrate the network through the application or to affect the application itself.

Malware often includes code that makes changes to your registry or system files. If there are suspicious changes, that may be an IOC. Establishing a baseline can make it easier to spot changes made by attackers.

Hackers often use command-and-control (C&C) servers to compromise a network with malware. The C&C server sends commands to steal data, interrupt web services, or infect the system with malware. If there are anomalous Domain Name System (DNS) requests, particularly those that come from a certain host, this can be an IOC. 

Also, the geolocation of the requests can help IT teams sniff out potential issues, especially if the DNS request is coming from a country where legitimate users typically do not hail from.