Indicator of Compromise (IoC)
The term "Indicator of Compromise", or IoC for short, actually comes from forensic analysis and refers to any form of information that indicates a high probability that an IT system has been compromised.
In the simplest case, an Indicator of Compromise is, for example, a file or malware that an attacker has left on a system. IoCs are more difficult if the company is not even aware of a possible compromise and the virus scanner does not detect anything. In this case, communication behavior is often used.
Network Communication as IoC
After infecting a system, many malware programs require a connection to a command & control server from which further malicious functions or commands to be executed are downloaded and to which confidential company data is uploaded. This is where modern IoC detection comes in.
Malware increasingly uses cryptographically generated domain names that regularly change after a few hours or a day in order to find out the currently valid IP address of the command & control server via DNS queries. Since domain registries often shut down domains used by malware quickly, frequent changes are necessary. The cryptographic generation also ensures that no domain list is found when analyzing the malware, which can be switched off in advance. The IP address of the C&C server can also change quickly if a cloud provider shuts down a server, for example, and a new server is put into operation with another provider.
Possible indicators of compromise in such a case would be:
- A client makes a conspicuously large number of strange DNS queries for domains that a user would not normally enter. For example, very long domain names or domains that consist of a random-looking combination of letters and numbers
- A client makes a conspicuously high number of DNS queries to uncommon and new top-level domains such as .email, .fit, .fail or .rest, which are known to be frequently abused by malware
- A client communicates conspicuously often with IP addresses from cloud services or with IP addresses from address ranges that are known for spreading malware
- A client transfers a conspicuously large amount of data to a server on the Internet, in particular more data is uploaded than downloaded
- In order to be able to recognize and use these indicators of compromise, however, extensive log files, e.g. for DNS queries, must be generated and evaluated automatically and promptly. This is the only way to ensure that compromised systems are identified at an early stage and damage to the company is averted.
Data Modification as IoC
After infection, ransomware encrypts files on the local system and on file servers in the network in order to subsequently extort protection money. However, it is always questionable whether a key to restore the data is issued or even exists despite the payment of protection money. Some ransomware also simply overwrites files with garbage without encrypting the files at all. These malware programs must therefore be detected as early as possible in order to minimize the damage caused.
An important indicator of compromise is therefore, if a large number of different files are changed on a client or a file server within a short period of time. In such a case, it should be possible to isolate the client in order to prevent further changes, at least temporarily, and to be able to investigate the case.
Our Service
We advise you on the selection of suitable IT security solutions that support the detection of unwanted activities by IoCs. We support you in identifying suitable IoCs based on your infrastructure and usage. We help you with the implementation, for example by connecting to a SIEM. If necessary, we implement suitable queries in your SIEM and provide technical support.
We also combine your SIEM with a Security Orchestration, Automation and Response (SOAR) solution.