What are indicators of compromise (IOCs)?
Learn how to monitor, identify, use, and respond to indicators of compromise.
Indicators of compromise explained
An indicator of compromise (IOC) is evidence that someone may have breached an organization’s network or endpoint. This forensic data doesn’t just indicate a potential threat; it signals that an attack, such as malware, compromised credentials, or data exfiltration, has already occurred. Security professionals search for IOCs in event logs, extended detection and response (XDR) solutions, and security information and event management (SIEM) solutions. During an attack, the team uses IOCs to eliminate the threat and mitigate damage. After recovery, IOCs help an organization better understand what happened, so the organization’s security team can strengthen security and reduce the risk of another similar incident.
Examples of IOCs
In IOC security, IT monitors the environment for the following clues that an attack is in progress:
Network traffic anomalies
In most organizations there are consistent patterns to network traffic passing in and out of the digital environment. When that changes, such as if there is significantly more data leaving the organization or if there is activity coming from an unusual location in the network, it may be a sign of an attack.
Unusual sign-in attempts
Much like network traffic, people’s work habits are predictable. They typically sign in from the same locations and at roughly the same times during the week. Security professionals can detect a compromised account by paying attention to sign-ins at odd times of day or from unusual geographies, such as a country where an organization doesn’t have an office. It’s also important to take note of multiple failed sign-ins from the same account. Although people periodically forget their passwords or have trouble signing in, they’re usually able to resolve it after a few tries. Repeated failed sign-in attempts may indicate that someone is trying to access the organization using a stolen account.
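As an added example (not code from the original page), here is a small Python check over constructed sign-in records that flags the sign-in IOCs just described: repeated failed attempts on one account, and successful sign-ins from a country or at an hour the account does not normally use. The accounts, countries, baseline, working hours and failure threshold are all assumptions.

```python
from collections import Counter

# Constructed sample sign-in records (not real telemetry): account, result, country, hour of day.
SIGNINS = [
    {"account": "alice", "result": "success", "country": "US", "hour": 9},
    {"account": "alice", "result": "success", "country": "US", "hour": 14},
    {"account": "alice", "result": "success", "country": "DE", "hour": 3},   # odd country and hour
    {"account": "bob", "result": "failure", "country": "US", "hour": 10},
    {"account": "bob", "result": "failure", "country": "US", "hour": 10},
    {"account": "bob", "result": "success", "country": "US", "hour": 10},    # resolved after two tries
] + [{"account": "carol", "result": "failure", "country": "US", "hour": 22} for _ in range(6)]

# Assumed baseline: countries each account has historically signed in from, and normal working hours.
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}
WORK_HOURS = range(7, 20)  # 07:00 to 19:59 local time


def find_signin_iocs(records, baseline, work_hours=WORK_HOURS, failure_threshold=5):
    """Return (kind, account, detail) tuples for the sign-in IOCs found in `records`."""
    iocs = []

    # IOC 1: repeated failed sign-ins on one account, beyond what a forgotten password explains.
    failures = Counter(r["account"] for r in records if r["result"] == "failure")
    for account, count in failures.items():
        if count >= failure_threshold:
            iocs.append(("repeated_failures", account, f"{count} failed attempts"))

    # IOC 2 and 3: a successful sign-in from a country or at an hour the account does not normally use.
    for r in records:
        if r["result"] != "success":
            continue
        if r["country"] not in baseline.get(r["account"], set()):
            iocs.append(("unusual_geography", r["account"], r["country"]))
        if r["hour"] not in work_hours:
            iocs.append(("unusual_hour", r["account"], f"{r['hour']:02d}:00"))
    return iocs


if __name__ == "__main__":
    for kind, account, detail in find_signin_iocs(SIGNINS, BASELINE_COUNTRIES):
        print(f"{kind:20} {account:8} {detail}")
```

Bob's two failures followed by a success stay below the threshold and produce no alert, which is the "usually able to resolve it after a few tries" case the text describes.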
Privileged account irregularities
Many attackers, whether they’re insiders or outsiders, are interested in accessing administrative accounts and acquiring sensitive data. Atypical behavior associated with these accounts, such as someone attempting to escalate their privileges, may be a sign of a breach.
Changes to system configurations
Malware is often programmed to make changes to system configurations, such as enabling remote access or disabling security software. By monitoring for these unexpected configuration changes, security professionals can identify a breach before too much damage has occurred.
Unexpected software installations or updates
Many attacks begin with the installation of software, such as malware or ransomware, that is designed to make files inaccessible or to give attackers access to the network. By monitoring for unplanned software installations and updates, organizations can catch these IOCs quickly.
Numerous requests for the same file
Multiple requests for a single file may indicate that a bad actor is attempting to steal it and has tried several methods to access it.
Unusual Domain Name System requests
Some bad actors use an attack method called command and control. They install malware on an organization’s server that creates a connection to a server that they own. They then send commands from their server to the infected machine to try to steal data or disrupt operations. Unusual Domain Name System (DNS) requests help IT detect these attacks.
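As an added example (not code from the original page), this Python snippet runs two DNS checks over a constructed query log: a host querying a domain outside the organization's known baseline, and a host querying the same domain at a near-constant interval, the regular polling pattern that command-and-control malware tends to produce. The hosts, domains, baseline, minimum query count and jitter tolerance are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DNS query log (not real telemetry): (seconds since midnight, source host, queried domain).
# The ".invalid" top-level domain is reserved and never resolves, so it is a safe stand-in here.
DNS_LOG = [
    (0, "ws-17", "updates.example.com"),
    (30, "ws-17", "unknown.invalid"),
    (91, "ws-17", "unknown.invalid"),
    (149, "ws-17", "unknown.invalid"),
    (211, "ws-17", "unknown.invalid"),
    (269, "ws-17", "unknown.invalid"),
    (12, "ws-04", "mail.example.com"),
    (400, "ws-04", "docs.example.com"),
    (4100, "ws-04", "mail.example.com"),
]
# Assumed baseline of domains the organization's hosts normally query.
KNOWN_DOMAINS = {"updates.example.com", "mail.example.com", "docs.example.com"}


def find_dns_iocs(log, known_domains, min_queries=4, max_jitter=0.2):
    """Return (kind, host, domain, detail) tuples for DNS-based IOCs in `log`.

    Two checks: a host querying a domain outside the baseline, and a host querying
    the same domain at a near-constant interval (beaconing), where the relative
    spread of the gaps between queries is no larger than `max_jitter`.
    """
    iocs = []
    query_times = defaultdict(list)
    for ts, host, domain in sorted(log):
        if domain not in known_domains and (host, domain) not in query_times:
            iocs.append(("new_domain", host, domain, "not in baseline"))
        query_times[(host, domain)].append(ts)

    for (host, domain), times in query_times.items():
        if len(times) < min_queries:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            iocs.append(("beaconing", host, domain, round(avg)))
    return iocs


if __name__ == "__main__":
    for kind, host, domain, detail in find_dns_iocs(DNS_LOG, KNOWN_DOMAINS):
        print(f"{kind:12} {host:6} {domain:22} {detail}")
```

ws-04's two queries for the same mail domain hours apart are ordinary activity and produce no alert; ws-17's roughly one-per-minute queries to an unknown domain are flagged twice, once for the unknown destination and once for the regular interval.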
Why IOCs are important
Monitoring IOCs is critical to reducing an organization’s security risk. Early detection of IOCs enables security teams to respond to and resolve attacks quickly, reducing the amount of downtime and disruption. Regular monitoring also gives teams greater insight into organizational vulnerabilities, which can then be mitigated.
Responding to indicators of compromise
Once security teams identify an IOC, they need to respond effectively to ensure as little damage to the organization as possible. The following steps help organizations stay focused and stop threats as quickly as possible:
Establish an incident response plan
Responding to an incident is stressful and time sensitive because the longer attackers remain undetected, the more likely they are to achieve their goals. Many organizations develop an incident response plan to help guide teams during the critical phases of a response. The plan outlines how the organization defines an incident, roles and responsibilities, the steps needed to resolve an incident, and how the team should communicate to employees and outside stakeholders.
Isolate compromised systems and devices
Once an organization has identified a threat, the security team rapidly isolates applications or systems that are under attack from the rest of the network. This helps prevent the attackers from accessing other parts of the business.
Conduct forensic analysis
Forensic analysis helps organizations uncover all aspects of a breach, including the source, the type of attack, and attacker goals. Analysis is done during the attack to understand the extent of the compromise. Once the organization has recovered from the attack, additional analysis helps the team understand possible vulnerabilities and other insights.
Eliminate the threat
The team removes the attacker and any malware from affected systems and resources, which may involve taking systems offline.
Implement security and process improvements
Once the organization has recovered from the incident, it’s important to evaluate why the attack happened and if there’s anything the organization could have done to prevent it. There may be simple process and policy improvements that will reduce the risk of a similar attack in the future, or the team may identify longer-range solutions to add to a security roadmap.
IOC Solutions
Most security breaches leave a forensic trail in log files and systems. Learning to identify and monitor these IOCs helps organizations quickly isolate and eliminate attackers. Many teams turn to SIEM and XDR solutions, like Microsoft Sentinel and Microsoft Defender XDR, which use AI and automation to surface IOCs and correlate them with other events. An incident response plan enables teams to get ahead of attacks and quickly shut them down. When it comes to cybersecurity, the faster companies understand what’s happening, the more likely they are to stop an attack before it costs them money or damages their reputation. IOC security is key to helping organizations reduce their risk of a costly breach.
Frequently asked questions
There are several types of IOCs. Some of the most common are:
- Network traffic anomalies
- Unusual sign-in attempts
- Privileged account irregularities
- Changes to system configurations
- Unexpected software installations or updates
- Numerous requests for the same file
- Unusual Domain Name System (DNS) requests
An indicator of compromise is digital evidence that an attack has already occurred. An indicator of an attack is evidence that an attack is likely to occur. For example, a phishing campaign is an indicator of attack because there’s no evidence that the attacker has breached the company. However, if someone clicks on a phishing link and downloads malware, the installation of the malware is an indicator of compromise.
Indicators of compromise in email include a sudden flood of spam, strange attachments or links, or an unexpected email from a known person. For example, if an employee sends a coworker an email with a strange attachment, it may indicate their account has been compromised.
There are multiple ways to identify a compromised system. A change in network traffic from a particular computer could be an indicator that it’s been compromised. If a person who typically doesn’t need a system begins accessing it regularly, that’s a red flag. Changes to the configurations on the system or an unexpected software installation may also indicate that it’s been compromised.
Three IOC examples are:
- A user account that is based in North America begins signing into company resources from Europe.
- Thousands of access requests across several user accounts, indicating that the organization is a victim of a brute force attack.
- New Domain Name System (DNS) requests coming from a new host or from a country where employees and customers don’t reside.